Backdoor Uses Socket.io for Bi-directional Communication
7.6.18 securityweek Virus

A recently discovered remote access Trojan is using a specialized program library that allows operators to interact with the infected machines directly, without an initial “beacon” message, G Data reports.

Dubbed SocketPlayer, the backdoor stands out because it doesn’t use the typical one-way communication system that most banking Trojans, backdoors, and keyloggers use. Instead, it employs the socket.io library, which enables real-time, bi-directional communication between applications.

Because of this feature, the malware handler no longer has to wait for the infected machine to initiate communication, and the malware operator can contact the compromised computer on their own.

G Data security researchers observed two variants of SocketPlayer in the wild, one acting as a downloader capable of executing arbitrary code from a website, while the other featuring more complex capabilities, including detection and sandbox evasion mechanisms.

Once it has been installed on a compromised machine, the malware waits for commands from the operator, and can perform a variety of actions, such as sniffing through drives, screenshot recording, fetching and running code, and more.

The researchers also discovered that other functions are also selectable, though they do not appear to have been implemented yet. One of them, for example, appears to have been intended as a keylogger, though no actual keylogging functionality is present in the backdoor.

The observed malware sample was being distributed through an Indian website, but it’s unclear how the backdoor spreads. Regardless of whether the website was used for infection purposes or only as a mirror, the malicious file remained unnoticed on it for a long time.

The first variant of SocketPlayer was first submitted to VirusTotal on March 28, with a second sample submitted on March 31, G Data explains in a technical report (PDF).

The infection routine starts with the downloader checking if it runs in a sandboxed environment. If it doesn’t, it fetches an executable file, decrypts it, and uses the Invoke method to run it in memory.

The invoked program creates a socket connection to the host hxxp://93.104.208.17:5156/socket.io, as well as a registry key to achieve persistence. It also checks if a Process Handler/ folder exists and creates it if it doesn’t. Next, the program creates an autostart key with the value “Handler.”

It also downloads another executable, which in turn downloads SocketPlayer, decrypts it, and runs it in memory.

The security researchers also noticed that the two variants of the backdoor went through a series of changes between samples, such as the use of a new command and control port, new file locations, different information sent in the initial routine, new commands added to the server, and new functionality included in the malware.