RSA Admin

Detecting Slugin Backdoor Trojan Checkins

Blog Post created by RSA Admin Employee on Jan 17, 2014

The Slugin Backdoor Trojan is a veteran piece of malware that has been around for about three years or more.  Once a host is infected by the malware, it will reach out to a webserver and notify the cyber criminal that an infected host is alive on the internet, along with other local machine information.  This is what the notification traffic looks like:

 

76330

Do you see the query string that follows the question mark in the get request?  That is base64 encoded traffic.  This is what it looks like decoded:

 

ab0c2945-f56e-4976-812b-7d27ee8efcb3|az|2.1.12|5.1.3|COMPUTER-2QIWNS|user|1

 

As you can see, there is a unique identifier followed by version information, the computer name and information about the current logged in user.

 

The original sample of the infector file can be located here at VirusTotal.  As you can see there is wide agreement that this malware is "Slugin.A"

 

On a network, an infected host simply tries to checkin to the control server once.  This is what it looks like in SecurityAnalytics:

 

76331
76335

This is enough meta to explore whether or not this threat follows a predictable pattern.  I created a custom drill looking across our entire malware database for:

action=get && filename='process.php' && directory='/api' && query begins 'xy='

 

This is the result I saw:

 

76336

The behavior is indeed consistent across multiple Command Hosts.  But rather than using the complex drill above, it turns out that a simpler approach is to simply create a rule for the user-agent string of "pcicompliant/3.33"

 

It should be remarked that malware that masquerades as PCI Compliant traffic seems like an insidiously clever idea.  However, with Security Analytics, it makes that traffic stick out like a sore thumb, which is what brought it to my attention in the first place.

 

All hosts shown above have been added to the FirstWatch C2 Domains list, and the malicious user-agent string should be added as a standalone rule or appended to the Malicious UA Strings feed previously posted here.

 

The rule would be called Slugin Trojan Traffic Detected and its contents would be:

client='pcicompliant/3.33'

 

Good luck and happy hunting.  A pcap is attached for demonstration and testing purposes.

Attachments

Outcomes