KIVARS

KIVARS is a backdoor that originally targeted only 32-bit Windows systems; the threat actors behind it later developed a second version built for 64-bit targets. KIVARS is delivered to a compromised computer in the second stage of the attack chain. The initial infection is performed by a dropper detected as 'TROJ_FAKEWORD.A'. Once executed, it drops two DLLs, detected as 'TROJ_KIVARSLDR' and 'BKDR_KIVARS', together with a decoy MS Word document that is displayed to the user as a diversion. The files are dropped at:

  • %windows system%\iprips.dll – TROJ_KIVARSLDR
  • %windows system%\winbs2.dll – BKDR_KIVARS
  • C:\Documents and Settings\Administrator\Local Settings\Temp\NO9907HFEXE.doc – decoy document

The role of 'TROJ_KIVARSLDR' is to load the actual backdoor payload from 'BKDR_KIVARS' and execute it in memory. KIVARS itself has the full set of functions expected from a backdoor, giving the attackers near-complete control over the compromised system: they can manipulate the file system, download and upload files, take screenshots, inject mouse clicks and keystrokes, manipulate the active windows, and so on. The backdoor also has a keylogger module that writes the captured keystrokes to a file named 'klog.dat'.

During its initial communication with the Command-and-Control (C2, C&C) servers set up by the attackers, KIVARS sends a set of system information in encrypted form: the victim's IP address, OS version, username, hostname, keyboard layout, and the Recent Documents/Desktop folder. The sent data also includes the backdoor's own version number.

The updated KIVARS versions that add 64-bit targets show little change in functionality, apart from two notable differences. First, the loader and the backdoor files are given random names instead of fixed ones. Second, the way the backdoor payload is encrypted changed: where earlier versions altered only the 'MZ' magic bytes of the PE header and left the rest of the file intact, the later variants encrypt the payload with a modified RC4 algorithm.
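As an added example (not code from the original page and not code recovered from KIVARS itself), the following Python triage helper tells the two payload-protection schemes described above apart and attempts to recover the embedded PE: a payload whose 'MZ' magic alone was altered still carries a readable 'PE\0\0' signature at e_lfanew, while an RC4-encrypted payload shows neither until it is decrypted with the right key. It assumes standard RC4, since the page does not describe the modification KIVARS made; the candidate keys are hypothetical, and the sample input is a constructed minimal PE-shaped blob rather than a real KIVARS binary.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). KIVARS uses a *modified* RC4 that the page
    does not describe; this function is the place to swap in that variant
    once it has been recovered from a sample (assumption: standard RC4 here)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _pe_header_offset(blob: bytes):
    """Return e_lfanew (offset of the 'PE\\0\\0' signature) if it lies inside the blob."""
    if len(blob) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return None
    return e_lfanew


def is_clear_pe(blob: bytes) -> bool:
    """Plain PE: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    off = _pe_header_offset(blob)
    return blob[:2] == b"MZ" and off is not None and blob[off:off + 4] == b"PE\x00\x00"


def is_mz_stripped_pe(blob: bytes) -> bool:
    """Early-KIVARS style: only the 'MZ' magic is altered, the NT header is still readable."""
    off = _pe_header_offset(blob)
    return blob[:2] != b"MZ" and off is not None and blob[off:off + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, candidate_keys):
    """Classify a dumped payload and return (kind, recovered_bytes_or_None).

    kind is one of 'clear', 'mz-only', 'rc4' or 'unknown'."""
    if is_clear_pe(blob):
        return "clear", blob
    if is_mz_stripped_pe(blob):
        return "mz-only", b"MZ" + blob[2:]     # restore the two magic bytes
    for key in candidate_keys:                 # hypothetical key list, tried in order
        dec = rc4(key, blob)
        if is_clear_pe(dec):
            return "rc4", dec
    return "unknown", None


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped blob for the demo (not a real KIVARS sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> NT headers at 0x40
    nt = b"PE\x00\x00" + b"\x4C\x01" + b"\x00" * 26   # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(dos) + nt


if __name__ == "__main__":
    sample = build_sample_pe()
    keys = [b"wrong-key", b"demo-key"]         # hypothetical candidate keys
    cases = [
        ("clear", sample),
        ("mz-only", b"\x00\x00" + sample[2:]),
        ("rc4", rc4(b"demo-key", sample)),
    ]
    for label, blob in cases:
        kind, out = recover_payload(blob, keys)
        print(f"{label:8s} -> detected as {kind:8s} recovered={out == sample}")
```

The check order matters: a blob is only treated as RC4-protected after the cheaper header checks fail, and a decryption is accepted only if the result has both the 'MZ' and 'PE\0\0' markers at consistent offsets, which keeps a wrong key from producing a false positive.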

It should be noted that the threat actors behind KIVARS also deployed the Remote Access Trojan (RAT) POISON.
