
BS2005

Posted: July 31, 2019

The BS2005 backdoor Trojan is one of the tools that the Ke3chang hacking group (APT15) used in its high-profile attacks against European ministries in 2013. The 2013 campaign appeared to be the last time security researchers encountered the BS2005 family, but the group's backdoor later resurfaced under the name TidePool, reworked and extended with stronger anti-sandbox checks and other improved features.

BS2005 Is Spread via Phishing Emails

The original BS2005 project was used in the majority of Ke3chang's attacks during the 2011-2013 period. The attackers usually relied on phishing emails carrying a malicious file attachment. The email subject was tailored to the target's interests or to current events; common lures included United States military involvement in Syria and the London Olympics.

The behavior of BS2005 contained one surprising quirk: upon launch, it would terminate the processes of a popular Chinese anti-virus suite, as well as any processes belonging to the Maxthon Web browser. Killing the browser seemed illogical at first, but researchers found the explanation in the backdoor's C&C channel. BS2005 uses the IWebBrowser COM interface to communicate with its Command & Control (C&C) server, and if a Maxthon instance was running when that interface was invoked, the browser would open a new tab pointing at the control server's address, a visible giveaway of the connection. Terminating active browser instances beforehand prevents this.
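The channel described above has a defender-side observable. The following is an added hunting example written for this page; it is not code from the original article or from any published BS2005 analysis. It assumes that the IWebBrowser interface the page mentions is served by an out-of-process COM server (InternetExplorer.Application is the usual one), which Windows starts with the `-Embedding` command-line switch, so a browser executable launched that way, rather than from the user's shell, is the event to key on. The log records, image paths and timestamps are constructed in a flattened Sysmon Event ID 1 style and are not real telemetry.

```python
"""Hunt for a browser started as a COM automation server rather than by a user.

Added example, not code from the page or from any BS2005 analysis.
ASSUMPTION: the backdoor's IWebBrowser C&C channel is served by an
out-of-process COM server, which COM launches with the '-Embedding' switch.
The records below are constructed 'UtcTime|Image|CommandLine|ParentImage'
lines in a Sysmon Event ID 1 style, not real captures.
"""
from dataclasses import dataclass
from typing import List

# Browser executables of interest (lower-case image file names).
BROWSER_IMAGES = {"iexplore.exe", "maxthon.exe"}


@dataclass(frozen=True)
class ProcEvent:
    utc: str
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    utc: str
    image: str
    parent_image: str
    reason: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'UtcTime|Image|CommandLine|ParentImage' record."""
    utc, image, cmdline, parent = (f.strip() for f in line.split("|", 3))
    return ProcEvent(utc, image, cmdline, parent)


def image_name(path: str) -> str:
    """Return the lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_com_launched_browser(ev: ProcEvent) -> bool:
    """True when a browser image carries the COM local-server switch.

    COM starts a LocalServer32 executable with '-Embedding' (some servers
    register '/Embedding'); a user opening the browser never adds it.
    """
    if image_name(ev.image) not in BROWSER_IMAGES:
        return False
    tokens = {t.lower().lstrip("-/") for t in ev.cmdline.split()}
    return "embedding" in tokens


def hunt(lines: List[str]) -> List[Finding]:
    """Run the heuristic over process-creation records and collect findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_com_launched_browser(ev):
            findings.append(Finding(
                ev.utc, ev.image, ev.parent_image,
                "browser launched as COM server (-Embedding); identify the "
                "process that created the automation object and its destination",
            ))
    return findings


# Constructed sample records (not real telemetry). Record 2 is what a
# COM-driven browser C&C channel would produce: the COM service host,
# not the user's shell, is the parent.
SAMPLE_LOG = [
    "2019-07-31 09:12:03|C:\\Program Files\\Internet Explorer\\iexplore.exe|"
    '"C:\\Program Files\\Internet Explorer\\iexplore.exe" https://intranet.example/|'
    "C:\\Windows\\explorer.exe",
    "2019-07-31 09:14:47|C:\\Program Files\\Internet Explorer\\iexplore.exe|"
    '"C:\\Program Files\\Internet Explorer\\iexplore.exe" -Embedding|'
    "C:\\Windows\\System32\\svchost.exe",
    "2019-07-31 09:15:02|C:\\Program Files\\Maxthon\\Maxthon.exe|"
    '"C:\\Program Files\\Maxthon\\Maxthon.exe"|'
    "C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.utc}  {f.image}  parent={f.parent_image}\n    {f.reason}")
```

The process-kill half of the quirk is deliberately not mirrored here: Sysmon's process-terminate event records only the exiting process, not who terminated it, so the kill step cannot be attributed from that log alone. The launch side is attributable, and a browser started with `-Embedding` on a host where no automation product is expected is worth correlating with that process's subsequent network destinations.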

The BS2005 Backdoor can Exfiltrate Data and Execute Remote Commands

The BS2005 backdoor Trojan also employs archaic anti-sandbox techniques that are unlikely to be effective against a properly configured sandbox environment. Once initialized, the backdoor connects to the attacker's server and waits for commands. It collects basic system details (username, OS version, installed services and software, network configuration) and transmits them to the server. The attackers were observed using BS2005 to gather files from the compromised machine, compress them into an archive and transfer the archive to the control server. The backdoor also lets them execute remote commands, which can be used to perform all sorts of tasks on the compromised computer, including the installation of secondary payloads.

APT15's activities resurfaced in 2016, and the group has since made major changes to some of its flagship malware families, such as BS2005, Okrum, Ketrican, RoyalDNS and TidePool. The list of regions it targets has also expanded, and the group has been seen operating in the Middle East and Europe.
