Trojan.Heloag Downloader Analysis
Trojan.Heloag is a Trojan horse designed to manage the installation of other malware on the infected PC. This malcode gives complete control to the attacker and enables them to install arbitrary malcode on the PC. This one appeared in our zoo recently, and after reading in an AV writeup about a possible DDoS capability within it, we investigated. Upon detailed inspection, this bot does not appear to have any DDoS capabilities built into it; it appears only to manage downloads on the infected PC.
Many of the samples analyzed were downloaded from 7zsm.com or elwm.net. The malware may download additional files from those domains. We do not know how big this botnet is, but we do see a handful of users in the wild.
Once launched, the malware will install itself in the WINDOWS directory. Names we have observed include:
The malware then installs a registry key to ensure that it starts when the user logs on:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon = [filename]
Where [filename] refers to the installed filename from above.
It then makes a connection to the C&C server for the botnet, often on TCP port 8090, to register itself and await commands. Traffic is usually preceded by a single byte to indicate the message purpose:
- 01 – initial hello
- 02 – keep alive, idle message
- 03 – download the named file
- 04 – connect to other peers
- 05 – send hostname to server
- 06 – clear
- 07 – close connection
An initial “HELLO” would therefore look like this:
where HOSTNAME is the Windows name of the computer. We often see a bot connect and get download commands for new EXEs to load onto the PC.
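To illustrate how the single-byte message prefixes above can be used when reviewing captured C&C traffic, here is an added decoder (our example, not code from the original analysis). The opcode table comes from the list above; the assumption that each message is one opcode byte followed by an ASCII payload, one message per TCP segment, is ours, and the sample session is constructed.

```python
"""Decode Trojan.Heloag-style C&C messages for defensive triage.

Added example, not code from the original writeup. The opcode table is the
one documented there; the message layout (one opcode byte followed by an
ASCII payload, one message per TCP segment) is our assumption.
"""
from typing import List, Tuple

# Opcode byte -> purpose, as documented in the analysis
HELOAG_OPCODES = {
    0x01: "hello",
    0x02: "keepalive",
    0x03: "download",
    0x04: "connect_peers",
    0x05: "hostname",
    0x06: "clear",
    0x07: "close",
}

def decode_message(segment: bytes) -> Tuple[str, bytes]:
    """Split one TCP segment into (purpose, payload); unknown opcodes and
    empty segments are labelled rather than dropped."""
    if not segment:
        return ("empty", b"")
    purpose = HELOAG_OPCODES.get(segment[0], f"unknown_0x{segment[0]:02x}")
    return (purpose, segment[1:])

def looks_like_heloag_session(segments: List[bytes]) -> bool:
    """Heuristic for flow review: the session opens with a 01 hello and every
    later segment carries a documented opcode."""
    if not segments or decode_message(segments[0])[0] != "hello":
        return False
    return all(not decode_message(s)[0].startswith("unknown") for s in segments[1:])

# Constructed sample of a bot's TCP 8090 conversation (not a real capture)
SAMPLE_SESSION = [
    b"\x01WORKSTATION-7",   # hello carrying the Windows hostname
    b"\x02",                # idle keep-alive
    b"\x03update.exe",      # download the named file (constructed name)
    b"\x07",                # close connection
]

if __name__ == "__main__":
    for purpose, payload in map(decode_message, SAMPLE_SESSION):
        print(f"{purpose:<14} {payload!r}")
    print("heloag-like:", looks_like_heloag_session(SAMPLE_SESSION))
```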
Trojan.Heloag infected hosts often download other malcode over HTTP from a central server, and can also connect to other bots over TCP, often using ports 7000-7010. It’s unclear what the purpose of this is, but it appears to be some form of peer-to-peer
Antivirus uses a handful of aliases for these samples. They aren’t consistent, which isn’t surprising, and the data on this downloader is very thin, as well. AV names we’ve seen include:
- Microsoft – Backdoor:Win32/Heloag.A
- Symantec – Suspicious.Insight
- F-Secure – Suspicious:W32/Malware!Gemini
- McAfee – Trojan.Crypt.XPACK.Gen
- Trend Micro – PAK_Generic.001
We are tracking a handful of these controllers around the Internet, a few dozen or so.