Trend Micro -
While analyzing the samples, we found that the C&C server was already inactive. Without the traffic between SmileSvr and its C&C server, we could not confirm the purpose of every command handler; the backdoor functions we were able to identify from the samples themselves are listed here:
Command code   Function
0x5001         Opens/reads the specified file
0x5002         Unknown
0x5004         Opens/writes the specified file
0x5006         Opens a command shell
0x5007         Unknown
0x5009         Closes the command shell
0x500A         File system traversal
0x500C         Checks environment information
0x500E         Unknown
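When the C&C is dead, the command set has to be recovered from the binary rather than from traffic. One practical way to locate the dispatcher is to look for a cluster of compares against the command-code constants. The script below is an added example, not Trend Micro's tooling and not taken from the SmileSvr sample: it scans a byte string for x86 cmp-reg,imm32 encodings whose immediate falls in the 0x5000 range, clusters nearby hits into a dispatcher candidate, and reports any code that is not in the table above. The assumption that the dispatcher compiles to such compares, the register set, the window size and the SAMPLE bytes are all constructed for illustration.

```python
import struct

# Command codes recovered from the SmileSvr sample (the table above).
# 0x5002, 0x5007 and 0x500E are handled by the backdoor but their purpose is unknown.
KNOWN_SMILESVR_CODES = {
    0x5001: "open/read file",
    0x5002: "unknown",
    0x5004: "open/write file",
    0x5006: "open command shell",
    0x5007: "unknown",
    0x5009: "close command shell",
    0x500A: "file system traversal",
    0x500C: "check environment information",
    0x500E: "unknown",
}

# x86 encodings of "cmp <reg>, imm32". Assumption for this example: the
# dispatcher is a switch on a 32-bit command code that the compiler turned
# into such compares; other compilers or architectures need other patterns.
CMP_IMM32_PREFIXES = (
    b"\x3d",        # cmp eax, imm32 (short form)
    b"\x81\xf8",    # cmp eax, imm32
    b"\x81\xf9",    # cmp ecx, imm32
    b"\x81\xfa",    # cmp edx, imm32
    b"\x81\xfb",    # cmp ebx, imm32
)


def find_command_compares(code: bytes, lo: int = 0x5000, hi: int = 0x50FF):
    """Return sorted (offset, immediate) pairs for every cmp-reg,imm32 whose
    immediate lies in [lo, hi]."""
    hits = []
    for prefix in CMP_IMM32_PREFIXES:
        start = 0
        while True:
            i = code.find(prefix, start)
            if i < 0:
                break
            end = i + len(prefix) + 4
            if end <= len(code):
                imm = struct.unpack_from("<I", code, i + len(prefix))[0]
                if lo <= imm <= hi:
                    hits.append((i, imm))
            start = i + 1
    return sorted(hits)


def cluster_dispatchers(hits, window: int = 256, min_codes: int = 3):
    """Group compares that sit within `window` bytes of their predecessor.
    A lone constant is not a dispatcher: a cluster must contain at least
    `min_codes` distinct codes to be reported."""
    clusters, current = [], []
    for off, imm in hits:
        if current and off - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append((off, imm))
    if current:
        clusters.append(current)
    return [c for c in clusters if len({imm for _, imm in c}) >= min_codes]


def triage(code: bytes):
    """Describe the first dispatcher candidate: where it starts, which codes it
    compares against, and which of those are not in the known table.
    Returns None when no cluster is found."""
    clusters = cluster_dispatchers(find_command_compares(code))
    if not clusters:
        return None
    first = clusters[0]
    codes = sorted({imm for _, imm in first})
    return {
        "dispatcher_at": first[0][0],
        "codes": codes,
        "unknown": [c for c in codes if c not in KNOWN_SMILESVR_CODES],
    }


def _cmp(prefix: bytes, imm: int) -> bytes:
    # cmp <reg>, imm32 followed by "je +0x10", as a fake handler branch
    return prefix + struct.pack("<I", imm) + b"\x74\x10"


# Constructed sample, not real SmileSvr code: prologue-like filler, a fake
# dispatcher comparing five known codes plus one (0x5010) that is not in the
# table, a return, a NOP sled, and one stray constant far away that must not
# be reported as a dispatcher.
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x20" * 4
    + _cmp(b"\x3d", 0x5001)
    + _cmp(b"\x3d", 0x5004)
    + _cmp(b"\x81\xf9", 0x5006)
    + _cmp(b"\x3d", 0x5009)
    + _cmp(b"\x81\xf9", 0x500A)
    + _cmp(b"\x3d", 0x5010)
    + b"\xc3" + b"\x90" * 300
    + struct.pack("<I", 0x5005)
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("dispatcher at offset %d" % result["dispatcher_at"])
    print("codes:", [hex(c) for c in result["codes"]])
    print("not in table:", [hex(c) for c in result["unknown"]])
```

On a real sample, run `triage()` over the .text section bytes rather than the whole file, and widen the code range if the variant under analysis uses a different base; a code that shows up in the dispatcher but not in the table is the starting point for the next handler to reverse.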
As for the SSL version of SmileSvr, its encrypted transport is built on wolfSSL, a lightweight SSL/TLS library written in C. The backdoor functions of the SSL version are essentially the same as those of the ICMP version: the threat actors kept the command set and only swapped in a different transport so that the same data can be exchanged over an encrypted channel.
Customized Gh0st RAT
In our investigation, we also found a suspicious executable named telegram.exe. After analyzing the file, we determined that it is a customized version of Gh0st RAT. Compared with the original Gh0st RAT (Gh0st beta 3.6), the difference is that the customized version adds a function to collect information about the active sessions on the host.
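The baseline the comparison above refers to, the public Gh0st beta 3.6 source, frames every message as a 13-byte header (a 5-byte flag, "Gh0st" in the original, a 32-bit little-endian total length covering header plus body, and a 32-bit little-endian original length) followed by a zlib-compressed body whose first byte is the command token. Customized forks routinely change the flag string, and this page does not say what telegram.exe uses, so the flag is a parameter. The decoder below is an added example, not Trend Micro's code and not taken from the sample: it validates both lengths before decompressing (a decoder that trusts the original-length field can be fed a zip bomb), reassembles back-to-back frames from a stream, and is shown on a constructed frame.

```python
import struct
import zlib

GH0ST_FLAG = b"Gh0st"   # 5-byte flag of the public Gh0st beta 3.6 protocol
GH0ST_HDR_LEN = 13      # flag (5) + total length (4) + original length (4)


def build_frame(payload: bytes, flag: bytes = GH0ST_FLAG) -> bytes:
    """Encode one frame: flag | total_len | original_len | zlib(payload).
    Used here only to construct test traffic for the decoder."""
    assert len(flag) == 5, "Gh0st flags are exactly 5 bytes"
    body = zlib.compress(payload)
    return flag + struct.pack("<II", GH0ST_HDR_LEN + len(body), len(payload)) + body


def parse_frame(buf: bytes, flag: bytes = GH0ST_FLAG, max_original: int = 4 * 1024 * 1024):
    """Decode one complete frame at the start of buf.
    Returns (command_token, payload, bytes_consumed); raises ValueError on
    anything that does not check out, so a decoder never inflates blindly."""
    if len(buf) < GH0ST_HDR_LEN:
        raise ValueError("short header")
    if buf[:5] != flag:
        raise ValueError("bad flag")
    total_len, original_len = struct.unpack_from("<II", buf, 5)
    if total_len < GH0ST_HDR_LEN or total_len > len(buf):
        raise ValueError("bad total length")
    if original_len > max_original:
        raise ValueError("original length exceeds limit")
    d = zlib.decompressobj()
    # Cap the inflated size at max_original + 1 so an oversized or lying
    # frame stops decompressing instead of exhausting memory.
    payload = d.decompress(buf[GH0ST_HDR_LEN:total_len], max_original + 1)
    if d.unconsumed_tail or not d.eof or len(payload) != original_len:
        raise ValueError("decompressed length mismatch")
    if not payload:
        raise ValueError("empty payload")
    return payload[0], payload, total_len


def is_valid_frame(buf: bytes, flag: bytes = GH0ST_FLAG) -> bool:
    """True when parse_frame() accepts buf as one well-formed frame."""
    try:
        parse_frame(buf, flag)
        return True
    except ValueError:
        return False


def split_stream(stream: bytes, flag: bytes = GH0ST_FLAG):
    """Pull complete frames off a reassembled TCP stream.
    Returns (list of (token, payload), leftover bytes of an incomplete frame)."""
    frames, off = [], 0
    while off + GH0ST_HDR_LEN <= len(stream):
        total_len = struct.unpack_from("<I", stream, off + 5)[0]
        if off + total_len > len(stream):
            break   # trailing frame not fully received yet
        token, payload, used = parse_frame(stream[off:off + total_len], flag)
        frames.append((token, payload))
        off += used
    return frames, stream[off:]


# Constructed traffic: two frames whose first byte is a made-up command token
# (0x66 and 0x67; real Gh0st tokens are not reproduced here), then the first
# few bytes of a third frame that has not arrived yet.
FRAME_A = build_frame(b"\x66" + b"session-data")
FRAME_B = build_frame(b"\x67" + b"heartbeat")
STREAM = FRAME_A + FRAME_B + build_frame(b"\x68partial")[:8]

if __name__ == "__main__":
    frames, rest = split_stream(STREAM)
    for token, payload in frames:
        print("token 0x%02x payload %r" % (token, payload))
    print("leftover bytes waiting for more data:", len(rest))
```

Against a variant with a changed flag, pass the observed 5-byte string as `flag`; everything else in the framing is unchanged unless the author also altered the length fields or compression, which is exactly what a mismatch error from `parse_frame` would point to.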
All functions supported by the customized Gh0st are shown in the following table: