Threat Research & Response Blog
Recently we discovered an advanced backdoor sample - VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level.
Figure 1: Hooked functions in NDIS_OPEN_BLOCK
This means that backdoor-related TCP traffic will be diverted to the private TCP/IP stack and delivered to the backdoor, as illustrated in Figure 2.
Figure 2: The NDIS-level backdoor
VirTool:WinNT/Exforel.A implements the following backdoor functionalities:
The NDIS-level backdoor used by VirTool:WinNT/Exforel.A is much more low-level and stealthy than that used by traditional backdoors – there is no connecting/listening port so it is more difficult to notice. The backdoor traffic is completely invisible to user-mode applications.
This sample appears to be used for a specific attack targeting a certain organization.
Chung Feng-MMPC Melbourne