The October release of the Malicious Software Removal Tool (MSRT) is directly related to a Coordinated Malware Eradication (CME) initiative led by Novetta and with the help of many other security partners: F-Secure, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT. Collaboration across private industry is crucial to addressing advanced persistent threats.
The target in this campaign is an advanced persistent threat that served as the infrastructure of actors that launched targeted attacks against multiple organizations around the world. This month, the MSRT along with all of the partners in our Virus Information Alliance program are releasing new coverage for this infrastructure: Win32/Hikiti and some of the related malware families, Win32/Mdmbot, Win32/Moudoor, Win32/Plugx, Win32/Sensode, and Win32/Derusbi.
Novetta has released an executive summary on this threat, which contains the initial findings of the impact of these families. It will be followed up with a more detailed report in a few weeks as our partners in this CME campaign work together to assess the overall impact of the operation.
A bit of history about Hikiti. We first detected the Hikiti family in 2012. The name Hikiti is associated with the Hikit string usually found as a part of a PDB file:
Figure 1: Hikiti is associated with the Hikit string usually found in a PDB file
Hikiti is usually installed after a machine has been compromised through an exploit. For instance, we’ve seen the vulnerability discussed in CVE-2013-3893 being exploited to install Hikiti as a payload.
Once this threat successfully enters a system it can install other malware. In some cases other malware are installed first and then install other members of the group. This can include the following, mostly backdoor malware families:
- Mdmbot
- Moudoor
- Plugx
- Sensode
- Derusbi
Similar to these families, Hikiti’s main payload is to act as a backdoor to give a malicious hacker access to download and run remote commands to control the system and steal sensitive information.
Some Hikiti versions drop an encrypted configuration (.conf) that contains the hosts that the malware tries to connect to. The encryption is usually XOR and the key is DWORD. Figure 2 shows an example of this .conf file being decrypted:
Figure 2: Hikiti .conf file being decrypted
To help protect yourself from Hikiti and other threats, run up-to-date, real-time security software, such as Microsoft Security Essentials or another trusted security software product. For more information about Hikiti and related threats, be sure to review the executive summary released by Novetta.
In a few weeks, we will follow up with an update on this campaign and provide more details on how it came together, its impact, and what we learned during the process.
If you are interested in working with Microsoft and other trusted security researchers in the industry by participating in a campaign, or, better yet, leading one like Novetta did, please read our CME page to find out more about the program, including how to apply.
Francis Tan Seng & Holly Stewart
MMPC