Symantec recently received a new sample of Backdoor.Korplug that signs itself with a stolen certificate. It also made use of legitimate software, but this time there is something different from what was revealed in our previous blog entry.
Figure 1. Loading sequence
From the data we have seen, the attacker removed the signature on the original executable and replaced it with their own.
Figure 2. Legitimate program compiled in 2011, but signed in 2012
We compared the file, NvSmart.exe, with the originals and we can confirm that they are the same executable file.
Figure 3. NvSmart.exe and NvSmartMax.dll signed at almost the same time (only three minutes apart)
There is some evidence to suggest that the DLL is not legitimate, but malicious. Firstly, the legitimate NvSmart.exe file imports three functions from NvSmartMax.dll.
Figure 4. Imported functions from NvSmartMax.dll
When we look at the NvSmartMax.dll, file we find that it exports three functions, as shown in Figure 4. But the three functions link to an identical address and the functions do nothing.
Figure 5. Functions exported by NvSmartMax.dll do nothing
Moreover, the NvSmartMax.dll file has the same work path as the malicious executable file that we grabbed from NvSmart.dat, but the legitimate NvSmart.exe file does not.
Figure 6. The same work path as Backdoor.Korplug
Also, the NvSmartMax.dll file accesses the %UserProfile%\SXS\bug.log file that is specifically used by Backdoor.Korplug.
Figure 7. NvSmartMax.dll accesses %UserProfile%\SXS\bug.log
All of the above information suggests that the DLL can only have a malicious purpose: a loader for Backdoor.Korplug.
The attacker first chose the legitimate NvSmart.exe file and then built a bogus NvSmartMax.dll file to replace the genuine one. The two files were then signed with the stolen certificate in order to distribute them with the malicious NvSmart.dat file.
We have requested this stolen certificate be revoked.