As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for:
- Win32/Bedep – Trojan family
- Win32/Upatre – Trojan family
- Ransom:MSIL/Samas – Ransomware family
In this blog, we’ll focus on the Bedep family of trojans.
The bothersome Bedep
Win32/Bedep was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:
JS/Axpergle and HTML/Axpergle have been known to carry and drop Bedep around by redirecting unsuspecting users to compromised websites.
Bedep is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:
All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.
- Collect information about your PC to send it off to the malware perpetrator
- Update the downloaded malware
The good thing is, Windows Defender detects and removes Bedep and its variants.
This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.
Figure 1: The map shows Win32/Bedep’s prevalence in North America, Latin America, Europe, and South East Asia in the last six months.
Figure 2: The pie chart shows the Bedep distribution among the top 10 countries for the past six months
The exploit shellcode sometimes loads Bedep directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.
It can either be installed as 32bit DLL (Backdoor:Win32/Bedep.A) or 64bit DLL (Backdoor:Win64/Bedep.A), depending on the affected Windows OS version.
This threat is initially loaded by shellcode running in an exploited browser process (for example, iexplore.exe). Then, the threat downloads a copy of itself and injects that into explorer.exe.
We’ve also seen that Bedep can drop itself as %ProgramData%<{CLSID}><filename>.dll
Example path and file names: C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll.
It then creates the following registry entries:
In subkey: HKEY_CURRENT_USERCLSID%Random CLSID%InprocServer32
Example: HKEY_CURRENT_USERCLSID{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}InprocServer32
Sets value: “ThreadingModel“
With data: “Apartment“
Sets value: “”
With data: %Bedep Filename%
Example: “C:ProgramData{9A88E103-A20A-4EA5-8636-C73B709A5BF8}acledit.dll“
In subkey: HKEY_CURRENT_USERDriveShellExFolderExtensions%Random CLSID%
Example: HKEY_CURRENT_USERDriveShellExFolderExtensions{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}
Sets value: “DriveMask“
With data: dword:ffffffff
For details about various Bedep variants, see the following malware encyclopedia entries:
Mitigation and prevention
To help stay protected from Bedep and other threats, use an up-to-date Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.
Though trojans have been a permanent fixture in the malware ecosystem, there’s still something that you or your administrators can proactively do:
- Block the IP addresses of the corresponding compromised websites soon as the administrator identifies the list of sites that Bedep maliciously redirects into.
- Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
- Disable the loading of macros in Office programs
- Disable macro loading through the Group Policy settings.
- Keep your software up-to-date to mitigate possible software exploits.
- Protect derived domain credentials with Credential Guard for Windows 10 Enterprise.
- Secure your code integrity with Device Guard for Windows 10 Enterprise.
- Secure the lateral account movement in your enterprise.
- Use two-factor authentication with Microsoft Passport and Windows Hello.
- Ensure that a strong password policy is implemented throughout the enterprise.
Jonathan San Jose
MMPC