PUP(potentially unwanted program) packages that install’s along with Chinese software’s consist of backdoors targeting English speakers. The backdoor was uncovered by Malware bytes research team by analyzing a China-developed WiFi hotspot application.

Distribution of Backdoor

These backdoors are being dropped by one of the major PUP bundler networks and then the bundler runs the installation hidden with argument /silent.

Installer will drop a set of 7zip files, in the middle of those files there are two driver files with same functionality one for 32-bit windows and other for 64-bit Windows.

Malicious backdoor Targets

According to Malware bytes at the entry point, drivers will check for the operating system types, if that dosen’t fall in it’s compatibility list then the driver will not load.

Targetted Windows Versions

This driver will not load if your windows version v1607.

Application packed with backdoor

Clearly, some Chinese developer really didn’t want their backdoor to be discovered, said by Zammis Clark.

Searching on VirusTotal enabled me to find several Chinese applications with similar drivers including the very same backdoor Zammis Clark.

The latest version of the mentioned Chinese calendar application no longer has the driver.

Proof of concept

POC for this HelpDetectWz functionality to load an unsigned driver is available. It includes binaries for both X86 and X64 systems which will bug check the system when loaded.

Also Read: