CrashReporter Backdoor
CrashReporter is a backdoor believed to have been created by the Lazarus Group advanced persistent threat or based heavily on their other tools.
It is delivered through the JMT Trader cryptocurrency trading client, which is itself available to download through a number of GitHub repositories.
This application appears to be identical to the legitimate QT Bitcoin Trader platform, suggesting CrashReporter’s operators have cloned it’s repository for their own uses. During installation, JMT Trader’s installer will extract CrashReporter and save it to the %AppData% folder, before creating the schedule task JMTCrashReporter to execute it whenever a user logs into the affected system.
Once installed, CrashReporter will connect to a command and control server to download any intended payloads, which are then installed on the affected system.
According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it wil connect back to a Command & Control server at beastgoc[.]com to receive commands.
You can read more about this here.
Indicators of Compromise
MD5 File Hashes
- 48971e0e71300c99bb585d328b08bc88
- 6058368894f25b7bc8dd53d3a82d9146
SHA1 File Hashes
- 8644da026f9e8873dd8699bd68c77a25001be726
- ec8d7264953b5e9e416b7e8483954d9907278f2f
SHA256 File Hashes
- 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
- e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55
Command and Control Server
beastgoc[.]com
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.