CrashReporter Backdoor

CrashReporter is a backdoor believed to have been created by the Lazarus Group advanced persistent threat or based heavily on their other tools.

It is delivered through the JMT Trader cryptocurrency trading client, which is itself available to download through a number of GitHub repositories.

This application appears to be identical to the legitimate QT Bitcoin Trader platform, suggesting CrashReporter’s operators have cloned its repository for their own uses. During installation, JMT Trader’s installer will extract CrashReporter and save it to the %AppData% folder, before creating the scheduled task JMTCrashReporter to execute it whenever a user logs into the affected system.

Once installed, CrashReporter will connect to a command and control server to download any intended payloads, which are then installed on the affected system.

According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it will connect back to a Command & Control server at beastgoc[.]com to receive commands.

You can read more about this here.

Indicators of Compromise

MD5 File Hashes

  • 48971e0e71300c99bb585d328b08bc88
  • 6058368894f25b7bc8dd53d3a82d9146

SHA1 File Hashes

  • 8644da026f9e8873dd8699bd68c77a25001be726
  • ec8d7264953b5e9e416b7e8483954d9907278f2f

SHA256 File Hashes

  • 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641
  • e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55

Command and Control Server

beastgoc[.]com
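As an added example (not code from the post or its author), below is a small Python triage script that checks endpoint telemetry against the indicators listed above: file digests against the published hashes, a scheduled-task export for the JMTCrashReporter persistence task (or any task running a CrashReporter binary out of %AppData%), and DNS logs for lookups of beastgoc[.]com, refanged for matching. The hashes, task name and domain are the ones in the post; the CSV column names, the DNS log line format and the sample exports are assumptions constructed for the dry run.

```python
import csv
import hashlib
import io
import re

# Indicators of compromise as listed in the post above.
IOC_HASHES = {
    "md5": {
        "48971e0e71300c99bb585d328b08bc88",
        "6058368894f25b7bc8dd53d3a82d9146",
    },
    "sha1": {
        "8644da026f9e8873dd8699bd68c77a25001be726",
        "ec8d7264953b5e9e416b7e8483954d9907278f2f",
    },
    "sha256": {
        "9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641",
        "e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55",
    },
}
C2_DOMAIN = "beastgoc[.]com"    # defanged, as published in the post
TASK_NAME = "JMTCrashReporter"  # persistence task created by the JMT Trader installer


def refang(indicator: str) -> str:
    """Turn a defanged indicator (beastgoc[.]com) back into a matchable domain."""
    return indicator.replace("[.]", ".").lower()


def digest_matches(algo: str, hexdigest: str) -> bool:
    """Check one digest (e.g. from an EDR or AV export) against the IoC list.
    Digests are lowercased so an uppercase export does not cause a miss."""
    return hexdigest.strip().lower() in IOC_HASHES.get(algo, set())


def hash_matches(data: bytes) -> list:
    """Hash a file's bytes with every listed algorithm; return the ones that hit."""
    return [algo for algo in IOC_HASHES
            if digest_matches(algo, hashlib.new(algo, data).hexdigest())]


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Parse a CSV export of scheduled tasks (assumed columns: TaskName,
    Task To Run, Schedule Type) and flag the CrashReporter persistence task,
    by exact name or by a CrashReporter binary launched from under AppData."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        command = row.get("Task To Run", "")
        by_name = name.split("\\")[-1] == TASK_NAME
        by_path = re.search(r"\\AppData\\.*CrashReporter", command, re.IGNORECASE) is not None
        if by_name or by_path:
            hits.append({"TaskName": name, "Task To Run": command,
                         "Schedule Type": row.get("Schedule Type", "")})
    return hits


def find_c2_lookups(dns_log: str) -> list:
    """Return (client, name) pairs for DNS queries to the C2 domain or a subdomain
    of it. Assumes a 'client=<ip> query=<name>' line format (constructed).
    Matching on the label boundary avoids false hits such as notbeastgoc.com."""
    c2 = refang(C2_DOMAIN)
    hits = []
    for line in dns_log.splitlines():
        m = re.search(r"client=(\S+)\s+query=(\S+)", line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname == c2 or qname.endswith("." + c2):
            hits.append((client, qname))
    return hits


# Constructed sample exports for a dry run; not real telemetry.
SAMPLE_TASKS_CSV = """\
"TaskName","Task To Run","Schedule Type"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly"
"\\JMTCrashReporter","C:\\Users\\alice\\AppData\\Roaming\\CrashReporter.exe","At logon time"
"\\OneDrive Update Task","C:\\Users\\alice\\AppData\\Local\\OneDrive\\Updater.exe","Daily"
"""

SAMPLE_DNS_LOG = """\
2019-10-12T09:58:01Z client=10.0.0.5 query=update.microsoft.com type=A
2019-10-12T09:58:07Z client=10.0.0.5 query=beastgoc.com type=A
2019-10-12T09:59:30Z client=10.0.0.9 query=notbeastgoc.com type=A
2019-10-12T10:01:02Z client=10.0.0.5 query=cdn.beastgoc.com. type=A
"""

if __name__ == "__main__":
    for task in find_suspicious_tasks(SAMPLE_TASKS_CSV):
        print("persistence task:", task)
    for client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C2 lookup:", client, "->", qname)
    print("benign bytes hit:", hash_matches(b"constructed benign content"))
```

On a live host the CSV would come from `schtasks /query /fo CSV /v` (whose real export has more columns than the sample; only the three used here need to be present), and `hash_matches` would be fed the bytes of CrashReporter.exe found under %AppData%.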

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
