Description

Lethic is a backdoor trojan that connects to a Command & Control server in order to provide access to the compromised computer. Lethic is primarily used to send spam messages.

Symptoms

Lethic may attempt outbound connections to remote hosts, typically on TCP port 1430 or 8090, although other ports are also used.

Lethic may drop the following files:

  • shelldm.exe
  • xcllsx.exe

Lethic may make the following registry changes to persist across logons:

  • Modified Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Added value: 'Taskman'
    Added data: Path to malware and filename of malware
  • Modified Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
    Added value: 'Shell'
    Added data: explorer.exe followed by the path and filename of the malware, so the normal shell still starts and the user sees nothing unusual
  • Modified Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Added value: (value name not specified)
    Added data: Path to malware and filename of malware
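The following triage script is an added example, not Fortinet's code or part of this entry. It checks a live Windows host for the symptoms listed above: the three registry locations, the two dropped file names, and TCP connections to the listed ports. The file names, ports, registry keys and value names are taken from this page; the directories searched for the dropped files and the assumption that `Taskman` and a per-user `Shell` value are normally absent are the author's, and a hit should be confirmed by inspecting the referenced file.

```powershell
# Added triage example (not Fortinet's code). Run from an elevated PowerShell session.
# Indicators (file names, ports, registry locations) come from the encyclopedia entry;
# search directories and the "normally absent" baseline are assumptions.

$dropNames = @('shelldm.exe', 'xcllsx.exe')
$c2Ports   = @(1430, 8090)
$findings  = New-Object System.Collections.Generic.List[string]

# 1. HKLM Winlogon\Taskman: normally absent on a clean host, so any value is worth a look.
$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $hklmWinlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) { $findings.Add("HKLM Winlogon\Taskman is set: $taskman") }

# 2. HKCU Winlogon\Shell: the system-wide Shell lives under HKLM and should be exactly
#    'explorer.exe'; a per-user Shell is normally absent. Lethic writes
#    'explorer.exe,<path to malware>' so Explorer still launches alongside the implant.
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $hkcuWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("HKCU Winlogon\Shell is '$shell'") }

# 3. HKCU Run: the entry does not give the value name, so examine every value and flag
#    any whose data references one of the dropped file names.
$hkcuRun = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $hkcuRun -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($n in $dropNames) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                $findings.Add("HKCU Run value '$($p.Name)' -> $($p.Value)")
            }
        }
    }
}

# 4. Dropped files: the entry does not say where they land, so search common drop
#    locations (assumed list; extend it for your environment).
$searchRoots = @($env:SystemRoot, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -Include $dropNames -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Dropped file candidate: $($_.FullName)") }
}

# 5. Live or attempted C&C connections to the listed ports, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $c2Ports -contains $_.RemotePort } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("TCP $($_.RemoteAddress):$($_.RemotePort) state $($_.State) from PID $($_.OwningProcess) ($proc)")
    }

if ($findings.Count -eq 0) { 'No Lethic indicators found.' } else { $findings }
```

Check 5 only sees connections present at the moment the script runs; for a host that beacons intermittently, pair it with firewall or proxy logs filtered on destination ports 1430 and 8090. A hit on any check identifies a file to submit for scanning, not proof of infection on its own.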

Analysis

Lethic attempts to connect to a remote C&C server on various ports. Once a connection is established, the operator may gain remote access to, or complete control of, the infected system. Lethic typically uses infected machines to send spam.

Instructions

It is not recommended that any attempts to remove this family of malware be performed manually. Fortinet recommends running a full scan of your system using FortiClient Endpoint Protection to remove this threat.
