
Kaba

Posted: November 6, 2014

Threat Metric

Threat Level: 8/10
Infected PCs: 89
First Seen: November 6, 2014
OS(es) Affected: Windows

Kaba is one in a series of backdoor Trojans employed by the Chinese hacking group Axiom, which has conducted extensive, well-organized threat campaigns against prominent companies, non-profits and national governments around the world. Although Kaba may occupy a 'middleman' position, wherein its main purpose is to install even worse threats than itself, Kaba does include backdoor capabilities that could let third parties access a PC with minimal restraint. Deleting Kaba with anti-malware software obviously is a high-priority response, but paying proper attention to e-mail security may limit its distribution.

Why You Should Double-Check Your Documents Before Trusting in Excel

Kaba, bearing numerous aliases that include PlugX, Sogu and DestroyRAT, is a backdoor Trojan that makes contact with a remote server. This contact is meant to give third parties an entry point to issue commands, install threats or gather files. While malware experts have noted that Kaba's current level of distribution is low, this is largely due to the highly targeted nature of its attacks, which focus on government branches, NGOs and corporate entities. Kaba's usual entry method is via e-mail attachments bearing the file extensions of spreadsheets or text documents. However, Kaba also may be installed through a compromised website.

Kaba also may use different methods to run its code. Of these methods, perhaps the most infamous is the ability of some Kaba variants to abuse McAfee-brand anti-virus software, forcing those applications to load the Trojan's malicious DLL components. Separately from its variant designs, Kaba also may include consistent payload capabilities:

  • Kaba may receive instructions from a C&C server enabling Kaba to change security settings, including disabling some safety features.
  • Kaba may install secondary threats, such as the PoisonIvy RAT.
  • Files on a compromised PC may be uploaded by Kaba to its C&C server, ensuring the easy theft of information.

Keeping Your E-mail Clean of Kaba Problems

Although probable targets of Kaba campaigns by Axiom and other third parties are unlikely to be able to prevent e-mail attacks completely, they can take steps to block the installation of Kaba or similar Trojans, such as Fexel. Scanning documents that have the potential to host Kaba-installing vulnerabilities can give your anti-malware products chances to identify the threat. Installing all available updates also can ensure that non-zero-day exploits can't be used to install Kaba, although zero-day attacks may only be identifiable heuristically.
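One cheap pre-scan step that follows from the advice above is to check that an attachment claiming a spreadsheet or text-document extension actually begins with that format's container bytes, and to refuse anything that is really a Windows executable. The following is an added example written for this page, not code from the original post or from any vendor; the function names and the sample attachments are constructed for illustration, and a result of "ok" only means the claimed format matches and the file still needs a real anti-malware scan.

```python
"""Attachment sanity check: does the claimed document extension match the content?

Added example for this page. 'ok' is not a clean verdict, just 'format matches,
hand to the scanner'; exploit documents still look like ordinary .xls/.doc files.
"""
from pathlib import PurePosixPath

# Magic numbers of the container formats behind common document extensions.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx (OOXML is a ZIP)
RTF_MAGIC = b"{\\rtf"                             # Rich Text Format
PE_MAGIC = b"MZ"                                  # Windows executable or DLL

EXPECTED_MAGIC = {
    ".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC,
    ".rtf": RTF_MAGIC,
}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}


def classify_attachment(filename: str, head: bytes) -> str:
    """Return 'block', 'suspicious' or 'ok' for one attachment.

    `head` is the first bytes of the file (16 are enough for these checks).
    """
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    # "invoice.xls.exe" and PE content behind a document name are both blocked:
    # the last suffix and the magic bytes decide, not the lure name.
    if ext in EXECUTABLE_EXTS or head.startswith(PE_MAGIC):
        return "block"
    if ext in EXPECTED_MAGIC:
        # Claimed a document format: the content must start with that format's magic.
        return "ok" if head.startswith(EXPECTED_MAGIC[ext]) else "suspicious"
    # Unknown or missing extension: let the scanner and a human decide.
    return "suspicious"


def triage(attachments):
    """Classify a list of (filename, head_bytes) pairs; returns a list of (name, verdict)."""
    return [(name, classify_attachment(name, head)) for name, head in attachments]


if __name__ == "__main__":
    # Constructed samples, not real Kaba/PlugX artifacts.
    SAMPLES = [
        ("budget.xls", OLE2_MAGIC + b"\x00" * 8),   # real legacy spreadsheet container
        ("memo.docx", ZIP_MAGIC + b"\x14\x00"),     # real OOXML container
        ("report.xls.exe", PE_MAGIC + b"\x90\x00"), # double extension hiding a PE
        ("agenda.doc", PE_MAGIC + b"\x90\x00"),     # PE renamed to look like a document
    ]
    for name, verdict in triage(SAMPLES):
        print(f"{verdict:10s} {name}")
```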

Since Kaba may be installed by related threats, and install other threats as a part of its payload, any attempts to remove Kaba should use methods that can detect related threats, as well. While Kaba has many variants, prominent anti-malware brands also have developed various identification methods for this backdoor Trojan, which should provide the necessary protection when preemptive solutions falter.
