New “YiBackdoor” Malware Lets Hackers Run Commands and Steal Data

Cybersecurity researchers at Zscaler ThreatLabz have identified a sophisticated new malware strain dubbed YiBackdoor, first detected in June 2025.

This emerging threat represents a significant evolution in backdoor technology, sharing substantial code similarities with established malware families IcedID and Latrodectus.

The discovery highlights the continuous adaptation of cybercriminal tools, as YiBackdoor demonstrates capabilities that enable threat actors to maintain persistent access to compromised hosts.

YiBackdoor’s design philosophy mirrors that of notorious banking trojans like Zloader and Qakbot, which have historically been repurposed from financial fraud tools into initial access brokers for ransomware operations.

The malware’s core functionality centers around providing attackers comprehensive control over infected systems, including the ability to collect sensitive system information, capture screenshots of user activities, execute arbitrary commands through both Command Prompt and PowerShell interfaces, and deploy additional plugins that dynamically expand its operational capabilities.

YiBackdoor incorporates sophisticated anti-analysis mechanisms specifically designed to evade detection by security researchers and automated malware analysis systems.

The malware employs multiple layers of obfuscation, beginning with dynamic API resolution through a custom hash-based lookup system that makes static analysis significantly more challenging.

The malware systematically identifies virtualized environments by executing the CPUID instruction with leaf 0x40000000 (the hypervisor vendor leaf) to detect hypervisors including VMware, Xen, KVM, VirtualBox, Microsoft Hyper-V, and Parallels.

Perhaps most notably, YiBackdoor implements a timing-based hypervisor detection mechanism that measures code execution delays characteristic of virtual machine environments.

This technique involves calling SwitchToThread followed by RDTSC instructions around CPUID calls that trigger VM exits, calculating execution times across 16 iterations to determine if the system is virtualized.

Network traffic encryption employs TripleDES with keys derived from configuration strings using the current day of the week as an offset, ensuring that encryption keys rotate automatically and making network-based detection more challenging.

Network dynamic key derivation function for YiBackdoor.

Additionally, the malware encrypts critical strings at runtime using XOR operations with unique 4-byte keys, making static string analysis ineffective for security researchers.

Sophisticated Injection

The malware demonstrates advanced process injection capabilities through an unconventional technique targeting the svchost.exe process.

Rather than creating suspended processes, YiBackdoor creates a new svchost.exe instance and patches the RtlExitUserProcess function with custom assembly code that redirects execution flow to the malware’s entry point.

This approach allows the malware to execute its payload just as the target process terminates, potentially evading security products that monitor traditional injection methods.
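One way to hunt for the injection behaviour described above, as an added detection example that is not from the Zscaler report: YiBackdoor creates its own svchost.exe instance from the regsvr32-hosted DLL, so the new svchost.exe would have regsvr32.exe (not services.exe) as its parent. The Sysmon-style process-creation records below are constructed for illustration, and treating services.exe as the only legitimate svchost.exe parent is a tuning assumption.

```python
# Added detection example (not from the Zscaler report): flag svchost.exe
# launches whose parent is not services.exe, over constructed Sysmon-style
# Event ID 1 records. Field names mirror Sysmon; the events are invented.
import re
from dataclasses import dataclass

# Constructed sample log: one key=value event per line (invented paths).
SAMPLE_EVENTS = """\
EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine="svchost.exe -k netsvcs"
EventID=1 Image=C:\\Windows\\System32\\regsvr32.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="regsvr32.exe C:\\Users\\bob\\AppData\\Roaming\\kq9z\\payload.dll"
EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\regsvr32.exe CommandLine="svchost.exe"
EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for tuning: on a normal host svchost.exe is started by services.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    cmdline: str


def parse_event(line):
    """Parse one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_svchost(log_text):
    """Return svchost.exe process creations with an unexpected parent image."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1" or basename(ev.get("Image", "")) != "svchost.exe":
            continue
        if basename(ev.get("ParentImage", "")) not in LEGIT_SVCHOST_PARENTS:
            findings.append(Finding(ev["Image"], ev["ParentImage"], ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_svchost(SAMPLE_EVENTS):
        print(f"suspicious svchost.exe parent: {f.parent} -> {f.image} ({f.cmdline})")
```

On real telemetry, pair this with a check of the RtlExitUserProcess bytes in the flagged process against the on-disk ntdll.dll, since the patch described above lives in memory only.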

For persistence, YiBackdoor establishes itself through the Windows Run registry key using a multi-stage approach.

Comparing the decryption routine from a (GZIP) IcedID downloader sample and the plugins’ decryption routine found in YiBackdoor. 

Comparison of YiBackdoor and IcedID GZIP decryption routines.

The malware copies itself to a randomly named directory, creates a registry entry pointing to regsvr32.exe with the malicious DLL path, and subsequently self-deletes the original file to hinder forensic analysis.

The registry value names are generated using pseudo-random algorithms based on the bot ID, making detection through static signatures more difficult.
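A hunting check for the persistence pattern just described, added here as an example and not taken from the report: Run key values that launch regsvr32.exe with a DLL outside the Windows or Program Files directories. The `reg query` output below is constructed, the value and directory names are invented, and the trusted-directory list is an assumption to tune per environment.

```python
# Added hunting example (not from the Zscaler report): parse `reg query`
# output for the Run key and flag regsvr32.exe entries whose DLL lives in a
# user-writable location. The sample output and all paths are constructed.
import re

SAMPLE_REG_QUERY = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Zx7qk2Lp    REG_SZ    regsvr32.exe /s "C:\\Users\\bob\\AppData\\Roaming\\h4j2sd\\core.dll"
    Updater     REG_SZ    "C:\\Program Files\\Vendor\\updater.exe" /quiet
"""

# Assumption: DLLs under these roots are treated as expected; everything else
# (user profile, ProgramData, temp) is where a self-copied loader would land.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
REGSVR_RE = re.compile(r"regsvr32(\.exe)?\b", re.I)
DLL_PATH_RE = re.compile(r'"?([a-z]:\\[^"\s]+\.dll)"?', re.I)


def parse_run_values(text):
    """Return (name, type, data) tuples from `reg query` output lines.

    Value lines are indented by four spaces and separated by runs of spaces."""
    values = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            values.append(tuple(parts))
    return values


def suspicious_run_entries(text):
    """Flag Run values that register a DLL via regsvr32 from an untrusted path."""
    findings = []
    for name, _vtype, data in parse_run_values(text):
        if not REGSVR_RE.search(data):
            continue
        m = DLL_PATH_RE.search(data)
        dll = m.group(1) if m else ""
        if dll.lower().startswith(TRUSTED_DIRS):
            continue
        # The original dropper self-deletes, so this DLL may be the only copy:
        # preserve it for analysis before removing the value.
        findings.append({"name": name, "dll": dll})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"Run value {f['name']!r} loads {f['dll']} via regsvr32")
```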

YiBackdoor’s command and control infrastructure utilizes encrypted JSON-based communication protocols with dynamic encryption keys that change daily.

The malware constructs C2 URLs using a combination of hardcoded strings, runtime-generated bot IDs, and configuration parameters, following the pattern http(s)://C2/bot_id/uri1/uri2.

The malware supports six primary command types, covering system information collection, screenshot capture, arbitrary command execution through CMD and PowerShell, and plugin management for extending functionality.

Each command response is transmitted via HTTP POST requests containing task IDs, execution status indicators, and Base64-encoded output data.

This modular approach allows threat actors to adapt the malware’s capabilities post-infection based on specific target environments and objectives, making YiBackdoor a versatile tool for various attack scenarios.

Current intelligence suggests YiBackdoor remains in development or limited testing phases, with researchers observing minimal deployment instances and configuration files containing localhost IP addresses, indicating ongoing refinement of the malware’s operational capabilities.
