Team9 backdoor is malicious software designed to compromise and damage computer systems. It infiltrates a system through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The malware consists of two main components: the loader and the backdoor. The loader's core functionality is to download the Team9 backdoor component from the command and control server, in particular when the '-p' parameter has been passed on the command line. Each domain hosts two versions of the Team9 backdoor on different URIs, one for each Windows architecture (32-bit and 64-bit); the use of two domains likely serves as a backup method.
The Team9 loader and backdoor components can be identified by unique mutex names such as mn_185445, {589b7a4a-3776-4e82-8e7d-435471a6c03c}, and ld_201127. Several URIs have been identified that likely serve the 32-bit and 64-bit versions of the Team9 loader and backdoor. For the loader variant these include /api/v117, /api/v118, /api/v119, /api/v120, /api/v85, /api/v86, /api/v87, and /api/v88. For early variants of the loader, the URIs include /api/v108, /api/v107, /api/v5, /api/v6, /api/v7, and /api/v8.
An interesting aspect of the Team9 backdoor is its decryption method. Unlike the loader, which decrypts network replies received from the command and control server using the host's date as the key, the Team9 backdoor uses the bot ID as the key. An early development version of the Team9 backdoor was also analyzed. The loader contains two domains under the '.bazar' top-level domain that point to the Team9 backdoor, underlining the layered, multi-stage nature of this malware.
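The indicators listed above (loader URIs, mutex names and the '.bazar' domains) lend themselves to a simple host- and network-side check. The following Python script is an added example written for this description, not code from the original analysis: it scans constructed proxy-style log lines and a constructed list of observed mutex names for those indicators. The log line format, the host names (example.bazar, www.example.com) and the client addresses are all assumptions made for the example.

```python
"""
Added example (not part of the original Team9 description): match proxy-style
log lines and observed mutex names against the Team9 indicators quoted in the
description. Log format, host names and client IPs below are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the description above.
LOADER_URIS = {"/api/v117", "/api/v118", "/api/v119", "/api/v120",
               "/api/v85", "/api/v86", "/api/v87", "/api/v88"}
EARLY_LOADER_URIS = {"/api/v108", "/api/v107", "/api/v5", "/api/v6",
                     "/api/v7", "/api/v8"}
KNOWN_MUTEXES = {"mn_185445",
                 "{589b7a4a-3776-4e82-8e7d-435471a6c03c}",
                 "ld_201127"}

# Assumed (constructed) log format: "<timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_request(url):
    """Return the list of indicator tags a URL matches (empty if none).

    A '.bazar' host is tagged on its own; the request path is compared
    against the current and early loader URI sets from the description.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host.endswith(".bazar"):
        reasons.append("bazar-tld")
    if parts.path in LOADER_URIS:
        reasons.append("loader-uri")
    elif parts.path in EARLY_LOADER_URIS:
        reasons.append("early-loader-uri")
    return reasons


def scan_log(lines):
    """Return (client, url, reasons) for every line matching an indicator.

    Lines that do not fit the assumed format are skipped rather than
    raising, so one malformed record does not abort the whole scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify_request(m.group("url"))
        if reasons:
            hits.append((m.group("client"), m.group("url"), reasons))
    return hits


def scan_mutexes(observed):
    """Return the sorted subset of observed mutex names that are Team9 IoCs."""
    return sorted(set(observed) & KNOWN_MUTEXES)


# Constructed sample input: two loader-style fetches from a '.bazar' host,
# one benign host that happens to share a path, one unrelated request and
# one malformed record.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET http://example.bazar/api/v118",
    "2024-05-01T10:00:02Z 10.0.0.5 GET http://example.bazar/api/v5",
    "2024-05-01T10:01:00Z 10.0.0.7 GET https://www.example.com/api/v117",
    "2024-05-01T10:02:00Z 10.0.0.9 GET https://www.example.com/index.html",
    "this line is not in the expected format",
]
SAMPLE_MUTEXES = ["Global\\SomeAppMutex", "ld_201127", "mn_185445"]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(reasons)}")
    print("mutex matches:", scan_mutexes(SAMPLE_MUTEXES))
```

The path-only match on www.example.com shows why the URI list should be weighted lower than a '.bazar' host or a mutex hit: `/api/vNNN` paths are generic enough to appear on legitimate services, so in practice a loader-URI tag is best treated as corroborating evidence alongside the domain or the host-side mutex observation rather than as a standalone alert.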
Description last updated: 2024-05-04T18:06:56.971Z