Siberia 2 – this time it’s personal

An update for those of you following the saga that is Pushdo (1, 2).

We’re still seeing the unusual API calls, but recent variants add two slight twists to this theme. Firstly, they check memory for the presence or absence of a “nop” instruction (the single-byte x86 opcode 0x90), partly to throw emulators even further off the scent: an emulator that has patched, hooked or simply not mapped that byte returns something other than what the real code would see. Secondly, they use new offsets to pluck numbers directly out of operating-system memory, so the values only come out right on a genuine Windows host. The following example uses both of these tactics:

[Screenshot: Pushdo calculations 4]
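To make the anti-emulation idea concrete, here is a small Python model of an environment-keyed check, added for this write-up and not Pushdo’s own code. It reads the sample’s own code byte (is the nop still there?) and a dword from OS memory, mixes both into a key, and uses that key to unpack a payload; on a real host the payload decrypts, under a naive emulator it does not. The addresses, mixing constants, the “OS” value and the stub payload are all constructed for illustration (0x7FFE0000 is simply where Windows maps KUSER_SHARED_DATA and stands in for whatever structure the real samples read; their actual offsets are not reproduced here).

```python
"""Model of an environment-keyed unpacking check (constructed illustration, not Pushdo code)."""

NOP = 0x90  # single-byte x86 nop opcode

# Constructed addresses: a code byte the sample inspects, and a stand-in for an
# OS-populated structure (0x7FFE0000 is where Windows maps KUSER_SHARED_DATA).
CODE_ADDR = 0x00401000
OS_ADDR = 0x7FFE0000


class Memory:
    """Byte-addressable memory built from (base, bytes) regions.

    Unmapped reads return 0, which is what a naive emulator tends to hand back
    for pages it never populated.
    """

    def __init__(self, regions):
        self.regions = list(regions)

    def read_u8(self, addr):
        for base, data in self.regions:
            if base <= addr < base + len(data):
                return data[addr - base]
        return 0

    def read_u32(self, addr):
        return int.from_bytes(bytes(self.read_u8(addr + i) for i in range(4)), "little")


def derive_key(mem, code_addr=CODE_ADDR, os_addr=OS_ADDR):
    """Key = f(nop present at code_addr?, dword read from the OS structure).

    Both inputs are free for a real host to provide and awkward for an emulator
    to fake: one is the sample's own code byte, the other lives in OS memory.
    """
    nop_present = 1 if mem.read_u8(code_addr) == NOP else 0
    os_value = mem.read_u32(os_addr)
    # Multiplicative mix with two arbitrary odd constants; any wrong input wrecks the key.
    return (os_value * 0x9E3779B1 + nop_present * 0x5BD1E995) & 0xFFFFFFFF


def xor_with_key(blob, key):
    """Symmetric 4-byte XOR keystream; used both to 'encrypt' and to unpack."""
    keystream = key.to_bytes(4, "little")
    return bytes(b ^ keystream[i % 4] for i, b in enumerate(blob))


def unpack_payload(mem, blob):
    return xor_with_key(blob, derive_key(mem))


# --- Constructed environments -------------------------------------------------
# Real host: the nop is where the sample expects it and the OS field is populated.
REAL_HOST = Memory([
    (CODE_ADDR, b"\x90\x90\xe8\x00\x00\x00\x00"),
    (OS_ADDR, (0x0A280105).to_bytes(4, "little")),  # constructed OS value
])
# Emulator: it planted a breakpoint where the nop was and never mapped the OS structure.
EMULATOR = Memory([
    (CODE_ADDR, b"\xcc\x90\xe8\x00\x00\x00\x00"),
])

# Constructed stub of the carried payload (a PE header start), encrypted against the real host's key.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
ENCRYPTED = xor_with_key(PAYLOAD, derive_key(REAL_HOST))

if __name__ == "__main__":
    print("real host:", unpack_payload(REAL_HOST, ENCRYPTED)[:2])  # b'MZ'
    print("emulator :", unpack_payload(EMULATOR, ENCRYPTED)[:2])   # not b'MZ'
```

The point for anyone writing an emulator or generic unpacker is that there is no branch to patch: the key is wrong rather than the check failing, so the layer simply never decrypts unless the environment reads the same way a real Windows box does.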

The dropper is detected proactively as Troj/Pushdo-Gen, and the files it drops and injects are all detected as Troj/Pushu-Gen. The latest variants pile up more of these layers than usual, but the debug symbol path left in each component still lets us anchor them as before: the dropper injects a sys file into memory (Install.pdb), which drops a second sys file to disk (protect.pdb), which injects a third sys file into memory (InnerDrv.pdb), which in turn injects a fourth sys file into memory (Loader.pdb).
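Pulling those symbol names out is what lets an analyst tell one layer from the next, whether the component was dropped to disk or only ever existed in memory. The following Python scanner is an added example (not Sophos or Pushdo code) that carves CodeView “RSDS” records out of any byte blob, a file or a memory dump, and maps a chain of blobs to the PDB basenames that label them. The sample blobs, their paths and GUIDs are constructed; only the four basenames come from the post.

```python
"""Carve CodeView RSDS (PDB 7.0) records out of raw bytes (added example, constructed samples)."""
import struct
import uuid

RSDS = b"RSDS"
HEADER = struct.Struct("<16sI")  # after the signature: 16-byte GUID, then 32-bit age


def find_pdb_records(blob):
    """Return [(guid, age, pdb_path)] for every RSDS record found in blob.

    A linear scan rather than walking the PE debug directory, so it also works
    on carved files and memory dumps where the headers are missing or damaged.
    """
    records = []
    pos = blob.find(RSDS)
    while pos != -1:
        start = pos + len(RSDS)
        if start + HEADER.size <= len(blob):
            raw_guid, age = HEADER.unpack_from(blob, start)
            end = blob.find(b"\x00", start + HEADER.size)  # path is NUL-terminated
            if end != -1:
                path = blob[start + HEADER.size:end].decode("utf-8", "replace")
                # Filter stray 'RSDS' byte sequences: a real record ends in a .pdb path.
                if path.lower().endswith(".pdb"):
                    records.append((str(uuid.UUID(bytes_le=raw_guid)), age, path))
        pos = blob.find(RSDS, pos + 1)
    return records


def pdb_basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def anchor_chain(blobs):
    """Label each blob in a drop/inject chain with its PDB basename (None if it has none)."""
    labels = []
    for blob in blobs:
        recs = find_pdb_records(blob)
        labels.append(pdb_basename(recs[0][2]) if recs else None)
    return labels


def make_sample(path, guid, age=1):
    """Constructed stand-in for a binary: padding, an RSDS record, more padding."""
    return (b"\x00" * 32 + b"MZ" + RSDS + HEADER.pack(guid.bytes_le, age)
            + path.encode("utf-8") + b"\x00" + b"\x90" * 16)


# Constructed chain carrying the four symbol names from the post; paths and GUIDs are invented.
SAMPLES = [
    make_sample(r"X:\constructed\Install.pdb", uuid.UUID(int=1)),
    make_sample(r"X:\constructed\protect.pdb", uuid.UUID(int=2)),
    make_sample(r"X:\constructed\InnerDrv.pdb", uuid.UUID(int=3)),
    make_sample(r"X:\constructed\Loader.pdb", uuid.UUID(int=4)),
]

if __name__ == "__main__":
    for stage, name in enumerate(anchor_chain(SAMPLES), 1):
        print(f"layer {stage}: {name}")
```

Because the scan does not depend on a valid PE header, the same function can be pointed at a dump of the injected region for the in-memory layers (Install, InnerDrv, Loader) and at the file on disk for protect.pdb.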

Each of the files in this chaotic chain has a chilly subtext similar to before, in a boring “sequel” fashion:

[Screenshot: Pushdo Siberia2]

Is “Siberia3” next, or can we expect a spin-off perhaps? Stay tuned for further developments.