Simda Backdoor Trojan

Simda (AKA Rloader) is a backdoor trojan that has previously been used to create a botnet with over 770,000 infected devices across multiple countries, including the UK, USA, France and Turkey.
This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Affected platforms

The following platforms are known to be affected:

Threat details

Simda can be delivered using numerous methods, including SQL injection, email spam, exploit kits or browser hijacks.

Once installed, Simda alters the hosts file to associate popular domains such as Facebook, Google and Bing with attacker-owned IP addresses. This file remains altered even when the malware is removed, providing a level of persistence. When an infected machine attempts to visit these domains, it is redirected to the new addresses, where an attacker will attempt to download further malware. The page hits generated by these redirects can be used for click fraud, or users can be served malicious adverts. Variants of Simda have also been observed redirecting users to less popular sites in an attempt to boost their search rankings. Once enrolled, the botnet can be used to perform distributed denial-of-service (DDoS) attacks or spam campaigns.
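Because the hosts-file change outlives the malware itself, checking that file is a useful post-clean-up step. The following Python script is an added example (not part of the NHS Digital alert) that parses hosts-file text and flags entries mapping the domains named above, or their subdomains, to a routable address; the sample hosts content and its addresses are constructed for illustration.

```python
import ipaddress

# Domains the advisory says Simda pins in the hosts file. An entry that
# maps one of these (or a subdomain) to a routable address is flagged.
WATCHED_DOMAINS = ("facebook.com", "google.com", "bing.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        for name in parts[1:]:
            yield ip, name.lower().rstrip(".")


def is_watched(hostname):
    """True if hostname is one of the watched domains or a subdomain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return [(hostname, ip)] for watched domains pinned to non-local IPs."""
    hits = []
    for ip, name in parse_hosts(text):
        # Loopback/unspecified pins (typical of ad-blocking lists) are
        # left alone; a routable address for these domains is the
        # redirect pattern described in the advisory.
        if is_watched(name) and not (ip.is_loopback or ip.is_unspecified):
            hits.append((name, str(ip)))
    return hits


# Constructed sample hosts file (documentation addresses, not real IoCs).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # blocklist entry, benign
203.0.113.10    www.facebook.com facebook.com
198.51.100.7    www.google.com
127.0.0.1       www.bing.com         # loopback pin, not flagged
"""

if __name__ == "__main__":
    for name, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

On a real machine, read the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` into `find_hijacked_entries` and extend `WATCHED_DOMAINS` with the domains your organisation cares about.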

Simda has several anti-detection capabilities, checking for virtual machines or analysis tools before executing, and uses numerous different exploits to maintain backdoor access, cycling between these every few hours.

The command & control (C2) infrastructure used to control Simda was previously seized by an Interpol operation in April 2015, but new iterations of the malware have begun appearing again.


Remediation advice

To prevent and detect a trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet browsing are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.
  • User accounts accessed from infected machines are reset from a clean computer.

Last edited: 17 February 2020 11:39 am