
Opendir Alert: Potential Malware Files Detected


Security researchers have identified an unprotected web directory hosting dozens of executable files, including a deprecated anti-rootkit utility historically targeted by advanced malware operators.

The repository at support[.]bankston[.]org/malware/?MD contains 47 Windows binaries, with TDSSKiller.exe – Kaspersky Lab’s discontinued rootkit removal tool – appearing alongside unverified binaries exhibiting suspicious naming conventions.

Misconfigured Server Reveals Hybrid Threat Landscape

According to the post from cyberfeeddigest, the exposed directory, running Python’s SimpleHTTPServer on port 9998, follows patterns observed in recent Rekoobe backdoor campaigns and red team tool leaks.

Analysis reveals two risk vectors:

  1. Legacy Security Software: TDSSKiller.exe (v3.1.0.21), last updated in 2016, remains vulnerable to process hollowing attacks despite its SHA-256 integrity checks. Malware families like Necurs have historically abused its digital signature to bypass heuristic analysis.
  2. Payload Delivery Infrastructure: The directory’s structure suggests staged loading mechanisms, with 32-bit/64-bit binaries mirroring the TDL-4 rootkit’s multi-architecture deployment patterns. Network traffic captures show attempted connections to 27.124.45[.]146:12345, an IP linked to recent Rekoobe C2 operations.

Security analysts emphasize that such open directories often serve dual purposes – accidental exposure of operational infrastructure and intentional distribution of obfuscated payloads.

The presence of a deprecated security tool complicates threat attribution, as both defenders and attackers historically utilized TDSSKiller for driver-level system analysis.

TDSSKiller.exe: From Remediation Tool to Attack Vector

Kaspersky’s termination of TDSSKiller updates in 2021 created an evolving threat landscape:

Technical Paradox:

  • Static Analysis Risks: The utility’s kernel-mode driver (klif.sys) lacks modern HVCI protections, enabling malicious code injection via \Device\PhysicalMemory manipulation
  • Signature Abuse: Multiple malware campaigns spoof TDSSKiller’s digital certificate to deploy cryptojackers and ransomware droppers

Recent telemetry shows a 214% increase in malicious processes masquerading as tdsskiller.exe since Q4 2024, particularly in attacks against financial institutions.

The Bankston.org directory’s TLS 1.0 configuration and missing X.509 basic constraints further suggest deliberate adversary tradecraft rather than accidental exposure.

Mitigation Strategies for Exposed Directories

Organizations should implement these defensive measures:

Network Layer Protections

  • Deploy IDS rules detecting HTTP GET patterns to /malware/ paths
  • Block egress traffic to known malicious ports 12345/TCP and 9998/TCP

Endpoint Security Enhancements

  • Replace legacy utilities with modern EDR solutions validating image certificates via RFC 3161 timestamps
  • Configure application allowlists rejecting SHA-1 signed binaries

Threat Intelligence Integration

  • Monitor VirusTotal for IOCs linked to the directory’s IP space (ASN 45102)
  • Implement SIGMA rules detecting process trees combining tdsskiller.exe with suspicious child processes

The Cybersecurity and Infrastructure Security Agency (CISA) has added the disclosed IP to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to sever connections within 24 hours.

Private sector organizations are advised to conduct forensic analysis of systems showing:

  • Unexpected TDSSKiller execution events (Event ID 4688)
  • Network flows to the /malware/ directory on bankston[.]org
  • Kernel object modifications via \Registry\Machine\System\CurrentControlSet\Services\KLIF
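The process-tree rule suggested under Threat Intelligence Integration and the Event ID 4688 review above can be prototyped on exported event data. The following script is an added example, not code from the original post or from any vendor product; the flattened one-line 4688 layout, the sample events and the list of "suspicious" child images are all constructed assumptions for illustration.

```python
import re

# Constructed sample of Windows Security Event ID 4688 records, flattened to one line each.
# Field names follow the 4688 event layout; the values are invented for this example.
SAMPLE_4688 = r"""
EventID=4688 NewProcessId=0x1a4c NewProcessName=C:\Tools\TDSSKiller.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="TDSSKiller.exe -l report.txt"
EventID=4688 NewProcessId=0x1b10 NewProcessName=C:\Windows\System32\cmd.exe ParentProcessName=C:\Tools\TDSSKiller.exe CommandLine="cmd.exe /c whoami"
EventID=4688 NewProcessId=0x1c22 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentProcessName=C:\Users\Public\tdsskiller.exe CommandLine="powershell -enc AAAA"
EventID=4688 NewProcessId=0x1d00 NewProcessName=C:\Windows\System32\notepad.exe ParentProcessName=C:\Windows\explorer.exe CommandLine="notepad.exe"
EventID=4688 NewProcessId=0x1e55 NewProcessName=C:\Windows\System32\conhost.exe ParentProcessName=C:\Tools\TDSSKiller.exe CommandLine="conhost.exe 0x4"
"""

# Assumed list of child images that a rootkit-removal tool has no legitimate reason to spawn.
# conhost.exe is deliberately absent: console tools spawn it as a matter of course.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}

# key=value pairs; a quoted value may contain spaces (CommandLine), an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_4688(line):
    """Return the fields of one flattened 4688 record, or None for anything else."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("EventID") == "4688" else None


def basename(path):
    """Lower-cased image file name, independent of the directory it was launched from."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_tdsskiller_children(log_text):
    """List (pid, child image, command line) for suspicious children of tdsskiller.exe.

    Matching on the image name rather than the full path also catches processes that
    merely masquerade as tdsskiller.exe from an unusual directory.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_4688(line)
        if not ev:
            continue
        parent = basename(ev.get("ParentProcessName", ""))
        child = basename(ev.get("NewProcessName", ""))
        if parent == "tdsskiller.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append((ev["NewProcessId"], child, ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for pid, child, cmd in flag_tdsskiller_children(SAMPLE_4688):
        print(f"[suspicious] pid={pid} child={child} cmdline={cmd!r}")
```

Each hit is a starting point for the forensic review the post recommends, not a verdict; the same parent/child test can be expressed as a Sigma rule on the `ParentImage` and `Image` fields once it has been tuned against the environment's baseline.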

This incident underscores the evolving risks of abandoned security tools in modern attack chains.

As threat actors increasingly weaponize legacy utilities, organizations must prioritize the lifecycle management of defensive software alongside continuous network monitoring.
