Banking Trojan Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated Mon, 16 Sep 2024 22:59:36 +0000

Trojan:Win32/Fauppod!ml
https://gridinsoft.com/blogs/trojanwin32-fauppod-ml/
Published Thu, 12 Sep 2024 15:25:21 +0000

Trojan:Win32/Fauppod!ml is a machine-learning-based detection that Microsoft Defender assigns without naming a specific malware family. Detections of this kind are triggered by behavior and file characteristics rather than by a signature. Even so, this particular name is worth taking seriously: in the samples we have seen, it flags the activity of an infostealer trojan that goes after banking credentials.

Trojan:Win32/Fauppod!ml Overview

Trojan:Win32/Fauppod!ml is a generic detection name that Microsoft Defender assigns to files flagged by its machine-learning engine. In the cases we have analyzed, it points at an infostealer that primarily targets banking data. The "!ml" suffix marks a machine-learning verdict rather than a traditional signature match. As Microsoft collects more information about a sample's behavior, such detections are usually replaced with a more specific family name.

Trojan:Win32/Fauppod!ml detection window (screenshot)

As mentioned above, Fauppod's main goal is to steal credentials for online accounts, and login credentials for online banking in particular.

The main distribution channels are malicious email attachments (Word or Excel documents) and downloads from untrustworthy sources, such as game mods and other files hosted on dubious sites. Although the malware is built around banking data, it is not selective about its victims and collects information from every category of user.

Fauppod Analysis

Let's take a closer look at how Fauppod!ml behaves on the system. The first thing the sample does after launching is check whether another copy is already running. It does so by creating and opening the following mutexes:

\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex
\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex

One caveat for anyone turning this into a hunt: both names are also created by the Internet Explorer zone manager (urlmon.dll) in any process that loads it, so they show up in sandbox reports for plenty of legitimate software. On their own they are weak indicators and should not be used as a signature.

Since this sample is a DLL, it needs a host process to run, and it relies on the legitimate rundll32.exe for that. The malware copies rundll32.exe to the temporary folder (C:\Users\User\AppData\Local\Temp\rundll32.exe) and uses that copy to load its DLL, a form of process hijacking that keeps the hosting process off the System32 path that security tools expect.

Next, the malware checks the UAC status and whether anti-malware software is present. It reads the following registry keys to fingerprint the system (the Uninstall key, for example, lists installed programs, including security products) before deciding how to disable defenses and establish persistence:

HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Fauppod Execution

The malware runs the following command lines to load its DLL and carry out its main function:

C:\Users\User\AppData\Local\Temp\rundll32.exe rpl909.zip.dll
"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain

After that, the malware deploys its payload and injects into legitimate processes, which lets it operate without raising suspicion from security software. The sandbox run also recorded wmiadap.exe, svchost.exe and cmd.exe, all legitimate Windows binaries. The processes observed during execution were:

wmiadap.exe /F /T /R
%windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
%windir%\system32\wbem\wmiprvse.exe
%windir%\System32\svchost.exe -k WerSvcGroup
13f43b565119f43f7155f96cafa8b05d.exe
C:\Windows\System32\loaddll32.exe "C:\Users\user\Desktop\init.dll"
C:\Windows\SysWOW64\cmd.exe /C rundll32.exe "C:\Users\user\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\init.dll",#1
C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Desktop\init.dll,_Clockcould@8
C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Desktop\init.dll,_DllRegisterServer@0
C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Desktop\init.dll,_Representfinish@4

A few of these entries deserve comment. The svchost.exe instance in WerSvcGroup hosts the Windows Error Reporting service; malware does inject into service hosts to mask its actions, but WER also starts by itself whenever a process crashes, and the watson.microsoft.com request in the next section is exactly such a crash report for rundll32.exe, so this entry alone does not prove injection. The wmiadap.exe and wmiprvse.exe entries are WMI housekeeping that runs in almost any Windows session, and loaddll32.exe is an analysis-sandbox helper that loads a submitted DLL and calls each of its exports, which is why init.dll is seen invoked with several different export names. The 13f43b565119f43f7155f96cafa8b05d.exe executable, on the other hand, appears to be part of the payload.
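Below is an added example, not code from the original report or from the malware itself, showing how a practitioner would triage a process list like the one above automatically. It flags rundll32.exe running outside System32/SysWOW64, DLLs loaded from user-writable folders, and exports called by ordinal or decorated name, while labelling the known background processes instead of flagging them. The record format, the BACKGROUND table, the helper names and the SAMPLE_EVENTS list are assumptions made for this example; the event lines mirror the command lines quoted above.

```python
"""Process-creation triage for the rundll32 patterns seen above (added example).

Each record is an (image path, command-line arguments) pair as a sandbox or EDR
would log it. Well-known background processes are labelled, not flagged.
SAMPLE_EVENTS is constructed for this example from the command lines above.
"""
import re
from dataclasses import dataclass, field

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\desktop\\", "\\downloads\\", "\\appdata\\roaming\\")

# Processes that show up in nearly every Windows sandbox run; not findings by themselves.
BACKGROUND = {
    "wmiadap.exe": "WMI performance-counter refresh (wmiadap /F /T /R)",
    "wmiprvse.exe": "WMI provider host",
    "dllhost.exe": "COM surrogate",
    "loaddll32.exe": "analysis-sandbox helper that loads a submitted DLL and calls its exports",
}

# rundll32 syntax: <dll>,<export>; export is "#<ordinal>" or a name.
RUNDLL_RE = re.compile(r'^\s*"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
DECORATED_RE = re.compile(r"^_\w+@\d+$")  # stdcall-decorated name such as _Clockcould@8


@dataclass
class Verdict:
    image: str
    args: str
    reasons: list = field(default_factory=list)
    background: str = ""  # set when the process is expected OS/sandbox activity


def _split(path):
    """Return (lower-cased directory, lower-cased file name) of a Windows path."""
    head, _, tail = path.strip('"').lower().rpartition("\\")
    return head, tail


def rundll_arg_reasons(args):
    """Reasons derived from a rundll32 argument string alone."""
    reasons = []
    m = RUNDLL_RE.match(args)
    dll = m.group("dll") if m else args.strip().strip('"')
    export = m.group("export") if m else None
    dll_dir, dll_name = _split(dll)
    if any(frag in dll_dir + "\\" for frag in USER_WRITABLE):
        reasons.append(f"DLL loaded from user-writable path: {dll}")
    if dll_name.count(".") >= 2:
        reasons.append(f"DLL name with extra extension: {dll_name}")
    if export:
        if export.startswith("#"):
            reasons.append(f"export invoked by ordinal {export}")
        elif DECORATED_RE.match(export):
            reasons.append(f"decorated stdcall export name {export}")
        elif export.lower() == "dllmain":
            reasons.append("DllMain invoked explicitly as an export")
    return reasons


def triage(image, args):
    head, name = _split(image)
    v = Verdict(image, args)
    if name in BACKGROUND:
        v.background = BACKGROUND[name]
    elif name == "svchost.exe" and "-k wersvcgroup" in args.lower():
        v.background = "Windows Error Reporting service host"
    elif name == "rundll32.exe":
        if head not in SYSTEM_DIRS:
            v.reasons.append(f"rundll32.exe running from non-system directory: {head or '<relative>'}")
        v.reasons += rundll_arg_reasons(args)
    elif name == "cmd.exe":
        inner = re.search(r"rundll32(?:\.exe)?\s+(.*)", args, re.I)
        if inner:
            v.reasons.append("cmd.exe used as an extra hop to start rundll32")
            v.reasons += rundll_arg_reasons(inner.group(1))
    return v


def triage_all(events):
    return [triage(image, args) for image, args in events]


def suspicious(verdicts):
    return [v for v in verdicts if v.reasons]


# Constructed from the command lines in the report above.
SAMPLE_EVENTS = [
    (r"C:\Users\User\AppData\Local\Temp\rundll32.exe", "rpl909.zip.dll"),
    (r"C:\Windows\System32\rundll32.exe",
     r"C:\Users\A4148~1.MON\AppData\Local\Temp\b81d42902b581dd9fea37c4b6a8ff180.19772.dll,DllMain"),
    (r"C:\Windows\System32\wbem\wmiadap.exe", "/F /T /R"),
    (r"C:\Windows\System32\svchost.exe", "-k WerSvcGroup"),
    (r"C:\Windows\System32\loaddll32.exe", r'"C:\Users\user\Desktop\init.dll"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'/C rundll32.exe "C:\Users\user\Desktop\init.dll",#1'),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Users\user\Desktop\init.dll,_Clockcould@8"),
]

if __name__ == "__main__":
    for v in triage_all(SAMPLE_EVENTS):
        label = "background: " + v.background if v.background else ("SUSPICIOUS" if v.reasons else "no finding")
        print(f"{v.image} {v.args}\n  {label}")
        for r in v.reasons:
            print("   -", r)
```

Run as written, the script marks four of the seven records as suspicious (the Temp copy of rundll32, the Temp DLL with DllMain, and the two init.dll loads from the Desktop) and labels the WMI, WER and sandbox-loader entries as background. Treat the output as a prioritisation aid: the rundll32 checks are the high-signal ones, and the "extra extension" check is there only because both DLL names in this report have one.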

Fauppod Connections

The sandbox captured both a request to a Microsoft host on a standard port and connections to bare IP addresses on non-standard ports. The Microsoft-bound request was:

GET http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B

Traffic to a Microsoft host on a standard port is easy to wave through, which is why malware likes to hide among it. This particular request, however, is not the malware talking: it is a Windows Error Reporting StageOne report. Its path encodes the crashing application (rundll32.exe, version 6.1.7600.16385) and the exception code (c0000005, an access violation), so what it records is the hijacked rundll32 instance crashing in the sandbox and the OS reporting it. The connections that actually point at a command-and-control server are the ones to bare IP addresses on unusual ports. In our case these are:

97.107.127.161:443
45.33.94.33:5037
159.89.91.92:5037
158.69.118.130:1443

Some of the IP addresses in the list (and quite a few others omitted for readability) belong to compromised websites. This is a common tactic: attackers use a hacked site as an intermediate command server, so the request looks legitimate to anyone who later examines the traces.
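The following added example, which is not part of the original report, performs both checks on the indicators above: it decodes the WER StageOne URL quoted earlier to confirm what crashed, and scores each destination on whether it is a bare IP and whether the port is one a web service would normally use. The WER URL is the one from the report; the host:port form of the destination list and the COMMON_WEB_PORTS table are assumptions made for this example.

```python
"""Classifying the connections above (added example, not from the original report).

Decodes a Windows Error Reporting "StageOne" URL and scores raw IP:port
destinations. The WER URL is quoted from the report; DESTINATIONS and the
port table are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# NTSTATUS codes that commonly appear in WER crash reports.
EXCEPTION_NAMES = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "c00000fd": "STATUS_STACK_OVERFLOW",
    "80000003": "STATUS_BREAKPOINT",
}

# Ports on which a connection to a bare IP is at least plausible web traffic.
COMMON_WEB_PORTS = {80, 443, 8080, 8443}


@dataclass
class CrashReport:
    application: str
    app_version: str
    module: str
    exception_code: str
    exception_name: str
    os_version: str


def parse_wer_stageone(url):
    """Decode a WER StageOne URL; return None if the URL is not one.

    Path layout: /StageOne/<app>/<app ver>/<app stamp>/<module>/<mod ver>/
                 <mod stamp>/<exception code>/<offset>.htm
    WER writes '.' in file names and versions as '_'.
    """
    parts = urlsplit(url)
    if not parts.hostname or not parts.hostname.lower().endswith("watson.microsoft.com"):
        return None
    segs = parts.path.strip("/").split("/")
    if len(segs) != 9 or segs[0] != "StageOne":
        return None
    app, app_ver, _stamp, module, _mver, _mstamp, exc, _offset = segs[1:]
    qs = parse_qs(parts.query)
    return CrashReport(
        application=app.replace("_", "."),
        app_version=app_ver.replace("_", "."),
        module=module,
        exception_code=exc.lower(),
        exception_name=EXCEPTION_NAMES.get(exc.lower(), "unknown"),
        os_version=qs.get("OS", ["?"])[0],
    )


def classify_destination(dest):
    """Return the reasons a 'host:port' destination looks like C2 (empty if none)."""
    host, _, port = dest.rpartition(":")
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP, no hostname")
    except ValueError:
        pass  # a hostname, not an IP literal
    if int(port) not in COMMON_WEB_PORTS:
        reasons.append(f"uncommon port {port}")
    return reasons


WER_URL = ("http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/"
           "StackHash_1abe/0_0_0_0/00000000/c0000005/fd8b3a80.htm"
           "?LCID=1040&OS=6.1.7601.2.00010100.1.0.48.17514&SM=LENOVO&SPN=64755N2"
           "&BV=7UET92WW%20(3.22%20)&MID=F2EC8DC6-EB4A-4B44-95EF-9B81DC7C287B")

# Destinations from the report above plus the WER host, written as host:port.
DESTINATIONS = [
    "watson.microsoft.com:80",
    "97.107.127.161:443",
    "45.33.94.33:5037",
    "159.89.91.92:5037",
    "158.69.118.130:1443",
]

if __name__ == "__main__":
    crash = parse_wer_stageone(WER_URL)
    print(f"WER report: {crash.application} {crash.app_version} crashed with "
          f"{crash.exception_code} ({crash.exception_name}) on Windows {crash.os_version}")
    for d in DESTINATIONS:
        reasons = classify_destination(d)
        print(f"{d:24} {'C2 candidate: ' + ', '.join(reasons) if reasons else 'nothing unusual'}")
```

The decoded report says rundll32.exe 6.1.7600.16385 died with STATUS_ACCESS_VIOLATION on Windows 6.1.7601 (Windows 7 SP1), which is what you would expect from a loader crashing inside its hijacked host. Of the destinations, only the watson host passes clean; 97.107.127.161:443 is flagged solely for being a bare IP, and the three remaining addresses are flagged on both counts.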

Is Trojan:Win32/Fauppod!ml a False Detection?

As noted above, Trojan:Win32/Fauppod!ml is a heuristic, machine-learning detection, which means it can produce false positives. Heuristic methods analyze file patterns, behaviors and structural elements rather than matching predefined signatures, so legitimate software with uncommon characteristics or behaviors may be flagged as suspicious. In such cases the anti-malware vendor usually corrects the verdict after some time and the file stops being flagged.

How to Remove Trojan Fauppod?

If you encounter Trojan:Win32/Fauppod!ml and are unsure whether it is a false detection or a real threat, a second opinion from a third-party anti-malware scanner is an effective way to settle it. GridinSoft Anti-Malware can both confirm and rule out the threat. Use the instructions below to scan your device.

The post Trojan:Win32/Fauppod!ml appeared first on Gridinsoft Blog.

Mobile Malware Threat Landscape — 2022 Summary
https://gridinsoft.com/blogs/mobile-malware-threat-landscape-summary/
Published Mon, 13 Mar 2023 22:58:13 +0000

Today, a smartphone is much more than a way to call someone. Our phones hold valuable information: private photos, logins, and passwords for online banking. No wonder scammers try every possible way to get into them. Unfortunately, malware developers have mastered mobile platforms and continue to target their users.

Distribution Methods

Although official app stores such as Google Play and the App Store are considered the safe way to install apps, cybercriminals sometimes use them to spread malware. According to the statistics, mobile attacks leveled off after declining in the second half of 2021 and stayed at about the same level throughout 2022. Fraudsters nevertheless kept using Google Play as a distribution channel: in 2022, several mobile Trojans that covertly subscribed victims to paid services were found there.

In addition to the previously known Joker and MobOk families, experts found a new one called Harly. It has been active since 2020, and by 2022 users had downloaded Harly malware from Google Play 2.6 million times. Over the past year, scammers also distributed fraudulent apps that promised social payments or lucrative energy investments. Another source of malware is in-app advertising: a modified WhatsApp build with malicious code inside was spread through advertisements in the Snaptube app and the Vidmate app store.

Sharkbot malware hiding under the guise of antivirus software (screenshot of a fake antivirus app)

Some malicious applications masquerade as legitimate utilities. The Sharkbot banking Trojan downloader, for instance, is disguised as an antivirus app. What gives it away is that it requests permission to install additional packages and then downloads the files the Trojan needs to run on the victim's device. Law enforcement did score a win in 2022: Europol coordinated the shutdown of the servers of FluBot (aka Polph or Cabassous), the largest mobile botnet of recent times. However, downloaders for other banking Trojan families, such as Sharkbot, Anatsa, Coper, and Xenomorph, could still be found on Google Play.
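As an added example that is not part of the original post, here is one way to triage a decoded AndroidManifest.xml for the capability mix described above: the right to install further packages, which a dropper needs, combined with the SMS, overlay and accessibility rights that the banking Trojans it drops rely on. The permission-to-risk table, the verdict rules, both manifests and their package names are constructed for this example; it assumes the binary manifest has already been decoded from the APK (for instance with apktool).

```python
"""Permission triage for a suspected mobile dropper (added example, not from the original post).

Scans a decoded AndroidManifest.xml for the permission set a "fake antivirus"
dropper needs and for the rights typical of the banking Trojans it installs.
Both manifests below are constructed for this example; the package names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional APKs (dropper)",
    "android.permission.SEND_SMS": "can send SMS (premium-rate or subscription fraud)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (one-time-code interception)",
    "android.permission.READ_SMS": "can read the SMS inbox",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay phishing)",
}
# Granted on a <service> element, not requested through <uses-permission>.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMISSIONS = ("android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS")


def scan_manifest(xml_text):
    """Return {permission: reason} for every risky capability declared in the manifest."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    found = {p: why for p, why in RISKY_PERMISSIONS.items() if p in requested}
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == ACCESSIBILITY:
            found[ACCESSIBILITY] = "binds an accessibility service (can read screens and tap for the user)"
    return found


def verdict(found):
    """Summarise the capability mix in one line."""
    dropper = "android.permission.REQUEST_INSTALL_PACKAGES" in found
    banker = ACCESSIBILITY in found or "android.permission.SYSTEM_ALERT_WINDOW" in found
    sms = any(p in found for p in SMS_PERMISSIONS)
    if dropper and (banker or sms):
        return "dropper with banker/SMS capabilities"
    if dropper:
        return "dropper"
    if banker or sms:
        return "banker/SMS capabilities"
    return "nothing risky"


# Constructed: a "security scanner" that can install packages and abuse accessibility.
FAKE_AV_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.superscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Super Scanner">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed: a harmless app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake AV", FAKE_AV_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = scan_manifest(xml)
        print(f"{name}: {verdict(found)}")
        for perm, why in found.items():
            print(f"  {perm}: {why}")
```

The point of the second loop is that BIND_ACCESSIBILITY_SERVICE never appears in a uses-permission element; a scanner that only reads those will miss the capability that most modern banking Trojans depend on. The verdict is a triage label, not a detection: a legitimate app store client also requests REQUEST_INSTALL_PACKAGES, so the combination with SMS or accessibility rights is what matters.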

Another popular infection vector in 2022 was mobile gaming. Attackers distribute malicious and unwanted software disguised as pirated versions of games or as game cheats, most often for Roblox, PUBG, Minecraft, Grand Theft Auto, and FIFA. The main sources of such malware are unofficial channels: dubious websites and groups on social networks.

Mobile cyberthreat statistics

According to the statistics, potentially unwanted software of the RiskTool type topped the list for 2022 with 27.39%, displacing adware, which took 24.05%. Compared to the previous year, the shares of RiskTool and adware fell by 7.89 and 18.38 percentage points respectively. Third place went to other malware such as Trojans, whose share rose by 6.7 percentage points to 15.56%. As for the geography of mobile threats, the ten countries most attacked by mobile malware are shown below:

Mobile threats map (figure)

Rank  Country        Share (%)
1     China          17.70
2     Syria          15.61
3     Iran           14.53
4     Yemen          14.39
5     Iraq            8.44
6     Saudi Arabia    6.78
7     Kenya           5.52
8     Switzerland     5.44
9     Pakistan        5.21
10    Tanzania        5.15

Chinese users were most affected by the Najin Trojan, which abused SMS messages. Users in Syria and Iran were mostly hit by the WhatsApp modification carrying a spyware module. As in previous years, most attacks in 2022 involved malware proper, at 67.78%. Compared with 2021, the share of adware rose from 16.92% to 26.91%, and that of RiskWare from 2.38% to 5.31%.

The most frequently detected mobile malware

Trojans bothered users the most. Such malware is disguised as a legitimate program and can send text messages, call specified numbers, show ads, and hide its icon on the device. WhatsApp modifications with a spyware module were also common, as were fake apps that promised benefit payments and apps that subscribed the user to paid SMS services.

RiskTool apps

RiskTool apps make payments by sending text messages without notifying the user, usually money transfers to other people or payment for a mobile subscription. Among the RiskTool apps detected, SMSreg (36.47%), Dnotua (26.19%), and Robtes (24.41%) led the ranking.

Mobile adware

The Adlo family accounted for the most detected adware installers in 2022, at 22.07%; these are mostly useless fake apps whose only function is to download ads. Ewind came second with 16.46%, and HiddenAd third with 15.02%.

Mobile banking Trojans

In 2022, experts detected 196,476 mobile banking Trojan installers, the highest figure in six years and roughly double the previous year's. The Bray family, which mainly attacked users in Japan, accounted for 66.40% of all detected banking Trojans, followed by Fakecalls with 8.27% and the Bian banker with 3.25%. Of all mobile banking Trojans active in 2022, one Bian variant also accounted for the largest share of attacked users, more than half of them in Spain. Saudi Arabia followed, and Australia came third, with most victims there encountering the Gustuff banker.

Mobile Ransomware Trojans

Mobile ransomware attacks, which began to decline in 2021, continued to fall through 2022. The Pigetrl lockscreen Trojan led with 75.10% of all mobile ransomware and was also among the twenty most frequently detected mobile malware types. The Rkor locker came second; it blocks the screen and demands that the user pay a fine for illegal content they supposedly viewed. Most users attacked by mobile ransomware in 2022 were in China, Yemen, and Kazakhstan.

Although the number of attacks fell in 2021, it stabilized in 2022. Cybercriminals keep improving both malware functionality and distribution vectors, and malware is increasingly spread through legitimate channels. Users therefore need to be careful when installing apps and should avoid tapping ad banners even in legitimate apps, since the app developer does not always know what the ads in their app contain.

The post Mobile Malware Threat Landscape — 2022 Summary appeared first on Gridinsoft Blog.

What is the worst computer virus? Figuring out
https://gridinsoft.com/blogs/worst-computer-virus/
Published Wed, 27 Jan 2021 14:41:37 +0000

What is the worst computer virus? Anyone who has ever been infected seems to ask this question, and every user thinks their own case was worse than anyone else's. Is that true, and which virus is really the worst?

It is worth noting that "computer viruses" are not only viruses. Nowadays the term is used loosely for all types of malicious programs, but strictly speaking viruses are just one type of malware, alongside backdoors, coin miners, spyware, and ransomware. You can read more about how that usage came about in our article.

The worst computer virus – what is it like?

First, let's settle what "the worst computer virus" means. Different malware does different kinds of damage, and all of it is unwanted: malware can break your network configuration and system settings, encrypt your files, or even damage your hardware. The most dangerous specimens hurt every part of your system at once. Some aim to make money off you; others simply make your life harder. Here is our top-5 list of the worst computer viruses, starting with the least dangerous.

5th place. Coin miner trojan

This malware uses your hardware to mine cryptocurrencies, mainly Monero and DarkCoin. What is the risk for your computer? First of all, it puts a heavy load on your hardware, often 70-90% on both CPU and GPU. That easily leads to overheating, which shortens the lifespan of the components, and GPUs in particular wear out much faster under constant mining load. Laptops are at the greatest risk: their cooling systems are not designed for permanently overloaded hardware.

Coin miner consuming most of the CPU capacity (screenshot); antivirus software cannot work properly under such load

The other side of the problem is that modern coin miner trojans sometimes carry a spyware module, which means your personal data will not stay personal for long. See the next section.

4th place. Spyware

Spyware is designed to steal all the personal information it can from a victim's PC: location, language settings, cookie files, search history, hours of activity, even the PC configuration. Depending on whether the attack is mass or targeted, this information is sold to third parties or used for further attacks. Spyware is extremely quiet: it tries to stay on the system as long as possible in order to collect more data. Most specimens can also capture your conversations, so don't be surprised if very private information ends up available to everyone.

The scheme of spyware actions (figure)

Its stealth makes spyware a tough nut for antivirus programs. Security tools often struggle to detect it correctly with a heuristic engine, and even when they do, the verdict is usually a "generic" one, which users sometimes dismiss as a false positive and ignore.

3rd place. Banking trojans

What can be worse than having your personal information stolen? Having your banking information stolen. And we are not talking only about card numbers and CVV codes; they matter, but they are almost useless without transaction approval. Modern banking trojans go after your online banking login and password. With those, crooks are free to manage your money.

The page displayed by the most primitive banking trojans (screenshot)

Banking trojans are sometimes bundled with other malware: embedded in spyware, rogue software, or phishing trojans. Since they target well-protected things, namely online banking login forms, they are written by professionals. Ignoring their effectiveness is a bad idea, unless you are ready to watch the zeros disappear from your bank account, or a large credit line get opened in your name.

2nd place. Wiper virus

This type of malware has always been rare, but its danger should not be underestimated. A wiper destroys your disk partitions. It is not about making money off you; it exists for revenge or mischief. With the partition table broken, you lose access to all your files and to the operating system: UEFI can no longer find the boot record, and what remains on the disks is an unstructured jumble of bytes. Wipers are so rare that some anti-malware programs do not even carry them in their detection databases.

Such a program needs driver-level access to your system, so expect the hazard to come from software that pretends to be a driver updater, a "system optimization tool," or some other deep-configuration utility. Such tools are already considered risky because of their questionable functionality, and the chance of having your logical disks ruined adds to the danger.

1st place. Ransomware, the worst computer virus ever

What is more painful than having your disk partitions destroyed? Having your files encrypted. Partitions can often be recovered with specialized tools run from a LiveCD, but files encrypted by ransomware generally cannot be repaired. Decryption tools exist for several ransomware families, but none of them guarantees that you will get your files back. Paying the ransom, typically $1000 or more, is no guarantee either: you are relying on criminals to keep their word.

Ransomware note (screenshot)

Ransomware uses strong encryption: AES-256, RSA-1024, RSA-2048, or even ECC. Brute-forcing it would take longer than the universe has existed. The only lucky chance of getting your files back without paying is to be hit by ransomware with a flawed design. One well-known family with flaws in its key handling is HiddenTear, but its more modern variants have those holes fixed. Another route to a decryption key is to wait for the ransomware group to shut down and release its keys, but that too comes with no guarantee.

Ransomware also does heavy damage to your system configuration. To prevent the use of anti-malware software, it blocks access to the websites of security vendors (typically the ones listed on VirusTotal) and blocks the launch of antivirus installers. That means your HOSTS file, along with Group Policies, has been significantly altered. If you only remove the ransomware without restoring the system, you will probably see it malfunction.
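As an added example that is not part of the original article, the following script audits a Windows HOSTS file for exactly this kind of tampering: it parses the file's syntax (one address followed by one or more names, with # comments) and reports any name under a security-vendor domain that is mapped to a dead address (sinkholed) or to some other address (redirected). The VENDOR_DOMAINS list is a short illustrative one and SAMPLE_HOSTS is constructed for the example; on a live system you would read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Audit a Windows HOSTS file for sinkholed or redirected security-vendor domains
(added example, not from the original article).

VENDOR_DOMAINS is illustrative and SAMPLE_HOSTS is constructed for this example;
on a real system read %SystemRoot%\\System32\\drivers\\etc\\hosts instead.
"""
from dataclasses import dataclass

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
VENDOR_DOMAINS = ("gridinsoft.com", "virustotal.com", "malwarebytes.com", "kaspersky.com")


@dataclass(frozen=True)
class Finding:
    hostname: str
    address: str
    kind: str      # "sinkhole" (dead address) or "redirect" (some other address)
    line_no: int


def _vendor_match(hostname):
    """True if hostname is a vendor domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each effective line of a hosts file."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # an address with no names is inert
        yield n, fields[0], fields[1:]


def audit_hosts(text):
    """Return a Finding for every vendor hostname the file overrides."""
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                continue                        # the one mapping that belongs there
            if _vendor_match(name):
                kind = "sinkhole" if addr in SINKHOLE_ADDRESSES else "redirect"
                findings.append(Finding(name, addr, kind, n))
    return findings


# Constructed sample: the stock Microsoft header plus lines an intruder might add.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.virustotal.com virustotal.com
127.0.0.1 gridinsoft.com       # added by the intruder
203.0.113.7 download.malwarebytes.com
127.0.0.1 intranet.example.test
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
```

On the sample file the audit reports the two VirusTotal names and gridinsoft.com as sinkholed and download.malwarebytes.com as redirected to 203.0.113.7 (a documentation address standing in for an attacker-controlled host), while leaving the localhost lines and the unrelated intranet entry alone. The redirect case is the more dangerous one: a vendor's update or download host pointed at a foreign address can serve a trojanised installer rather than merely failing.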

Share this article and tell us your opinion on the worst computer virus in the comments. We will add the most interesting suggestions to the text, so describe them well. Good luck!

The post What is the worst computer virus? Figuring out appeared first on Gridinsoft Blog.
