Trojan Reappears after 9 Years

Wednesday, June 1, 2016 @ 11:06 AM gHale


New versions of the Bayrob Trojan have surfaced – after nine years.

First discovered in the spring of 2007, researchers saw the last big Bayrob campaign later on that fall.

RELATED STORIES
APT Attacker’s Malware of Choice
Hosting Firm Used in Attacks
German Nuke Infected with Malware
Gold Mining Company Hacked

Ever since then, the Trojan disappeared until this past winter and then two weeks ago, when new versions of the attack started reappearing, according to Sarah (Qi) Wu and He Xu, researchers at Fortinet.

Initial descriptions categorized this malware as a Trojan that sets up a proxy server in order to steal sensitive information from compromised computers.

These recent versions didn’t change that much but only added small tweaks here and there, mainly to make reverse engineering harder and to avoid detection on infected targets.

New versions of Bayrob now clone themselves in order to launch multiple processes, each having its own malicious routine, researchers said in a blog post.

Since the Trojan is within other files, to avoid situations where the user double-clicks a file and nothing happens, Bayrob shows an error message telling them the file doesn’t work with their version of Windows and that they need to upgrade. Of course, this is a static message and will show regardless of platform.

When stealing and exfiltrating information, Bayrob also encrypts the data, which prevents researches and security products from detecting its actions.

C&C server communications are also different now, and Bayrob uses a custom protocol over TCP/IP to talk to its server, also encrypted.

Additionally, Bayrob features strong code obfuscation and dead code to avoid detection and deter researchers from taking a closer look.