Trojan Searches for Specific File Types

Tuesday, August 16, 2016 @ 04:08 PM gHale


There is a new Trojan that will search for eleven file types and upload them to a C&C server, researchers said.

The files this infostealer targets are specific to enterprise environments, being mostly extensions associated with Microsoft Office applications.


Based on a sample of the Trojan, attackers are distributing this threat as a file named Aug_1st_java.exe, which currently has a very low detection rate on VirusTotal, 34/55.

The distribution method is currently unknown. As is the case with almost all malware programs today, when users install this Trojan, it will modify the Windows Registry to gain the ability to start automatically after the user reboots their computer.

Current versions of this unnamed infostealer Trojan disguise themselves as the process of the Google Chrome browser.

Right after it installs, the Trojan will collect data about the current computer and direct it to its C&C server, to which it sends communications via the MSMQ (Windows Message Queuing) protocol.

The data it gathers includes the computer’s name, the username, the version of Windows, the service pack version, and a list of currently installed applications.

Lawrence Abrams, malware analyst for Bleeping Computer, caught the Trojan communicating with its server located at web4solution.net.

When he contacted the company in charge of the domain, it came to light that their site had been compromised and was loading a hidden iframe that relayed traffic to the real C&C server.

The company cleaned their site, but the C&C server remained active and will continue to work, presumably with another redirect through another hacked website.

After the Trojan reports to the C&C server, it will start scanning the infected computer for eleven file types: INP, SQL, PDF, RTF, TXT, XLSX, XLS, PPTX, PPT, DOCX, and DOC.

Most of them are Office-specific extensions, but others, such as INP (Abaqus/CAE, used in engineering), SQL (used by database software), and PDF (Adobe Reader document files), belong to proprietary software usually found on enterprise networks.

The Trojan will upload all the files with these extensions to its C&C server and then write a log at C:\Users\[username]\uninst.dll.
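The two behaviours above give a defender something concrete to check for. The following script is an added example, not code from the article or from Bleeping Computer: it counts how many files with the eleven targeted extensions sit under a directory (what one infected host would leak), and checks each profile directly under a Users root for the uninst.dll log artifact. The Users layout and the sample files it builds are constructed assumptions so it runs offline.

```python
import os
import tempfile
from collections import Counter

# The eleven extensions the article lists as the Trojan's targets.
TARGET_EXTENSIONS = {".inp", ".sql", ".pdf", ".rtf", ".txt", ".xlsx",
                     ".xls", ".pptx", ".ppt", ".docx", ".doc"}
# Log file the article says is written at C:\Users\[username]\uninst.dll.
LOG_ARTIFACT = "uninst.dll"


def exposure_summary(root):
    """Count files under root with a targeted extension (case-insensitive).

    Shows what a single infected host would hand to the C&C server."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTENSIONS:
                counts[ext] += 1
    return dict(counts)


def find_log_artifacts(users_root):
    """Return usernames whose profile root contains the Trojan's log file.

    A DLL sitting directly in a profile root is unusual on its own."""
    hits = []
    for username in sorted(os.listdir(users_root)):
        profile = os.path.join(users_root, username)
        if os.path.isdir(profile) and os.path.isfile(os.path.join(profile, LOG_ARTIFACT)):
            hits.append(username)
    return hits


def build_sample_tree(base=None):
    """Constructed sample Users tree (not real data) so the checks run offline."""
    base = base or tempfile.mkdtemp()
    layout = {"alice": ["report.docx", "budget.XLSX", "notes.txt", "photo.png"],
              "bob": ["model.inp", "dump.sql", "uninst.dll"]}
    for user, names in layout.items():
        os.makedirs(os.path.join(base, user), exist_ok=True)
        for name in names:
            with open(os.path.join(base, user, name), "w") as fh:
                fh.write("sample\n")
    return base
```

On a real host, point exposure_summary at a share or profile and find_log_artifacts at C:\Users; the artifact check is only one indicator, so treat a hit as a lead for further triage rather than proof of infection.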

“Corporate cybercrime and information theft has become a very lucrative business for malware developers,” Abrams said. “Not only does it allow them to steal corporate secrets to sell to the highest bidder, but it can also provide them with undisclosed financial reports that can be used on the stock market.”