If we take into consideration that some of the Command and Control (C

The tools deployed on the victim’s computer allow them to control it remotely and to record the user’s actions. The malware allows the criminals to install a backdoor, attempt to obtain the account password, and even create a new account. They also install a keylogger, a clipboard stealer, a smart card module, and have the capability to download and execute additional malware.

Our telemetry for the malware families linked to this campaign is shown below. Most detections we have for these threats are located in Russia. Our telemetry also shows that the tools used by this campaign are not widespread. This reinforces our assumption that these attackers are likely focusing primarily on businesses.

If the user opens the malicious attachments on a vulnerable system, an NSIS-packed trojan downloader will be dropped and executed. It will make several checks on the machine, first looking for malware researcher tools or evidence that the malware is run in a virtual machine, exiting if it finds any. It will also check whether the Windows locale is Russian (1049) and uses “FindFirst/NextUrlCacheEntry” and the registry key “Software\Microsoft\Internet Explorer\TypedURLs” to know whether URLs matching the following patterns were visited on the computer:

*ICPortalSSL

It will also check to see if any of the applications below is running on the machine:

ip-client.exe

The list of processes is quite exhaustive and does not contain only banking applications. It includes, for example, “scardsvr.exe”, which is Microsoft’s SmartCard reader.
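Two of the behaviours described above leave traces that endpoint telemetry can catch: a document handler dropping and launching an executable from a user-writable path, and a process that is not a browser reading Internet Explorer's `TypedURLs` key to profile the victim. The following is an added hunting example, not code from the original article or from the researchers who wrote it. The event records, their field names (`event_type`, `image`, `parent_image`, `target_object`), the list of document-handling parents and the list of browsers are all constructed assumptions, not the schema of any particular EDR or Sysmon configuration; registry *reads* in particular are only visible if object-access auditing is enabled for that key.

```python
"""Hunt for attachment-dropper and TypedURLs-profiling behaviour in endpoint events.

Added example with constructed telemetry; field names and process lists are
assumptions and must be mapped onto the real sensor's schema before use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed applications that open mailed attachments (parents of a dropper).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
# Assumed legitimate readers of the TypedURLs key.
BROWSERS = {"iexplore.exe", "explorer.exe"}

# Registry key named in the article, matched case-insensitively anywhere in the path.
TYPED_URLS_KEY = re.compile(r"software\\microsoft\\internet explorer\\typedurls", re.I)
# User-writable locations where a downloader is usually dropped (assumption).
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata\\local\\temp)\\", re.I)


@dataclass
class Finding:
    rule: str     # which rule fired
    image: str    # executable name (basename) the finding concerns
    detail: str   # human-readable explanation for the analyst


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[Finding]:
    """Run both rules over a list of event dicts and return the findings in order."""
    findings: list[Finding] = []
    for ev in events:
        kind = ev["event_type"]
        img = basename(ev["image"])
        if kind == "process_create":
            parent = basename(ev["parent_image"])
            # Rule 1: a document handler spawning a binary from a user-writable path.
            if parent in DOCUMENT_HANDLERS and USER_WRITABLE.search(ev["image"]):
                findings.append(Finding(
                    "attachment_dropper", img,
                    f"{parent} spawned an executable from a user-writable path: {ev['image']}"))
        elif kind == "registry_read":
            # Rule 2: anything but a browser reading the TypedURLs history key.
            if TYPED_URLS_KEY.search(ev["target_object"]) and img not in BROWSERS:
                findings.append(Finding(
                    "typedurls_profiling", img,
                    f"non-browser process read {ev['target_object']}"))
    return findings


# Constructed sample telemetry: two benign events interleaved with two suspicious ones.
SAMPLE_EVENTS = [
    {"event_type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\winword.exe",
     "image": r"C:\Users\acct\AppData\Local\Temp\invoice.exe"},
    {"event_type": "registry_read",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target_object": r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"},
    {"event_type": "registry_read",
     "image": r"C:\Users\acct\AppData\Local\Temp\invoice.exe",
     "target_object": r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"},
    {"event_type": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run against the constructed sample, the script reports the dropped `invoice.exe` twice: once for being launched by a document handler from `Temp`, and once for reading `TypedURLs`. Both rules are intentionally narrow; the process-list check the article describes is not observable from ordinary logs, so it is left out rather than guessed at.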