When one isn’t enough: This shady malware will infect your PC with dual Trojans

by technewshero
November 15, 2019
in Security
A new malware variant with a low detection rate able to deliver multiple Trojans to infected systems has been disclosed by researchers. 

This week, the cybersecurity team at Fortinet said a recent sample of the dropper reveals the new malware is designed to drop both RevengeRAT and WSHRAT on vulnerable Windows systems. 

The sample dropper begins the infection process with JavaScript code and URL-encoded information contained in a text editor. Once decoded, the team found VBScript obfuscated with character replacements. 

This VBScript code is then able to call a Shell.Application object that generates a new script file, A6p.vbs, which fetches a payload — an additional VBScript — from an external source. 

The strings in the new code, which are also obfuscated in a likely attempt to avoid detection, pull a script file called Microsoft.vbs from a remote server and save it in the Windows temporary folder.

“Once the aforementioned code is executed, it creates a new WScript.Shell object and collects OS environment and hardcoded data, which will eventually end in running the newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the ‘//B’ parameter,” the researchers say. “This enables ‘batch-mode’ and disables any potential warnings or alerts that can occur during execution.”

A new key is then added to the Windows registry, PowerShell commands are executed to bypass execution policies, and the Revenge RAT payload is deployed. 
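The stages described above (a script host launched in batch mode on a script in the temp folder, followed by PowerShell started with its execution policy bypassed) are visible in ordinary endpoint process-creation telemetry. The following is an added illustration, not code from Fortinet or from this article: a small detection pass over constructed process-creation events whose fields mirror those of a process-start log (parent image, image, command line). The sample events, user name, and file names other than GXxdZDvzyH.vbs are constructed for the example; the rule names and the `detect` function are this example's own.

```python
"""Added example: flag the process-creation pattern the dropper chain above
would leave behind. The events are constructed samples, not captured data."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str   # command line of the newly created process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# '//B' (batch mode, suppresses script errors and prompts) as a standalone token
BATCH_FLAG = re.compile(r"(?:^|\s)//b(?:\s|$)", re.IGNORECASE)
# a script file argument that lives under a Temp directory
TEMP_SCRIPT = re.compile(r'\\temp\\[^\s"]+\.(?:vbs|vbe|js|jse|wsf)', re.IGNORECASE)
# -ExecutionPolicy Bypass, including the abbreviated parameter forms PowerShell accepts
EP_BYPASS = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule_name, command_line) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        image = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.command_line
        # Rule 1: script host run in batch mode on a script dropped in a Temp folder
        if image in SCRIPT_HOSTS and BATCH_FLAG.search(cmd) and TEMP_SCRIPT.search(cmd):
            findings.append(("batch_mode_script_from_temp", cmd))
        # Rule 2: a script host spawning PowerShell with the execution policy bypassed;
        # the parent condition keeps an administrator's own bypass out of the results
        if image in POWERSHELL and parent in SCRIPT_HOSTS and EP_BYPASS.search(cmd):
            findings.append(("script_host_spawns_policy_bypass_powershell", cmd))
    return findings


# Constructed sample events (hypothetical user "alice", hypothetical paths)
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\GXxdZDvzyH.vbs"'),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage.ps1"),
    # benign: scheduled script, no batch flag, not in Temp
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\backup.vbs"'),
    # benign: administrator bypassing policy from Explorer, not from a script host
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

Only the first two sample events are reported. The two rules deliberately look for the combination of indicators (batch flag plus Temp path; policy bypass plus a script-host parent) rather than any single one, because `//B` and `-ExecutionPolicy Bypass` each occur in legitimate administration and would otherwise generate noise. The registry persistence key and the later C2 traffic mentioned in the article are separate telemetry sources and are not covered by this process-creation check.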

Revenge RAT is a Trojan previously connected to campaigns targeting financial establishments, governments, and IT companies. 

Once deployed by the new malware dropper, Revenge RAT connects to two command-and-control (C2) servers and collects system data from the victim before transferring this information to the C2s. 

IP addresses, volume data, machine names, user names, whether or not a webcam has been detected, CPU data, language, and information relating to antivirus products and firewall installations are stolen. 

The Trojan is also able to receive commands from a C2 to load malicious ASM code in memory for additional exploits. 

However, the deployment of one Trojan is not the end of the attack chain. The malware dropper also executes WSH RAT as a payload, using the same Microsoft.vbs script with a few tweaks.

WSH RAT is often actively distributed in phishing messages masquerading as well-known banks. The Trojan is being sold publicly online on a subscription basis to threat actors. 

Version 1.6 of WSH RAT is loaded, and this malware contains more functionality than its counterpart, including methods to maintain persistence, data theft, and information processing.

Among 29 functions is the facility to check the current user’s rights, and “depending on which ones are used, it will remain as is or elevate itself (startupElevate()) to a higher user access level,” the researchers say. 

The Trojan will also perform a security check to disable the current security context.

WSH RAT focuses on stealing information harvested from popular browsers including Google Chrome and Mozilla Firefox. However, the malware also contains other features, such as executing files, rebooting the victim machine, uninstalling programs, and keylogging. 

Also of note in the malware space this month is the emergence of Emotet with new functionality. The modular malware, which has proven popular with cybercriminals, now appears to be utilizing stealth tactics once employed by Trickbot.
