Trojan.JS.MANAGEX.A

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Se conecta a determinados sitios Web para enviar y recibir información.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\images\chromium.svg
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\images\shadow.png
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\background.html
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\background.js → contains malicious script
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\config.json → contains configuration settings
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\manifest.json → contains extension details
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\test.js
• %AppDataLocal%\Google Chrome\Chromium\User data\Default\Extensions\{Extension Installation Directory}\tr.js

Robo de información

Recopila los siguientes datos:

• OS Version
• Chrome Details
  • ID
  • Version
  • Language
  • Browser Flavor
• Location
  • Country
  • IP Address
• Date and Time

Otros detalles

Se conecta al sitio Web siguiente para enviar y recibir información:

• http://taw{BLOCKED}.com/update
• http://geo.s{BLOCKED}.com/details
• http://{BLOCKED}.ly/2ry7vC5 → contains privacy policy
• http://cun{BLOCKED}.com
• http://cab{BLOCKED}.com
• https://tr{BLOCKED}.go{BLOCKED}.com/trends/hottrends/hotItems
• d34{BLOCKED}.cloudfront.net

Hace lo siguiente:

• This Chrome extension monitors the browsing activities of a user including all tabs and windows created, whether minimized or maximized, and all the clicks that registered in the Chrome extension widget.
• It is capable of injecting a script (advia.chopsticks.js).
• It sets permission to allow access to the following Chrome APIs:
  • Management
  • Background
  • Storage
  • Cookies
  • Tabs
  • webRequest
  • webRequestBlocking
  • unlimitedStorage
  • contextMenus
  • bookmarks
  • webNavigation
  • history
  • topSites
  • activeTab
  • alarms
  • browsingData
  • clipboardRead
  • clipboardWrite
  • contentSettings
  • debugger
  • declarativeContent
  • desktopCapture
  • downloads
  • gcm
  • geolocation
  • identity
  • idle
  • nativeMessaging
  • notifications
  • pageCapture
  • power
  • printerProvider
  • privacy
  • proxy
  • sessions
  • system.cpu
  • system.display
  • system.memory
  • system.storage
  • tabCapture
  These access permissions are allowed to all sites/URLs visited