“Twin Flower” Campaign Jacks Up Network Traffic, Downloads Files, Steals Data
Additional Insights and Analysis by Bren Matthew Ebriega, Shawn Moreño, and William Gamazo Sanchez
We analyzed samples related to a new Twin Flower campaign, which are detected as PUA.Win32.BoxMini.A, Trojan.JS.TWINFLOWER.A, and TrojanSpy.JS.TWINFLOWER.A. The "Twin Flower" campaign (a rough translation of its Chinese name) was first detected by Jinshan security researchers in 2018 and described in a report published in Chinese. The files are believed to be downloaded unknowingly by users who visit malicious sites, or dropped onto the system by other malware.
The potentially unwanted application (PUA) detected as PUA.Win32.BoxMini.A is either a component or the main executable of a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:
- %System%\cmd.exe /c "%User Temp%\RarSFX0\start.bat"
- %User Temp%\RarSFX0\{malware name}
Trojan.JS.TWINFLOWER.A connects to a URL and downloads a file, which it renames when storing it. It also connects to other URLs to inflate those sites' page views. Before downloading, it checks for the following processes, most of which are traffic inspection, analysis, or debugging tools, and skips its download routine if any of them is running on the affected system:
- chkencap.exe
- dbg.exe
- fiddler.exe
- HipsDaemon
- hookme.exe
- httpanalyze
- networktrafficview.exe
- sniff.exe
- softice.exe
- tcpmon
- windgb.exe
- wireshark.exe
- wsockexpert
Defense Against Malicious Attacks
Indicators of Compromise
| SHA-256 | Trend Micro Pattern Detection |
| --- | --- |
| 076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479 | PUA.Win32.BoxMini.A |
| 3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95 | PUA.Win32.BoxMini.A |
| ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626 | PUA.Win32.BoxMini.A |
| 83991f45954c0fa063bd946ef3ec298563d24db08616620af9980e3bbeae7b31 | Trojan.JS.TWINFLOWER.A |
| 01671d8a04b832523b9c7c6feda22179ce197860cd37b9e6cf2ae12cae1bb49b | TrojanSpy.JS.TWINFLOWER.A |
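As an added defender-side example (not part of the original report), the Python helper below triages a sample by first matching its SHA-256 against the IoC table above and, when there is no hash match, flagging script bodies that reference several of the analysis-tool process names Trojan.JS.TWINFLOWER.A checks for before downloading. The JScript fragment and the three-hit threshold are constructed assumptions, not real campaign material.

```python
import hashlib

# SHA-256 values and detection names taken from the report's IoC table.
KNOWN_HASHES = {
    "076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479": "PUA.Win32.BoxMini.A",
    "3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95": "PUA.Win32.BoxMini.A",
    "ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626": "PUA.Win32.BoxMini.A",
    "83991f45954c0fa063bd946ef3ec298563d24db08616620af9980e3bbeae7b31": "Trojan.JS.TWINFLOWER.A",
    "01671d8a04b832523b9c7c6feda22179ce197860cd37b9e6cf2ae12cae1bb49b": "TrojanSpy.JS.TWINFLOWER.A",
}

# Analysis-tool process names Trojan.JS.TWINFLOWER.A looks for before downloading.
ANALYSIS_TOOLS = [
    "chkencap.exe", "dbg.exe", "fiddler.exe", "HipsDaemon", "hookme.exe",
    "httpanalyze", "networktrafficview.exe", "sniff.exe", "softice.exe",
    "tcpmon", "windgb.exe", "wireshark.exe", "wsockexpert",
]

def find_tool_references(script_text, min_hits=3):
    """Return (matched tool names, flagged) for a script body.

    Matching is case-insensitive. The three-hit threshold is an assumption
    chosen so a script mentioning a single tool in passing is not flagged.
    """
    lowered = script_text.lower()
    hits = [tool for tool in ANALYSIS_TOOLS if tool.lower() in lowered]
    return hits, len(hits) >= min_hits

def triage(sample_bytes, min_hits=3):
    """Hash-match a sample against the IoC table; otherwise run the heuristic."""
    digest = hashlib.sha256(sample_bytes).hexdigest()
    if digest in KNOWN_HASHES:
        return {"verdict": KNOWN_HASHES[digest], "sha256": digest, "tools": []}
    text = sample_bytes.decode("utf-8", errors="ignore")
    hits, flagged = find_tool_references(text, min_hits)
    verdict = "suspicious: anti-analysis process check" if flagged else "no match"
    return {"verdict": verdict, "sha256": digest, "tools": hits}

# Constructed JScript fragment (not a real Twin Flower sample) carrying the kind
# of blocklist the report describes; note the mixed case on Wireshark.
SAMPLE_SCRIPT = b"""
var stopList = ["fiddler.exe", "Wireshark.exe", "HipsDaemon", "tcpmon"];
if (anyRunning(stopList)) { WScript.Quit(); }
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SCRIPT))
```

The hash path only catches the five files listed above; the string heuristic is a triage aid for new variants and its hits still need analyst review, since legitimate software can also name these tools.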