Additional Insights and Analysis by Bren Matthew Ebriega, Shawn Moreño, and William Gamazo Sanchez
We analyzed samples related to a new Twin Flower campaign, which are detected as PUA.Win32.BoxMini.A, Trojan.JS.TWINFLOWER.A, and TrojanSpy.JS.TWINFLOWER.A. The "Twin Flower" campaign (a rough translation of its Chinese name) was first detected by Jinshan security researchers back in 2018, in a report published in Chinese. The files are believed to be downloaded unknowingly by users visiting malicious sites, or dropped onto the system by other malware.
The potentially unwanted application (PUA) PUA.Win32.BoxMini.A files are either a component of, or the main executable of, a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:
- %System%\cmd.exe /c "%User Temp%\RarSFX0\start.bat"
- %User Temp%\RarSFX0\{malware name}
The application connects to different links to retrieve MP3 file details, download MP3 files, and retrieve related images, and saves them in the user’s My Music folder. It also communicates with other potentially malicious URLs besides the ones used for MP3-related downloading.
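The two process entries above give a defender a concrete hunting pattern: cmd.exe launched with /c against a start.bat inside a WinRAR self-extractor directory (%User Temp%\RarSFX0), followed by an executable running from that same directory. The following is an added example, not code from the original write-up: it runs two such rules over a handful of constructed Sysmon-style process-creation records. The record layout (ParentImage|Image|CommandLine) and the expanded Windows paths standing in for the page's %System% and %User Temp% placeholders are assumptions made for the example.

```python
"""Added example: flag process-creation events that match the BoxMini SFX
dropper pattern (cmd.exe /c "<User Temp>\RarSFX0\start.bat" and binaries run
from the RarSFX temp directory). The log records below are constructed for
the example; the pipe-separated field layout is a hypothetical simplification
of Sysmon Event ID 1 (ParentImage|Image|CommandLine)."""
import re

SAMPLE_EVENTS = [
    # constructed: the dropper's batch launch described on the page
    r'C:\Users\alice\Downloads\setup.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\Users\alice\AppData\Local\Temp\RarSFX0\start.bat"',
    # constructed: benign cmd.exe use
    r'C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir',
    # constructed: a binary executed from the SFX temp directory ({malware name} on the page)
    r'C:\Users\alice\AppData\Local\Temp\RarSFX0\setup.exe|C:\Users\alice\AppData\Local\Temp\RarSFX0\music.exe|"C:\Users\alice\AppData\Local\Temp\RarSFX0\music.exe"',
    # constructed: an archiver run from Program Files, should not fire
    r'C:\Windows\explorer.exe|C:\Program Files\7-Zip\7zG.exe|"C:\Program Files\7-Zip\7zG.exe" x archive.zip',
]

# WinRAR self-extracting archives unpack into %TEMP%\RarSFX<n>; the page shows RarSFX0,
# so the rules accept any index rather than only 0.
SFX_DIR = re.compile(r'\\AppData\\Local\\Temp\\RarSFX\d+\\', re.IGNORECASE)
CMD_BAT = re.compile(r'cmd\.exe\s+/c\s+"?[^"]*\\RarSFX\d+\\start\.bat', re.IGNORECASE)


def parse_event(line):
    """Split one constructed record into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(event):
    """Return the names of the rules that fire for one parsed event."""
    hits = []
    if CMD_BAT.search(event["cmdline"]):
        hits.append("sfx_start_bat")        # cmd.exe /c "...\RarSFX<n>\start.bat"
    if SFX_DIR.search(event["image"]):
        hits.append("exec_from_sfx_temp")   # image launched out of the SFX temp directory
    return hits


def scan(lines):
    """Return (image, rule hits) for every record that triggers at least one rule."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results.append((event["image"], hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The second rule is deliberately broader than the first: any legitimate WinRAR SFX installer will also unpack into RarSFX<n>, so on its own it is a triage signal rather than a verdict, while cmd.exe spawning start.bat from that directory is the specific behaviour the page documents.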
The malicious files, Trojan.JS.TWINFLOWER.A and TrojanSpy.JS.TWINFLOWER.A, try to connect to URLs that generate simulated clicks toward certain video websites. This inflates the sites' network traffic, which in turn boosts their search engine rankings and the advertising revenue earned from mainstream video sites. Beyond this, the malicious files could do further damage, since the malware can download code and inject it into the affected system.
Trojan.JS.TWINFLOWER.A connects to a URL and downloads a file, which is renamed when stored. It also connects to other URLs to boost those sites' page views. Before doing so it checks for the following processes, most of which are traffic inspection, analysis, and debugging tools, and skips its download routine if any of them is running on the affected system:
- chkencap.exe
- dbg.exe
- fiddler.exe
- HipsDaemon
- hookme.exe
- httpanalyze
- networktrafficview.exe
- sniff.exe
- softice.exe
- tcpmon
- windgb.exe
- wireshark.exe
- wsockexpert
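The practical consequence of this check is that a sandbox running Wireshark or Fiddler on the analysis host will never observe the download, so the list above doubles as a checklist for naming and isolating analysis tooling. The following is an added example, not the malware's own code: it emulates the check against constructed process snapshots so an operator can see which tool names would suppress the routine. The blocklist is copied verbatim from the page; the matching rule (case-insensitive comparison of the image name with the .exe suffix ignored, because entries such as HipsDaemon and tcpmon carry no extension) is an assumption about the script's logic, not something the page states.

```python
"""Added example: emulate Trojan.JS.TWINFLOWER.A's anti-analysis process check.
The names come from the page; the matching semantics (case-insensitive, .exe
suffix ignored) are an assumption for the example. Process snapshots below are
constructed, not captured from a real host."""

ANALYSIS_PROCESSES = [
    "chkencap.exe", "dbg.exe", "fiddler.exe", "HipsDaemon", "hookme.exe",
    "httpanalyze", "networktrafficview.exe", "sniff.exe", "softice.exe",
    "tcpmon", "windgb.exe", "wireshark.exe", "wsockexpert",
]


def _stem(name):
    """Normalise an image name: lower-case and strip a trailing .exe."""
    name = name.lower()
    return name[:-4] if name.endswith(".exe") else name


_BLOCKED = {_stem(n) for n in ANALYSIS_PROCESSES}


def detected_tools(running):
    """Return the running image names (sorted) that appear on the blocklist."""
    return sorted(r for r in running if _stem(r) in _BLOCKED)


def would_download(running):
    """True if the malware would proceed with its download routine, i.e. no tool matched."""
    return not detected_tools(running)


# Constructed snapshots of a hypothetical sandbox's process list.
CLEAN_HOST = ["explorer.exe", "svchost.exe", "wscript.exe", "chrome.exe"]
ANALYST_HOST = ["explorer.exe", "Wireshark.exe", "Fiddler.exe", "wscript.exe"]
HIPS_HOST = ["explorer.exe", "HipsDaemon.exe", "wscript.exe"]

if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_HOST), ("analyst", ANALYST_HOST), ("hips", HIPS_HOST)):
        print(f"{label}: download={would_download(snapshot)} matched={detected_tools(snapshot)}")
```

Two details worth noting. The list as published reads "windgb.exe", not "windbg.exe"; if the script really compares against that string, a debugger running under its usual name would not be detected by this particular check, which is why the example's would_download(["windbg.exe"]) returns True. Conversely, the check keys on the process name alone, so renaming the analysis tool's binary is enough to make the sample proceed in a sandbox.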
TrojanSpy.JS.TWINFLOWER.A steals data by gathering browser cookie information associated with over 70 URLs, including popular websites covering entertainment, health, technology, research, and other topics. The majority of the websites are Chinese. After gathering the data, it sends the stolen information to a URL. The malware also connects to URLs to inflate the network traffic of those sites.
Defense Against Malicious Attacks
Malicious sites that offer downloads such as installers and other files are notorious sources of malware. Although most users know that downloads should come from official websites, cybercriminals make fake sites harder to spot by closely copying the look of legitimate sites and baiting users with current events such as the Coronavirus (COVID-19) global outbreak.
Besides maintaining vigilance against malicious campaigns, employing solutions that offer multilayered security ensures that all bases are covered against threats.
Indicators of Compromise