“Twin Flower” Campaign Jacks Up Network Traffic, Downloads Files, Steals Data

Additional Insights and Analysis by Bren Matthew Ebriega, Shawn Moreño, and William Gamazo Sanchez

We analyzed samples related to a new Twin Flower campaign, which are detected as PUA.Win32.BoxMini.A, Trojan.JS.TWINFLOWER.A, and TrojanSpy.JS.TWINFLOWER.A. The "Twin flower" campaign (rough translation from Chinese) has been first detected by Jinshan security researchers back in 2018 in a report published in Chinese. The files are believed to be downloaded unknowingly by users when visiting malicious sites or dropped into the system by another malware. 

The potentially unwanted application (PUA) PUA.Win32.BoxMini.A files are either a component or the main executable itself of a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:

  • %System%\cmd.exe /c "%User Temp%\RarSFX0\start.bat"
  • %User Temp%\RarSFX0\{malware name}
The application connects to different links to retrieve MP3 file details, download MP3 files, and retrieve related images, and saves them in the user’s My Music folder. It also communicates with other potentially malicious URLs besides the ones used for MP3-related downloading.

The malicious files, Trojan.JS.TWINFLOWER.A and TrojanSpy.JS.TWINFLOWER.A, try to connect to URLs that are related to increasing simulated clicks towards certain video websites. This is done to jack up the sites’ network traffic, thus boosting search engine rankings and advertising revenue from mainstream video sites. Besides these, the malicious files could potentially do more damage since the malware can download code and inject it into systems.

Trojan.JS.TWINFLOWER.A connects to a URL and downloads a file that will then be renamed when stored. It also connects to other URLs and boosts these sites’ page views. It checks for the presence of the following processes, and will not perform its download routine if any of the processes, which are mostly for traffic inspection, analysis, and debugging, are detected running in the affected system:
  • chkencap.exe
  • dbg.exe
  • fiddler.exe
  • HipsDaemon
  • hookme.exe
  • httpanalyze
  • networktrafficview.exe
  • sniff.exe
  • softice.exe
  • tcpmon
  • windgb.exe
  • wireshark.exe
  • wsockexpert
TrojanSpy.JS.TWINFLOWER.A steals data as it gathers browser cookie information associated with over 70 URLs, including some popular websites on entertainment, health, technology, research, and other topics. The majority of the websites are in Chinese. After gathering the data, it sends the stolen information to a URL. The malware also connects to URLs and hikes the network traffic for these sites.

Defense Against Malicious Attacks

Malicious sites that offer downloads such as installers and other files are notorious sources of malware. Although most users know that downloads should be done on official websites, cybercriminals make it trickier to spot fake ones by closely copying the facade of legitimate sites and baiting users with current events such as the Coronavirus (COVID-19) global outbreak

Besides maintaining vigilance against malicious campaigns, employing solutions that offer multilayered security ensures that all bases are protected from threats.

Indicators of Compromise 

SHA-256 Trend Micro Pattern Detection
076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479 PUA.Win32.BoxMini.A
3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95 PUA.Win32.BoxMini.A
ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626 PUA.Win32.BoxMini.A
83991f45954c0fa063bd946ef3ec298563d24db08616620af9980e3bbeae7b31 Trojan.JS.TWINFLOWER.A
01671d8a04b832523b9c7c6feda22179ce197860cd37b9e6cf2ae12cae1bb49b TrojanSpy.JS.TWINFLOWER.A

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.