Threat Analysis Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/threat-analysis/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last built Thu, 04 Apr 2024 00:06:03 +0000.

Hellminer.exe Coin Miner
https://gridinsoft.com/blogs/hellminer-exe-malware-analysis/
Published Fri, 22 Mar 2024 15:51:29 +0000

The post Hellminer.exe Coin Miner appeared first on Gridinsoft Blog.

Hellminer.exe is a process you may see in the Task Manager that indicates malicious software activity. It stands out by the high CPU load it creates, making the system much less responsive. Let’s figure out what this process is and how to get rid of it.

Hellminer malware has the potential to attack a wide range of devices, from IoT to server clusters. The final goal of its activity is bringing profit to its masters by using your hardware. Ignoring the activity of this malicious program may lead to premature hardware failure and overall performance deterioration.

Modern malware samples often come in packs, meaning that one thing may signify the presence of several others. Do not hesitate with removal: scan your device with GridinSoft Anti-Malware and remove all the threats in one click. 👉🏼 Get your system cleaned up.

What is the Hellminer.exe process?

This is a process associated with a malicious coin miner. Such malware aims at exploiting the system’s hardware to mine cryptocurrencies, mainly DarkCoin and Monero. To maximize profits, the hackers behind this malware build huge networks of infected computers. Hellminer takes up to 80% of CPU power in order to get substantial mining performance, making the system sluggish and uncomfortable to use.

[Image: Hellminer.exe process in Task Manager]

Malicious miners like this one typically get into user systems through malvertising on the Web or with the use of dropper malware. Both spreading methods, though, are commonly used by other malware as well, which means there is a risk that Hellminer is not the only infection running in the system.

This malware appears to be different from other miners, as it is not based on XMRig, a popular open-source mining software. Instead, it appears to be written in Python, and is likely a private development. Let’s check out other interesting stuff I’ve found during the analysis.

Hellminer Malware Analysis

It is not completely clear how Hellminer gets into the system; I suspect it is not much different from how malware miners typically spread – via dropper malware and malvertising. After the launch, the malware begins with a series of anti-VM and anti-debug checks.

[Image: Hellminer execution chain]

Using calls to WMI, it gets information about the CPU, trying to find any signs of virtualization. The reason I don’t think it is just immediate info gathering is that the very next step is listing the services and processes: Hellminer specifically seeks traces of the VMware virtualization environment. After these checks, the main payload is unfolded. The malware may as well use the info collected at this stage to configure the mining process or as a part of the system fingerprint.

wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list

Fingerprinting starts with another call to WMIC, wmic os get Version. The malware attempts to receive quite a basic, if not scarce, set of data – just the info about the operating system. After that, the malware gains persistence through another command and a series of changes in the Windows registry.

%windir%\System32\svchost.exe -k WerSvcGroup – starting the Windows Error Reporting service to make it run the malware. This increases the level of privileges the malicious program has, while also providing it with a disguise.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security – changing network security policies.

The final round of persistence involves another call to WMI, specifically to its Adaptation Service. Hellminer forces it to recursively launch the payload, ensuring continuous execution. This specific command is also a part of resource allocation for the mining process.

wmiadap.exe /F /T /R
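The execution chain above (the two wmic fingerprinting calls, the WerSvcGroup service host, the registry keys and the wmiadap relaunch) can be turned into a process-tree detection over endpoint telemetry. The following Python is an added example written for this page, not code from Gridinsoft or from the analysis; the event shape, the two-step threshold, the time window and the sample PIDs are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Execution chain quoted in the analysis above, as command-line patterns for
# process-creation events. Each pattern is an assumption tailored to the exact
# commands shown on the page; production rules would be tuned against a
# baseline of legitimate wmic usage.
HELLMINER_CHAIN = [
    ("cpu_fingerprint", re.compile(r"^wmic\s+cpu\s+get\s+.*Manufacturer", re.I)),
    ("os_fingerprint", re.compile(r"^wmic\s+os\s+get\s+Version", re.I)),
    ("wer_persistence", re.compile(r"svchost\.exe\s+-k\s+WerSvcGroup", re.I)),
    ("adap_relaunch", re.compile(r"wmiadap\.exe\s+/F\s+/T\s+/R", re.I)),
]

# Registry paths the sample touches (from the analysis), compared case-insensitively.
HELLMINER_REG_KEYS = {
    r"hkey_current_user\software\microsoft\internet explorer\main\featurecontrol"
    r"\feature_use_ietldlist_for_domain_determination",
    r"hkey_current_user\software\microsoft\internet explorer\security",
}


@dataclass
class Event:
    """One process-creation or registry-write event (Sysmon-like, constructed)."""
    ts: int              # seconds since start of the capture
    pid: int             # process that was created / that wrote the value
    ppid: int            # its parent
    image: str
    cmdline: str = ""    # process-creation events only
    reg_key: str = ""    # registry-write events only


@dataclass
class Verdict:
    root_pid: int
    matched_steps: list = field(default_factory=list)
    reg_hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen here (an assumption): two or more chain steps from
        # one parent. A lone "wmic os get Version" is common in inventory scripts.
        return len(self.matched_steps) >= 2


def detect_hellminer(events, window=60):
    """Attribute child command lines to their parent and registry writes to the
    writer itself, then look for chain steps within `window` seconds."""
    by_root = {}
    for ev in sorted(events, key=lambda e: e.ts):
        root = ev.pid if ev.reg_key else ev.ppid
        by_root.setdefault(root, []).append(ev)

    verdicts = []
    for root, evs in by_root.items():
        v = Verdict(root_pid=root)
        first_ts = None
        pending = list(HELLMINER_CHAIN)
        for ev in evs:
            if ev.reg_key and ev.reg_key.lower() in HELLMINER_REG_KEYS:
                v.reg_hits.append(ev.reg_key)
                continue
            for name, pat in pending:
                if pat.search(ev.cmdline):
                    first_ts = ev.ts if first_ts is None else first_ts
                    if ev.ts - first_ts <= window:
                        v.matched_steps.append(name)
                        pending.remove((name, pat))
                    break
        if v.matched_steps or v.reg_hits:
            verdicts.append(v)
    return verdicts


# Constructed sample: one Hellminer-like parent (pid 4120) and an unrelated
# inventory script (parent 4800) that issues a single wmic call.
SAMPLE_EVENTS = [
    Event(100, 4120, 3988, "Hellminer.exe", cmdline="Hellminer.exe"),
    Event(101, 4132, 4120, "wmic.exe", cmdline="wmic cpu get Name,CurrentClockSpeed,"
          "L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list"),
    Event(103, 4140, 4120, "wmic.exe", cmdline="wmic os get Version"),
    Event(104, 4150, 4120, "svchost.exe", cmdline=r"%windir%\System32\svchost.exe -k WerSvcGroup"),
    Event(105, 4120, 3988, "Hellminer.exe",
          reg_key=r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security"),
    Event(106, 4160, 4120, "wmiadap.exe", cmdline="wmiadap.exe /F /T /R"),
    Event(200, 5000, 4800, "wmic.exe", cmdline="wmic os get Version"),
]

if __name__ == "__main__":
    for v in detect_hellminer(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "info"
        print(f"[{flag}] parent pid {v.root_pid}: steps={v.matched_steps} registry={v.reg_hits}")
```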

Command Server Connectivity

Same as other malware miners, Hellminer does not have any extensive C2 communication. After finishing the steps above, it sends a blob of system information to the command server, effectively notifying it of the readiness. The C2 returns a configuration file, which specifies the mining pool and the IP address to connect to.

Still, there is one thing that catches the eye – the form of the command servers used by this malware. They do not look like the C2 of a classic model; instead, they form a peer-to-peer one. In such a network, the role of command server is given to one of the infected computers. The “real” server sporadically communicates with it, retrieving information about the new devices and assigning the next system to get the C2 role. This drastically increases the resilience of the network, making it particularly hard to disrupt by taking down a command server.

During the analysis, I’ve detected these command servers:

  • 20.99.184.37:443
  • 20.99.186.246:443
  • 23.216.147.64:443
  • 192.229.211.108:80
  • 20.99.133.109:443

Hellminer.exe Removal Guide

Removing Hellminer malware requires scanning with anti-malware software. Such threats typically duplicate themselves to numerous folders across the system, with each copy acting as a backup. GridinSoft Anti-Malware will remove the malicious miner and all its copies in a matter of minutes. Launch a Full Scan and let it finish – this will make sure your system is as good as new.

Miner malware activity always correlates with cryptocurrency prices. At the moment, they are on the rise, meaning that more and more fraudsters will opt for this malware. The typical way of spreading malicious miners is malvertising, particularly in search engines. Avoiding it requires user attention: such pages typically mimic legitimate sites that spread freeware, but always have a different, mangled URL.

WingsOfGod.dll – WogRAT Malware Analysis & Removal
https://gridinsoft.com/blogs/wograt-wingsofgod-analysis-removal/
Published Fri, 08 Mar 2024 17:17:12 +0000

The post WingsOfGod.dll – WogRAT Malware Analysis & Removal appeared first on Gridinsoft Blog.

WogRAT, also known as WingsOfGod RAT, is a new remote access trojan that attacks users from Asian countries. Named after its own file – Wingsofgod.dll – this malware has been attacking people since late 2022, spreading through an online notepad service.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic example of a remote access trojan, a backdoor-like malicious program that focuses on providing remote access to the infected system. ASEC researchers were the first to detect and track the malware campaign. They additionally emphasize that this malicious program primarily targets Asian countries – China, Japan, Singapore and Hong Kong in the first place.

The strange thing about WogRAT is that its spreading campaigns were not detected, even though some of the methods were explained in the original research. The malware (more specifically, its loader) is disguised as a file posted on an online notepad service. Its file names suggest that the fraudsters offer WogRAT as a system/program tweaking utility of some sort. This, in turn, suggests that the initial spreading of the malware happens in “closed” places, like chats in messengers or the like.

[Image: Encoded strings stored in aNotepad]

Names for malware loader files that are available from aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As I said, the original download from the aNotepad site gets only the malware loader in encoded form. Upon execution, it compiles itself on the fly and requests the actual payload from a different page hosted on the same site. Depending on the attack, the source for the second-stage payload may differ.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP – the command used by the loader to compile itself

The downloaded file is a similar .NET assembly, encoded with Base64 and present as a text string on the source website. The loader decodes the payload and loads it into memory using the process hollowing technique.

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068

Upon startup, WogRAT collects basic system information by checking different registry keys and executing commands. In particular, it gathers info about network connections, the system version, the username and some of the system policies. The malware bundles this data with the info about its own process and sends it to the command server in an HTTP POST request. After that, the malware switches to idle, waiting for commands.

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT expects to receive a rather interesting set of commands and properties. The simplified formula consists of 3 elements, and looks like this:

  • task_id=%id% – text value, corresponds to the task
  • task_type=%type% – numeric value, corresponds to the action
  • task_data=%data% – path to the file that the task should be applied to (URL for downloads)

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

This malware supports 5 different types of operations: running specific files, downloading or uploading files, altering the idle time, and terminating the execution. Not a huge list at first glance, but in combination with different task types this gives full-fledged backdoor functionality.
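The check-in body and the task triple described above have a fixed shape, which makes them easy to pick out of captured HTTP POST traffic. The following Python is an added example, not WogRAT's code or ASEC's; the bid regular expression and the reading of its 13-digit suffix as a millisecond Unix timestamp are assumptions made here, and the two decoy bodies are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qsl

# Field names are WogRAT's own (quoted in the analysis above). The bid pattern
# is an assumption generalised from the single observed value.
BEACON_KEYS = {"act", "bid", "name"}
TASK_KEYS = {"task_id", "task_type", "task_data"}
BID_RE = re.compile(r"^(\d+)-(\d{13})$")


def parse_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body into a dict.
    keep_blank_values so that an empty task_data still yields its key."""
    return dict(parse_qsl(body, keep_blank_values=True))


def classify(body: str) -> Optional[dict]:
    """Return a structured verdict for a WogRAT-shaped POST body, or None."""
    fields = parse_body(body)
    keys = set(fields)

    # Check-in: act=on&bid=<id>-<13 digits>&name=<host>\<user>
    if keys == BEACON_KEYS and fields["act"] == "on":
        m = BID_RE.match(fields["bid"])
        if not m:
            return None
        # Assumption (analyst inference, not stated on the page): the 13-digit
        # suffix is a Unix epoch in milliseconds, e.g. when the bot first ran.
        first_seen = datetime.fromtimestamp(int(m.group(2)) / 1000, tz=timezone.utc)
        host, _, user = fields["name"].partition("\\")
        return {"kind": "beacon", "bot_id": m.group(1), "first_seen": first_seen,
                "host": host, "user": user}

    # Task: task_id=<text>&task_type=<int>&task_data=<path or URL>
    if keys == TASK_KEYS and fields["task_type"].isdigit():
        data = fields["task_data"]
        return {"kind": "task", "task_id": fields["task_id"],
                # the page lists 5 operations but not their numbering, so the
                # type is reported as a number rather than named
                "task_type": int(fields["task_type"]),
                "task_data": data,
                "data_is_url": data.lower().startswith(("http://", "https://"))}
    return None


def scan_bodies(bodies):
    """Run classify() over captured POST bodies; return only the hits."""
    return [(b, v) for b in bodies for v in [classify(b)] if v is not None]


# Constructed capture: the two bodies quoted on the page plus two decoys.
SAMPLE_BODIES = [
    r"act=on&bid=4844-1708721090438&name=System1\User1",
    r"task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts",
    "username=alice&password=hunter2",          # ordinary login form
    "act=on&bid=not-a-bid&name=x",              # right keys, wrong bid shape
]

if __name__ == "__main__":
    for body, verdict in scan_bodies(SAMPLE_BODIES):
        print(f"{verdict['kind']:6s} <- {body}")
        if verdict["kind"] == "beacon":
            print(f"       bot {verdict['bot_id']} on {verdict['host']} as {verdict['user']}, "
                  f"bid timestamp {verdict['first_seen']:%Y-%m-%d %H:%M:%S} UTC")
```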

How to remove WogRAT?

WogRAT is not the stealthiest malware out there; it is in fact more reliant on the tricky spreading method and the two-stage loader. Still, the number of hooks it creates in the system makes it particularly hard to remove manually. For that reason, I recommend using GridinSoft Anti-Malware: a full scan with that program will be enough to repel the RAT and all of its parts across the system.

PUABundler:Win32/CandyOpen Analysis & Removal Guide
https://gridinsoft.com/blogs/puabundler-win32-candyopen/
Published Thu, 11 Jan 2024 11:39:58 +0000

The post PUABundler:Win32/CandyOpen Analysis & Removal Guide appeared first on Gridinsoft Blog.

PUABundler:Win32/CandyOpen is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, the detection points at a thing known as OpenCandy adware, which is known for its indecent behavior. Let’s break it down and see what PUABundler/CandyOpen does, using a real-world example.

What is PUABundler:Win32/CandyOpen?

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles with unwanted programs. It was developed back in the late 2000s as a way to monetize free applications by adding some advertised content along with the main installation. But as the overall functionality of the app allowed for more extensive and intrusive changes, bad actors began misusing it.

The way this misuse was happening made the major cybersecurity vendors consider OpenCandy a malicious program. It is capable of changing browser settings by itself, and the additional programs it usually installs can inject unwanted ads into pages, modify the web browser even more, and do similar dirty things. So having one running on your system means a browser full of ads, pop-up advertisements flooding both the system and the browser, and unwanted programs getting installed. Not to mention the potential data stealing that Win32/CandyOpen is capable of – read on to see the details.

To sum up, a PUABundler:Win32/CandyOpen detection means malware that delivers unwanted programs and is capable of messing up your system on its own. But to have a more detailed look and a better understanding of this thing, let’s analyze it by running it on a virtual machine.

CandyOpen Malware Analysis

Finding the appropriate CandyOpen sample was rather easy. To be clear, it does not behave like a straightforward malware on the surface. You can find it in the list of installed apps; there is even an option to disable additional installations in the menu. But the actions it does to the system once it is launched are quite unambiguous.

[Image: PUABundler:Win32/CandyOpen in the list of installed programs – “Installer”, an unremarkable name for a remarkable unwanted program]

Once you allow the thing to run under admin privileges, all further actions it takes are done without your confirmation. You will helplessly watch various shortcuts appear on your desktop and your browser go mad with pop-ups and redirects. As soon as CandyOpen runs in the system, it starts by changing the browser properties, particularly the search engine and start page. Then, it requests the list of unwanted programs to install from the command server and proceeds with the installation.

[Image: Unwanted apps installed by CandyOpen]

Here goes the main concern: while CandyOpen usually installs junk apps which are not outright malicious, nothing stops it from installing malware. Still, the sheer volume of troubles it already brings to your system is enough to say that this should not run in your system.

List of PUABundler:Win32/CandyOpen actions:

  • Stops Windows Update
  • Disables User Account Control (UAC)
  • Injects into other processes on your system
  • Adds a local proxy
  • Modifies boot configuration data
  • Modifies file associations
  • Tracks, records and reports the infected user’s internet browsing activity
  • Modifies the system DNS settings
  • Changes the infected user’s browser homepage and tampers with their preferences/settings
  • Installs unwanted/unknown browser toolbars and plug-ins/extensions/add-ons
  • Adds files that run at startup
  • Changes the default search provider
  • Displays unwanted advertisements
  • Changes the desktop background

That is the comprehensive collection of CandyOpen actions, things done by the majority of widespread samples. The particular sample you may encounter can have only a part of these functions or even go beyond them. Con artists who use it for monetization can alter CandyOpen in many ways, so it better fits their purposes.

How to remove PUABundler:Win32/CandyOpen?

Removing Win32/CandyOpen is possible manually, but I’d recommend using anti-malware software. This will speed up the process and make it much easier for you. Also, with manual removal it is nearly impossible to find and remove all the unwanted or malicious programs present in the system.

GridinSoft Anti-Malware is a program that will remove PUABundler:Win32/CandyOpen without breaking a sweat. It will also find and remove all the additional junk CandyOpen can bring. And overall, this program is a solid addition to your system’s security.

PUABundler:Win32/PiriformBundler
https://gridinsoft.com/blogs/puabundler-win32-piriformbundler/
Published Fri, 29 Dec 2023 12:31:16 +0000

The post PUABundler:Win32/PiriformBundler appeared first on Gridinsoft Blog.

PUABundler:Win32/PiriformBundler is the detection of an unwanted program, developed and issued by Piriform Software. While applications from this developer aren’t inherently malicious, the bundled software they carry and their questionable behavior make them less than desirable.

What is PUABundler:Win32/PiriformBundler?

PiriformBundler is a detection name for unwanted software developed by Piriform. Microsoft assigns such names to denote a group of malware or unwanted software with common traits. Other malware with similar naming conventions may share functionality or code solutions, while those labeled PiriformBundler share the same developer.

But why are they unwanted? Major cybersecurity vendors, along with Microsoft, classify software bundles as unwanted. Piriform used to monetize their free versions by adding other software to installations, meeting the criteria of bundled software.

Aside from that, Piriform software is not particularly effective. While it performs positive actions in the system, its overall effectiveness often falls short, bordering on a placebo effect.

Threat Summary

  • Threat Name: PUABundler:Win32/PiriformBundler
  • Threat Type: Unwanted Program
  • Effects: Piriform program appears on your PC, possibly together with other unknown programs
  • Danger: Unwanted program installation, low efficiency of the actual software
  • Mitigation: Removal with GridinSoft Anti-Malware or just manual removal

To get a clearer understanding of what PUA:Win32/PiriformBundler is, let’s analyze one of the apps detected as PiriformBundler and see what exactly makes it so unpleasant.

PUABundler:Win32/PiriformBundler Analysis

Finding a sample for this analysis is straightforward – any program from the Piriform website will suffice. I chose Defraggler for this analysis, a disk defragmentation utility available in both free and paid versions.

Despite its appearance as a defragmentation tool, the program’s effectiveness is questionable. After two consecutive defrags, it reported about 9% defragmentation, revealing an objective lack of effectiveness.

[Image: PUABundler:Win32/PiriformBundler interface]

Subsequent analysis demonstrates that the program, while identifying fragmented files, takes no action to address them. This lack of effectiveness raises concerns about its overall utility.

Is PiriformBundler Dangerous?

As indicated by the analysis, it is not as dangerous as malware. While not inherently harmful, Piriform software’s lack of effectiveness makes it less desirable. It is most likely safe to have such programs on your PC. But if you never installed them, or suspect that one appeared without your consent, run a scan with GridinSoft Anti-Malware. This program will uncover malicious programs that may potentially be present in the system.

How to protect against PiriformBundler and unwanted programs?

It is not that easy to understand whether a program is legitimate or not. The notification from Microsoft Defender is mostly informational – as you can see, even being marked as PUA does not mean the program is dangerous to use. Still, some such apps may be rather dangerous to run, due to their malignant nature or just poor design.

By using only reliable and well-reviewed sources, you can weed out the majority of unwanted programs. Forum advice or an advertisement on a shady website are not ideal places for finding benign and effective software. If you expect a program to solve your problems, take your time and read user testimonials first. The Internet remembers everything, so it will not be possible to hide the truth if you’re persistent enough.

Have reliable anti-malware software running in the system. This will not only protect your system from malware intrusion but also help you understand whether the detected unwanted program is dangerous or not. Using GridinSoft Anti-Malware, you will also be protected from the newest threats and online fraud, thanks to its advanced scanning capabilities.

Trojan:Script/Wacatac.B!ml
https://gridinsoft.com/blogs/trojanwin32-wacatac/
Published Thu, 21 Dec 2023 13:54:09 +0000

The post Trojan:Script/Wacatac.B!ml appeared first on Gridinsoft Blog.

Trojan Wacatac is an umbrella detection for a wide range of malicious software that shares functionality and code. In particular, the Wacatac name points to malware with dropper capabilities that is used to deliver ransomware.

Trojan Wacatac Detection

Trojan:Script/Wacatac.B!ml and Trojan:Win32/Wacatac.B!ml are two of the numerous detection names that Microsoft assigns to minor malware families. A lot of similar-yet-different malicious software received this name because of the use of the same code solutions and similar functionality. Microsoft’s name often becomes a common noun for all similar malware.

When it comes to functionality, Wacatac is mostly spyware or stealer malware. Some of the sub-specimens may be distinctive for using Discord, Telegram, or Mastodon as data exfiltration channels. To get a clearer understanding of what malware under the Wacatac name looks like, let’s analyze a sample detected as Wacatac.

Trojan:Script/Wacatac.B!ml Overview

For the analysis of a real-world Wacatac trojan example, I’ve opted for Trap Stealer. Microsoft detects it as Trojan:Script/Wacatac.B!ml (see more info on VirusTotal). The Python-based malware sample is pretty unique – it is an open-source stealer with the source code published on GitHub. Its builder features extensive functionality; in particular, it offers to create a disguise out of the box. But let’s have a closer look.

On the GitHub repository that contains the source code of the malware, its devs show most of the functionality. It corresponds to the abilities of a classic stealer: the malware gathers info from WhatsApp, steals cookies and the contents of the clipboard and AutoFill, scrapes passwords, and can capture screenshots. On top of that, Trap Stealer boasts the ability to wreak mischief on the host system.

[Image: Extensive list of functions that the malware boasts of]

Detection Evasion Methods

I’d pay additional attention to how this malware disguises itself. As I said, the builder offers not only to specify a Discord webhook as a relay server, but also to establish a “shell” that will make the user launch the malware deliberately. Currently, there are two options for this shell – a fake Discord webhook creation tool and a pseudo-Discord Nitro generator. Malware masters may choose one while building the sample, or choose none at all.

These methods, though, are meant to evade user suspicion. Against anti-malware software, and especially malware analysis environments, the malware has several dedicated tricks up its sleeve.

Upon execution, this malware performs a series of checks that ensure that the system is not running a debug environment, is located outside the banned countries, and is not a virtual machine. If one of the checks returns an unacceptable result, any further execution is terminated.

  • check_dll – scans the list of loaded DLLs, searching for ones related to virtualization software
  • check_IP – compares the system IP to the embedded blacklist of countries
  • check_registry – scans the Windows registry for specific entries related to VMware programs
  • check_windows – enumerates open windows and checks whether any of them belong to reverse engineering/debugging tools

Establishing Persistence

Once all the aforementioned checks are done, Wacatac makes itself persistent in the attacked environment. It creates a randomly named copy of itself in a randomly named directory under the user’s AppData or LocalAppData folder. Then, the malware adds a corresponding value to the Run entry of the system registry. This ensures the malware starts up with the system.

These steps may be accompanied by more, if additional actions were specified in the process of sample building. For instance, malware can hook up to the Discord startup, or establish persistence using the user startup folder instead of the registry key.

Data Gathering

The malware proceeds to its normal activity after establishing persistence. The first thing to do is to collect all the data about the system – it gathers quite a long list of it. Interestingly enough, the malware sends the log with this info to the command server almost instantly. This contrasts with the typical way of doing things, where the stealer grabs everything it can reach and only then sends it to the C2.

System Info:
  • Username
  • IP Address
  • Country
  • Postal code
  • Region
  • City
  • Longitude/Latitude

Malware Instance Info:
  • Node Name
  • Release
  • Version
  • Machine
  • Home Directory

Software & Hardware Info:
  • OS Name
  • System Activation Key
  • PC Name
  • CPU Model
  • GPU Model
  • Installed Antivirus

This extensive list of system data is then accompanied by collected passwords and cookies. For stealing passwords, the malware particularly aims at web browser files. There, it seeks the specific files that programs use to keep the info. Aside from files that can contain credentials, Wacatac also collects all the cookies it can find. All the stuff is then kept in specific files in the AppData\Local\Temp directory, under names that start with the “wp” prefix.

This Wacatac instance particularly goes for browsing history. Since the way it is handled is more or less unified for most of the browsers, malware targets quite a few of them. Here is the list:

  • Safari
  • Firefox
  • Chrome
  • Opera
  • Edge
  • Opera GX
  • Internet Explorer

Stealing Discord Tokens

The Wacatac sample we are reviewing pays significant attention to Discord, though this is not unique among stealers. Moreover, the method it uses to extract the session tokens is more or less the same for all malware samples. Let’s dive into it.

To get Discord tokens from web browsers, the malware seeks LevelDB files (.ldb). This is a database format used by Chromium-based browsers to store auth tokens, keys, and the like. As there are quite a few popular browsers that derive from the Chromium core, the malware tries to target them all.

[Image: LevelDB files stored in the Chrome folder]

For the sake of clarity, it is worth noting that non-Chromium browsers are not invulnerable to such manipulations. By using database calls, malware can easily extract the info it needs, or even everything all at once. The fact that a browser keeps the data differently means just the need for a couple more lines in malware code.

Aside from crawling through the browser files, the malware also tries to grab the same Discord session tokens from the app’s directory. As there are a few different clients out there, the malware tries targeting them all by scanning for corresponding folders in the AppData\Roaming directory.

Stealing Data of Crypto Wallets & Gaming Apps

Another typical area of interest for Win32/Wacatac is crypto wallets, both as extensions and desktop apps, and gaming applications. It particularly aims at the Metamask, Atomic, Exodus, and NationsGlory crypto wallets. However, stealing from other wallets is just a question of proper configuration, so they may appear in the future. All the collected data is compressed into a .zip archive and sent to the C2.

For gaming apps, malware particularly aims at Steam and Riot Client. Malware seeks for their folders in AppData\Local and then creates a zipped copy of their directories.

Exfiltration & C&C Connections

Once Wacatac finishes the extraction, it keeps idling, waiting for new data to steal. Upon every startup, it goes through all the scans I’ve mentioned above, trying to find new stuff to steal. However, a malware master can order it to self-destruct when it finishes the data collection, or even force a system crash at that moment. All this is done to hide the traces of malware activity.

[Image: Data that has been sent to the Discord webhook by the malware]
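The behaviours described in this post leave a correlatable trail in endpoint telemetry: a copy dropped under AppData that is then referenced from the Run key, the wp-prefixed staging files in AppData\Local\Temp, and outbound connections to a Discord webhook. The following Python is an added example, not the stealer's code or Gridinsoft's; the event schema, file paths, PIDs and webhook id/token are constructed placeholders, and the Run key path is the standard per-user autostart key rather than something quoted on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns for the behaviours described above. The Run key path is the
# standard per-user autostart key (not quoted on the page); the wp prefix and
# the AppData drop location come from the analysis; discord.com/api/webhooks is
# Discord's documented webhook endpoint.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_DROP_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\.*\.exe$", re.I)
TEMP_WP_RE = re.compile(r"\\AppData\\Local\\Temp\\wp[^\\]*$", re.I)
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)


@dataclass
class Event:
    """One endpoint telemetry record (Sysmon-like, constructed for this example)."""
    ts: int
    pid: int
    kind: str       # "file" (create), "reg" (value set) or "net" (outbound URL)
    target: str     # file path, registry value path, or URL
    data: str = ""  # registry value data for "reg" events


def analyse(events):
    """Collect the three behaviours per process and return the findings."""
    state = defaultdict(lambda: {"dropped": set(), "run_values": [],
                                 "staging": [], "webhooks": []})
    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.pid]
        if ev.kind == "file":
            if TEMP_WP_RE.search(ev.target):
                st["staging"].append(ev.target)
            elif APPDATA_DROP_RE.search(ev.target):
                st["dropped"].add(ev.target.lower())
        elif ev.kind == "reg" and RUN_KEY_RE.search(ev.target):
            st["run_values"].append((ev.target, ev.data))
        elif ev.kind == "net" and WEBHOOK_RE.match(ev.target):
            st["webhooks"].append(ev.target)

    findings = {}
    for pid, st in state.items():
        # Persistence = a Run value whose data is a file this same process dropped.
        persisted = [data for _, data in st["run_values"]
                     if data.strip('"').lower() in st["dropped"]]
        findings[pid] = {"persistence": persisted,
                         "staging_files": st["staging"],
                         "webhook_exfil": st["webhooks"]}
    return findings


def flagged_pids(events):
    """Flag on self-persistence, or on wp* staging combined with webhook egress."""
    return sorted(pid for pid, f in analyse(events).items()
                  if f["persistence"] or (f["staging_files"] and f["webhook_exfil"]))


# Constructed telemetry: pid 7340 behaves like the stealer; 2200 is an installer
# that registers a Run value for a different binary; 3100 is a CI bot that only
# posts to a webhook. Paths, names and the webhook id/token are placeholders.
SAMPLE_EVENTS = [
    Event(10, 7340, "file", r"C:\Users\victim\AppData\Roaming\qzxk1m\svcupd.exe"),
    Event(11, 7340, "reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qzxk1m",
          data=r'"C:\Users\victim\AppData\Roaming\qzxk1m\svcupd.exe"'),
    Event(12, 7340, "file", r"C:\Users\victim\AppData\Local\Temp\wpcookies"),
    Event(13, 7340, "file", r"C:\Users\victim\AppData\Local\Temp\wppasswords"),
    Event(14, 7340, "net", "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"),
    Event(20, 2200, "file", r"C:\Users\victim\AppData\Local\Programs\Editor\editor.exe"),
    Event(21, 2200, "reg", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          data=r"C:\Program Files\Vendor\tray.exe"),
    Event(30, 3100, "net", "https://discord.com/api/webhooks/111111111111111111/PLACEHOLDER_TOKEN"),
]

if __name__ == "__main__":
    flagged = flagged_pids(SAMPLE_EVENTS)
    for pid, f in analyse(SAMPLE_EVENTS).items():
        mark = "FLAG" if pid in flagged else "ok"
        print(f"[{mark}] pid {pid}: persistence={f['persistence']} "
              f"staging={len(f['staging_files'])} webhooks={len(f['webhook_exfil'])}")
```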

Protecting Against Trojan:Win32/Wacatac

Stealer malware, such as Wacatac, is often easily detectable by well-designed antivirus programs. An antivirus program equipped with heuristic detection systems and AI assistance can readily identify and remove this threat. GridinSoft Anti-Malware, in particular, is a reliable choice for this task. It can remove the malware and ensure your PC remains safeguarded for an extended period.

At the same time, due to the reasons I mentioned earlier, this virus heavily depends on user errors. Non-existent items like Discord Nitro key generators prey exclusively on users’ belief that such a thing is possible. More legitimate tools, such as network engineering utilities, should be thoroughly checked before use. Even seemingly legitimate emails may carry malicious links or attachments. By addressing these weak spots, the likelihood of malware infection can be significantly reduced.
