Trojan:Win32/Vigorf.A

Trojan:Win32/Vigorf.A Malware Description
Trojan:Win32/Vigorf.A is able to infiltrate the computer system, install additional malware and remain undetected by antivirus programs.

Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies a running loader malware that may deal significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.

What is Trojan:Win32/Vigorf.A?

Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name refers to a whole range of malicious programs, rather than one specific family. The goal of Vigorf.A is unauthorized system access and further malware distribution. As my detailed analysis has shown, Trojan:Win32/Vigorf.A uses various methods to bypass antivirus programs and operating system protection.

Trojan:Win32/Vigorf.A detection

Usually, this malware downloads or installs other malicious programs on the computer. It drops its files and modifies system settings and other configuration files to gain persistence. Additionally, it connects to remote servers to send collected information and download additional malicious programs.

Is Trojan:Win32/Vigorf.A False Positive?

False positives with the Vigorf.A name are not a common occurrence. There are only a few cases discussed online, and all of them are related to software that borders on malicious behavior.

User complaints about false positive detection

The most common case here is game modifiers or patches. Such tools modify game memory or files to unlock features and can be misidentified as Trojan:Win32/Vigorf.A because of their ability to intrude into other programs’ memory. Similar tools and scripts used by software developers can be misidentified as malicious. Even though such software may be safe and legitimate, it is important to treat it with care.

Vigorf.A Trojan Analysis

Studying the behavior of Trojan:Win32/Vigorf.A sample on an infected system showed me how elaborate these threats can be. Not only does the Trojan collect personal user data, but it also modifies system settings, creating additional vulnerabilities and opening the door for other malware.

Methods of Distribution

Trojan:Win32/Vigorf.A is often spread via spam e-mail campaigns containing malicious attachments or links. Once the user opens the attachment or clicks on the link, the Trojan is installed on their computer, either directly or through the loading script. Despite being used for malware spreading for years now, email spam remains a particularly potent and effective spreading option.

Email spamming example

Malvertising is another tricky method that has been used to spread Trojan:Win32/Vigorf.A, as far as my research goes. This malware's distributors abuse ad networks to display malicious ads in search engine results. Such ads redirect users to malicious duplicates of familiar sites or directly download malware onto their devices.

Fake LibreOffice ad that tries to mimic the original site’s URL

In addition, Vigorf.A is often hidden in packages containing illegal or pirated software. When a user downloads and installs such a program, the trojan is installed along with it. Such software is often offered for free, which makes it attractive, but it ends up costing more because of the damage the trojan causes.

Launch, Gaining Persistence and Data Collection

After launching in the system, Trojan:Win32/Vigorf.A adds itself to autorun by taking advantage of the Startup folder. This allows it to start automatically every time the system starts. In my case, I found a strange shortcut adxjcv4.lnk, which turned out to be associated with the trojan.

%APPDATA%\microsoft\windows\start menu\programs\startup\adxjcv4.lnk

Alternatively, Vigorf.A may use the DLL hijacking technique. This happens particularly often when malware arrives with the loader, which unpacks the sample and handles the launch. The way to run the malware is nothing unusual – a PowerShell command that runs the malware DLL through the call to rundll32.exe.

rundll32.exe %windir%\system32\advpack.dll

After the launch, the malware checks the system location by its IP address and switches to collecting system data. This gives Vigorf.A the ability to distinguish that particular system from others. It can also be used for more targeted attacks, or to gather a rather exhaustive set of victims’ system information for later analysis. In particular, the malware checks the values under the following keys to get information about programs present on the PC:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
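To show what the UserAssist keys above actually expose (and therefore what a reader of them learns), here is an added example that is not part of the original article: a decoder for one UserAssist entry. It assumes the Windows 7-and-later 72-byte value layout; the sample entry is constructed, not taken from an infected system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Value names under ...\UserAssist\{GUID}\Count are ROT13-encoded program
# paths. In the Windows 7+ layout assumed here the 72-byte value data holds
# the run count at offset 4 and the last-execution FILETIME at offset 60.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one registry entry into program path, run count and last run time."""
    if len(data) < 68:
        raise ValueError("unexpected UserAssist data length")
    run_count = struct.unpack_from("<I", data, 4)[0]
    filetime = struct.unpack_from("<Q", data, 60)[0]  # 100 ns ticks since 1601
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return {"program": codecs.decode(value_name, "rot13"),
            "run_count": run_count, "last_run": last_run}

def make_entry(program: str, run_count: int, last_run: datetime) -> tuple:
    """Build a constructed entry in registry form (demo data only, not real)."""
    data = bytearray(72)
    struct.pack_into("<I", data, 4, run_count)
    td = last_run - FILETIME_EPOCH
    ticks = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    struct.pack_into("<Q", data, 60, ticks)
    return codecs.encode(program, "rot13"), bytes(data)

# Constructed sample entry: a fictional program run 7 times.
SAMPLE_NAME, SAMPLE_DATA = make_entry(r"C:\Program Files\ExampleApp\example.exe", 7,
                                      datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_NAME, SAMPLE_DATA))
```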

By checking the following keys, Trojan:Win32/Vigorf.A learns about the devices and networks to which the computer connects and can identify the most vulnerable points for further attacks. This information helps malware masters deploy malware in a more targeted manner and extract extra profit from other systems on the same network.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect

C2 Communications and Malware Delivery

After collecting all this data, Vigorf encrypts it and sends it to the command server using an HTTP POST request. The list of command servers was predefined in the samples I’ve worked with, but this may differ in other cases. The server, in turn, responds with a blob of data that instructs the malware on further actions. For dropper malware, payload delivery is obviously one of the most probable instructions it can receive.

To instruct the dropper to deliver malware, the C2 sends the URLs from which Vigorf should download it. The dropper then sends HTTP GET requests to the following URLs:

http[:]//185.117.75.198/fiscal/1
http[:]//194.163.43.166/08/st/m.zip

Files downloaded from these addresses were disguised as ordinary documents or incomplete files, making them difficult to detect and analyze. Once Vigorf finishes downloading the malware, it uses system utilities such as wuapp.exe to launch it.

"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"
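The Startup-folder shortcut, the PowerShell-to-rundll32 launch of advpack.dll and the wuapp.exe launch of a ProgramData config are the three launch indicators this article gives. The following triage helper, an added example rather than anything from the article or its author, runs those three checks over constructed Sysmon-style ProcessCreate/FileCreate records; the event field names and every sample event are assumptions made for the demo.

```python
import re
from typing import Optional

# Shortcut written under the per-user Startup folder (Vigorf.A persistence).
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)

def flag_event(ev: dict) -> Optional[str]:
    """Return the name of the matching indicator, or None if nothing matched."""
    cmd = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if ev["Type"] == "FileCreate":
        # A .lnk dropped into Startup by anything other than explorer.exe is a
        # triage signal, not proof: legitimate installers do this too.
        if STARTUP_LNK.search(ev["TargetFilename"]) and not image.endswith("\\explorer.exe"):
            return "startup-lnk"
        return None
    # rundll32 loading advpack.dll with PowerShell as the parent process.
    if image.endswith("\\rundll32.exe") and "advpack.dll" in cmd and parent.endswith("\\powershell.exe"):
        return "rundll32-advpack-from-powershell"
    # wuapp.exe handed a -c config that lives under ProgramData.
    if image.endswith("\\wuapp.exe") and " -c " in cmd and "\\programdata\\" in cmd:
        return "wuapp-programdata-config"
    return None

def triage(events: list) -> list:
    """Run every event through flag_event and keep (rule, detail) pairs for the hits."""
    hits = []
    for ev in events:
        rule = flag_event(ev)
        if rule:
            hits.append((rule, ev.get("CommandLine") or ev.get("TargetFilename")))
    return hits

SAMPLE_EVENTS = [  # constructed for this example, not captured from a real host
    {"Type": "FileCreate", "Image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adxjcv4.lnk"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe %windir%\system32\advpack.dll",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\wuapp.exe",
     "CommandLine": r'"C:\Windows\System32\wuapp.exe" -c "C:\ProgramData\sHrhJDaCBu\cfg"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\rundll32.exe",  # benign-looking
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```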

How to Remove Trojan:Win32/Vigorf.A?

To remove Trojan:Win32/Vigorf.A, I recommend using GridinSoft Anti-Malware. It will detect and remove Vigorf.A, as well as find other malicious programs downloaded by it. This Anti-Malware can also work with Windows Defender to create an additional line of defense.


It is important to run a Full Scan and remove all detected threats. I would also recommend keeping the system and all programs updated to the latest versions to eliminate vulnerabilities that malware can exploit.

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
