This campaign modules are as follows:
- Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
- Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
- Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
- Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
- Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
- Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The campaign remains active. It is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it.
Reference hashes:
4f49a01e02e8c47d84480f6fb92700aa091133c894821fff83c7502c7af136d9
dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47
