Doctor Web examines password-stealing Trojan

Discussion in 'Dr Web' started by omidomi, Apr 26, 2017.

  1. omidomi

    Official Website:
    https://news.drweb.com/show/?i=11264&lng=en&c=9
    Doctor Web specialists have examined Trojan.DownLoader23.60762, which steals logins and passwords from popular browsers and downloads dangerous files.

    Most modern Trojans execute either only one function or several simultaneously with one function dominating. Multi-purpose malicious programs are quite rare. Trojan.DownLoader23.60762 is one of them. It poses a threat to Windows devices. This malware downloads other applications onto the machines it infects, steals logins and passwords from browsers, and intercepts data entered on the pages of various websites.

    Once launched on an attacked computer, Trojan.DownLoader23.60762 unpacks its own body and searches for fragments of malicious code in the memory of its process for further execution. Trojan.DownLoader23.60762 saves a copy of the executed file in a temporary folder on the disk of the infected device. It then records the path to this file in the system registry key responsible for automatically starting applications. As a result, the Trojan is launched along with the operating system.

    A representative of a banking Trojan family designed to steal private information and money from user bank accounts. In browsers, it intercepts the functions responsible for working with the network. This allows the malicious program to extract saved logins and passwords from browsers and send them to cybercriminals, and to intercept data entered by users on website pages.

    The Trojan connects with a command and control server to receive such commands as:

    • Launch a file from the temporary folder on the disk of the infected computer;
    • Self-inject into a running process;
    • Delete the specified file;
    • Launch the specified executable file;
    • Save the SQLite database used by Google Chrome and send it to the cybercriminals;
    • Change the command and control server to the one specified;
    • Delete cookies;
    • Restart the operating system;
    • Turn off the computer.

    The signature for Trojan.DownLoader23.60762 is already in the Dr.Web database; therefore, this malicious program poses no threat to our users.
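    A defender-side check for the persistence step the article describes (a copy dropped in a temp folder, its path written to the autorun Run key). This is an added example, not Doctor Web's code; the registry path, the temp-folder markers and the sample entries are assumptions constructed for the demonstration.

```python
"""Flag autorun (Run key) entries whose program lives in a temp folder,
the persistence pattern described for Trojan.DownLoader23.60762."""
TEMP_MARKERS = ("%temp%", "%tmp%", "\\temp\\", "\\tmp\\")  # assumed temp markers
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_ENTRIES = [  # constructed sample entries: (hive, value name, command line)
    ("HKCU", "OneDrive", r'"C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "svchost", r"C:\Users\ann\AppData\Local\Temp\svchost.exe"),
    ("HKLM", "Updater", r'"C:\Windows\Temp\updater.exe" -q'),
    ("HKLM", "Audio", r"C:\Program Files\Realtek\Audio\RtkNGUI64.exe -s"),
    ("HKCU", "Loader", r'"%TEMP%\ld.exe"'),
]

def executable_path(command: str) -> str:
    """Program part of a Run-key command line: a quoted path keeps its
    spaces, an unquoted one is cut at the first space (as Windows does)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def is_temp_autorun(command: str) -> bool:
    """True when the autorun target sits under a temp directory."""
    path = executable_path(command).lower()
    return any(marker in path for marker in TEMP_MARKERS)

def find_temp_autoruns(entries):
    """Filter (hive, name, command) tuples down to the suspicious ones."""
    return [e for e in entries if is_temp_autorun(e[2])]

def scan_live_run_keys():
    """Read the real HKCU/HKLM Run keys (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for index in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, index)
                    if isinstance(value, str):
                        entries.append((label, name, value))
        except OSError:
            continue  # key missing or access denied
    return find_temp_autoruns(entries)
```

    A hit only means the autorun target is in a temp location, which legitimate software rarely does; confirm by inspecting the file before removing the entry.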
     
  2. Winter Soldier

    Good share @omidomi :)
    This is the main reason why I wouldn't want to test malware samples using Shadow Defender.
    SD virtualizes the current Windows session and all the files and data it contains.
    If you're testing malware like this, if not detected, it could steal login passwords and data, according to the article.
    The best thing would be always to use a VM, or at least you can encrypt, when possible, the sensitive data before any malware test using SD.
     