Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT

silversurfer

Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote trojan tools like Remcos RAT.

"Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis. "Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components."

The exact initial access vector used in the campaign is unclear but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package.

The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MP3 file ("Idea.mp3") to load an image file ("Fruit.png") to activate the multi-stage infection.

"This image file uses the steganography method to hide two executables (.dll libraries) and the shellcode for the next-stage initialization inside it," Doctor Web said.

Fruity is also designed to bypass antivirus detection on the compromised host and ultimately launch the Remcos RAT payload using a technique called process doppelgänging.
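The article says the "Fruit.png" image carries two DLLs and shellcode via steganography, but it does not say how they are embedded. A defender triaging such a sample usually starts with the cheap structural checks: does the PNG end where its IEND chunk says it ends, does it carry private chunks that a normal encoder would never write, do all chunk CRCs match, and does a PE header or the DOS stub string appear anywhere in the bytes. The script below is an added example written for this post, not code from the article or from Doctor Web; it builds its own constructed 1x1 PNG (CLEAN_PNG) and a constructed tampered copy (TAMPERED_PNG, with a fake "pAyL" chunk holding a stub PE header and 32 bytes appended after IEND), then runs those checks. Chunk names come from the PNG specification and the common eXIf/APNG extensions.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types from the PNG spec plus the common eXIf and APNG extensions;
# anything else is a private or unknown chunk that deserves a second look.
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}
DOS_STUB = b"This program cannot be run in DOS mode"


def parse_png_chunks(data: bytes):
    """Walk the chunk list; return (chunks, bytes found after IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk at offset {pos}")
        expected_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        chunks.append({
            "type": ctype.decode("latin-1"),
            "offset": pos,
            "length": length,
            "crc_ok": struct.unpack(">I", crc_bytes)[0] == expected_crc,
        })
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def check_png(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    if not chunks or chunks[-1]["type"] != "IEND":
        findings.append("file does not end with an IEND chunk")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    for c in chunks:
        if c["type"] not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {c['type']} "
                            f"({c['length']} bytes) at offset {c['offset']}")
        if not c["crc_ok"]:
            findings.append(f"CRC mismatch on {c['type']} chunk at offset {c['offset']}")
    if DOS_STUB in data:
        findings.append("PE DOS stub string present in image data")
    # "MZ" alone is noisy; only report it when e_lfanew points at "PE\0\0".
    for m in re.finditer(b"MZ", data):
        start = m.start()
        if start + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]
        if data[start + e_lfanew:start + e_lfanew + 4] == b"PE\x00\x00":
            findings.append(f"embedded PE header at offset {start}")
    return findings


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG for testing; not derived from any real sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + extra
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailing)


# Constructed stub: MZ header whose e_lfanew (offset 0x3C) points at "PE\0\0".
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + DOS_STUB
CLEAN_PNG = build_sample_png()
TAMPERED_PNG = build_sample_png(extra=_chunk(b"pAyL", FAKE_PE), trailing=b"\x90" * 32)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(name, check_png(blob) or "no findings")
```

These checks catch appended or chunk-carried payloads, which is the lazy end of image steganography. A payload hidden in the pixel data itself (LSB encoding, for instance) passes all of them, so a clean result here is a reason to move on to entropy analysis or sandbox execution, not a verdict.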
 

cartaphilus

The use of steganography to hide an infectious executable within a picture of a fruit is a complex and sophisticated technique. If only that mental power could be used for the betterment of humanity, imagine what we could accomplish as a collective!

And of all the vendors it was Dr. Web who detected it!??? I think of Dr. Web in the same terms as Dr. Nick from The Simpsons.
 

Xeno1234

cartaphilus said:
The use of steganography to hide an infectious executable within a picture of a fruit is a complex and sophisticated technique. If only that mental power could be used for the betterment of humanity, imagine what we could accomplish as a collective!

And of all the vendors it was Dr. Web who detected it!??? I think of Dr. Web in the same terms as Dr. Nick from The Simpsons.

If Dr Web got it, there's a high chance Kaspersky nags about it in at least some way.
 
