A new multi-functional malware family detected as Proteus can transform the computers of infected users in proxy servers, can mine for various types of crypto-currencies, can log keystrokes, and check the validity of stolen online accounts.
Detected by security researchers from Fortinet, this new malware family is written in .NET and current evidence reveals that crooks are using the Andromeda malware/botnet to drop Proteus on victims' computers.
While not as complex and widespread as Andromeda, Proteus shares features with this ancient botnet, because it also uses a central command & control (C&C) server to control the malware's actions on infected bots.
Also similarly to Andromeda, Proteus can download modules and even other malware in later stages, to diversify its attack arsenal.
Proteus is a multi-faceted threat
Currently, Fortinet researchers have spotted the Andromeda botnet drop and execute a file named chrome.exe on infected machines. This installs the Proteus malware, which immediately starts an encrypted communication channel with its C&C server.
The Proteus malware current version number is 2.0.0, and it can perform the following actions:
Besides Fortinet, the new Proteus family has been spotted by AVG malware analyst Jiří Kropáč, who shared a VirusTotal scan on Twitter. The VT scan showed a detection rate of 4/44 at the time it was shared publicly.
Full article with in-depth analysis : New Proteus Malware Can Mine for Crypto-Currency, Log Keystrokes, and More
Detected by security researchers from Fortinet, this new malware family is written in .NET and current evidence reveals that crooks are using the Andromeda malware/botnet to drop Proteus on victims' computers.
While not as complex and widespread as Andromeda, Proteus shares features with this ancient botnet, because it also uses a central command & control (C&C) server to control the malware's actions on infected bots.
Also similarly to Andromeda, Proteus can download modules and even other malware in later stages, to diversify its attack arsenal.
Proteus is a multi-faceted threat
Currently, Fortinet researchers have spotted the Andromeda botnet drop and execute a file named chrome.exe on infected machines. This installs the Proteus malware, which immediately starts an encrypted communication channel with its C&C server.
The Proteus malware current version number is 2.0.0, and it can perform the following actions:
- Creates a socket and set up port forwarding in order to relay malicious traffic through the infected machine, which now acts like a SOCKS proxy.
- Deploy the following crypto-currency miners: SHA256 miner, CPUMiner, and ZCashMiner. These tools can be used to mine for crypto-currencies such as Bitcoin, Litecoin, Zcash, and others, using the local PC's GPU or CPU.
- Check if passwords still work on stolen user accounts for services like Amazon, eBay, Spotify, Netflix, and some German (.de) domains, and then extract profile information from working accounts.
- Set up a keylogger.
- Download and execute an executable on request.
Besides Fortinet, the new Proteus family has been spotted by AVG malware analyst Jiří Kropáč, who shared a VirusTotal scan on Twitter. The VT scan showed a detection rate of 4/44 at the time it was shared publicly.
Full article with in-depth analysis : New Proteus Malware Can Mine for Crypto-Currency, Log Keystrokes, and More
