With such a massive install base, it’s no surprise that the occasional Trojan makes its way through Windows defenses to target users. As noted by Softpedia, however, a new, info-stealing Windows Trojan has emerged, and this one is after enterprise data.
Targeting files specific to the corporate environment, the malware looks to grab everything from passwords to financial data and then send this data to a command-and-control (C&C) server. Even more worrisome, while 34 out of 55 antivirus programs could detect the new attack, none of them properly identified the threat.
Here’s a look at the latest malware to saddle up and chase corporate secrets.
Windows Trojan Swipes Enterprise Data
While there’s not much data on the distribution method of these attacks, it looks like at least some cybercriminals are using a file named Aug_1st_jave.exe to spread their new code. According to BleepingComputer, which first identified the new Windows Trojan, once installed, the malware adds a registry entry so that it runs at startup and then compromises a running process, such as Google Chrome.
Next, it starts scanning victim PCs and sends back data including the computer name, username, Windows version, installed service pack details and the list of programs found in specific registry keys. Once a solid C&C connection is established, the Trojan looks for certain file extensions.
Data is then sent back to the C&C server. In many cases, companies aren’t aware that any intellectual property has gone missing, let alone that it is being sold on the Dark Web for cash. While the BleepingComputer team tracked down a compromised website hosting a hidden iframe and prompted it to clean up its domain, the original C&C server is still up and running.
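The startup persistence described above is something a defender can check for directly. The following triage script is an added example, not code from the article or from BleepingComputer: it parses the output of a Windows `reg query` against a Run key (the sample output below is constructed, not captured from a real machine) and flags entries whose executable matches the file name the article reports or runs from a user-writable directory. The "user-writable" rule is a weak signal on its own, so each finding lists its reasons rather than a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not captured from a real host). Only the file name Aug_1st_jave.exe comes
# from the article; every path and value name here is made up for illustration.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\Aug_1st_jave.exe
    VMware      REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

KNOWN_BAD_NAMES = {"aug_1st_jave.exe"}  # file name reported in the article
# Directories an unprivileged user can write to; legitimate software (e.g. OneDrive)
# also starts from AppData, so this rule only marks an entry for review.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

@dataclass
class RunEntry:
    name: str      # value name in the Run key
    command: str   # full command line as stored
    exe_path: str  # executable extracted from the command line

def parse_reg_query(text):
    """Parse `reg query` output lines of the form: <name> REG_SZ <data>."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if not m:
            continue  # key header, blank line, or unrelated output
        name, command = m.group(1), m.group(2).strip()
        # Quoted commands: the executable is the quoted token; otherwise the first token.
        if command.startswith('"'):
            exe = command[1:command.find('"', 1)]
        else:
            exe = command.split()[0]
        entries.append(RunEntry(name, command, exe))
    return entries

def triage(entries):
    """Return {value name: [reasons]} for every entry that deserves a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        lower = e.exe_path.lower()
        if lower.rsplit("\\", 1)[-1] in KNOWN_BAD_NAMES:
            reasons.append("matches reported file name")
        if any(d in lower for d in USER_WRITABLE):
            reasons.append("runs from user-writable directory")
        if reasons:
            findings[e.name] = reasons
    return findings
```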
Trojan Triple Threat
This isn’t the only Trojan threat to hit Windows users in recent weeks. As noted by The Next Web, a piece of malware supposedly created by cybercriminals calling themselves PeggleCrew has been making the rounds. Surprisingly, the source is app download site FossHub, which prides itself on “no adware, no spyware, no bundles, no malware.”
The new code acts like a circa-1990 virus by overwriting the victim PC’s master boot record. An attacker claiming to be from PeggleCrew said FossHub left a network service open and unauthenticated, allowing them access.
The boot Trojan isn’t hard to fix with a Windows recovery CD. Still, it’s clear that Windows Trojans remain a real problem.
Defender Does Double Duty
The problem is so real, in fact, that the Windows Defender tool has been busy detecting Trojan threats other antivirus programs apparently can’t see, according to Windows Report.
A number of users have reported up to 10 Trojan warnings per day. These users said that Defender isn’t actually removing the threats and occasionally asks them to reboot their computers; even after a full clean, the warning cycle starts again.
There’s no word from Microsoft on the issue, but a clean install is recommended. The behavior seems suspiciously like a legitimate service that’s been compromised by an outside actor.
Minor threats are par for the course, but more sophisticated attack vectors are on the rise as cybercriminals recognize the value of infiltrating corporate networks and exfiltrating critical data. They’re no longer horsing around with personal PC compromise; expect a run on enterprise entries and data disruptions.