This article discusses a sophisticated Trojan targeting Windows systems, masquerading as a Firefox module. It employs multi-stage attacks, keylogging, and stealthy techniques such as process injection and dynamic shellcode execution. The Trojan’s ultimate goal is to exfiltrate sensitive data while maintaining persistence on the infected system. Affected: Windows environment
Keypoints :
- The Trojan disguises itself as a Firefox module.
- It alters key system processes like cmd.exe and MsBuild.exe.
- A keylogger is injected into MsBuild.exe to capture keystrokes.
- Malicious DLL files are added to the startup folder for persistence.
- It employs dynamic injection and anti-analysis techniques to evade detection.
- The unique hash for the malware is identified for analysis.
- Data is exfiltrated through a command and control (C2) server.
MITRE Techniques :
- Process Injection (T1055) – The Trojan injects code into cmd.exe and MsBuild.exe to perform its operations.
- Keylogging (T1056) – The keylogger records keystrokes and saves them to %temp% for exfiltration.
- File and Directory Permissions Modification (T1216) – The malware modifies the startup folder with malicious links.
Indicator of Compromise :
- [Hash] 75BEF67BB34E8856088FC708F916D1DB39DA3682D28DBF0C491208F9E0E1B96E
- [Hash] B76FA44855B0BDB110C5B1C22B1594AB7FF6AE1872A45BEE6C336A2919D513EC
- [Hash] 96bf7154057a2d8747d17e265f11e35677059c505ea67939352a00973995bf12
- [Domain] Dinamic-Tigo-191–92–96–62.tigo.com.co
- [File Path] C:UsersshaddyAppDataLocalTempLog.tmp