A backdoor is a computer program that allows an attacker to gain unauthorised remote access to a victim's machine, often without the victim's knowledge. The attacker typically uses another attack (such as a trojan, worm or virus) to bypass authentication mechanisms, usually over an unsecured network such as the Internet, to install the backdoor application. A backdoor can also be a side effect of a software bug in legitimate software that an attacker exploits to gain access to a victim's computer or network.
Trojan horses are generally spread by some form of social engineering, for example, where a user is duped into executing an email attachment disguised to look harmless (e.g., a routine form to be filled in), or by drive-by download. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller (phoning home) which can then have unauthorized access to the affected computer, potentially installing additional software such as a keylogger to steal confidential information, cryptomining software or adware to generate revenue for the operator of the trojan. While Trojan horses and backdoors are not easily detectable by themselves, computers may appear to run slower, or emit more heat or fan noise due to heavy processor or network usage, as may occur when cryptomining software is installed. Cryptominers may limit resource usage and/or only run during idle times in an attempt to evade detection.
SpyHunter is a comprehensive anti-malware solution designed to provide online protection and security against ransomware, viruses, trojans and other threats, while still offering a user-friendly interface to bring added simplicity to your digital life.
Kapil Kulkarni is a Security Consultant at Aujas Networks and a freelance writer. Kapil is a security pentester with over 3 years' experience in the field; he is an Offensive Security Certified Professional and a Certified Ethical Hacker (EC-Council). He is also a bug-bounty hunter and has an interest in threat hunting. In the past he has worked on IoT, SCADA and PLC projects as well as application and network security projects. His blog at teampwners can be found here: and he can be reached at email@example.com and on LinkedIn here at -kulkarni-oscp-ceh-5a333763/
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Understanding the purpose of malware simply by searching anti-virus writeups can sometimes be a daunting task. Often, we see trojans which have painfully little information about their functionality other than "backdoor", or "keylogger", or "proxy". In many cases, widely varying trojans are given similar, non-descriptive names like "Trojan.Agent.abc", further adding to the murky view we have of just what modern malware is up to.
Sometimes, when we shine a light on a particular piece of malware, we find some interesting things that would otherwise go unnoticed. One such piece of malware is the trojan sometimes called "Troj/SpamThru", among other names.
Note that the current incarnation is not called SpamThru by any vendor who detects it in the above scan result from VirusTotal, however, by correlating behavior with previous writeups, it is apparent that it is the same trojan. Given that SpamThru is the most descriptive and unique name assigned to it, we have chosen to call it that in this writeup as well. Overall, detection by AV vendors is sparse, but that's to be expected given that SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code.
Although many trojans and viruses are turning to rootkits to hide their activities on a system, SpamThru uses little more than a few registry keys to keep its hold on the system. It uses the classic HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in order to launch at startup, but also tries to start from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler and SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad just in case the Run key is removed.
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we've also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.
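A small audit of the hosts-file tampering just described, added here as an example and not part of the SecureWorks writeup: it parses a hosts file and flags every hostname that is mapped to a loopback or 0.0.0.0 sinkhole address yet is not one of the names a stock hosts file legitimately maps there. The sample file contents and the AV update hostnames in it are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered %sysdir%\drivers\etc\hosts file: the
# legitimate loopback entries are followed by lines that sinkhole AV update
# hosts (placeholder names, not real vendor domains) to 127.0.0.1 / 0.0.0.0.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   updates.example-av.test   downloads.example-av.test  # added by malware
0.0.0.0     liveupdate.another-av.test
192.168.1.10    intranet.corp.test
"""

# Hostnames that a stock hosts file legitimately maps to a loopback address.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each non-comment hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def is_sinkhole_address(ip_str):
    """True for addresses that silently swallow traffic: loopback or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False          # malformed address; not our concern here
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_hosts(text):
    """Return [(line_number, hostname, ip)] for names redirected to a sinkhole
    address that are not the normal loopback names."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if not is_sinkhole_address(ip):
            continue
        for name in names:
            if name.lower() not in LEGIT_LOOPBACK_NAMES:
                findings.append((lineno, name, ip))
    return findings


if __name__ == "__main__":
    for lineno, name, ip in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```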
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
In this case, the GIF comprises most of the message, with the remainder being hash-busters that are mostly invisible to the client. Below is what an email sent by the SpamThru trojan would look like to an Outlook user (assuming it wasn't caught in the junk email folder):
alert tcp any any -> any any (msg:"SpamThru trojan peer exchange"; flow:established,to_server; content:"01hs5p0000"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000553; rev:1;)
alert tcp any 25 -> any any (msg:"SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000554; rev:1;)
alert tcp any any -> any any (msg:"SpamThru trojan update request"; flow:established,to_server; content:"01hs5p0001"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000555; rev:1;)
alert tcp any any -> any any (msg:"SpamThru trojan AV DLL request"; flow:established,to_server; content:"01hs5p0007"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000556; rev:1;)
alert tcp any any -> any any (msg:"SpamThru trojan spam template request"; flow:established,to_server; content:"01hs5p0004"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000557; rev:1;)
alert tcp any any -> any any (msg:"SpamThru trojan spam run report"; flow:established,to_server; content:"01hs5p0005"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000558; rev:1;)
alert tcp any any -> any any (msg:"SpamThru trojan AV scan report"; flow:established,to_server; content:"01hs5p0008"; depth:10; classtype:trojan-activity; reference:url,www.secureworks.com/research/spamthru; sid:1000559; rev:1;)
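An added Python evaluator (not part of the SecureWorks writeup) for the content, depth and dsize options the rules above rely on, useful for checking what a rule will and will not fire on before loading it into a sensor. The two embedded rules are abridged copies of the peer-exchange and SMTP-test rules (references dropped, depth set equal to the content length, which Snort requires); the payloads fed to it are constructed, not captured traffic, and the flow direction option is deliberately not evaluated.

```python
# Minimal Snort rule parser and payload matcher for content/depth/dsize.
# Rules below are abridged copies of the SpamThru rules in the writeup.
PEER_EXCHANGE_RULE = ('alert tcp any any -> any any (msg:"SpamThru trojan peer exchange"; '
                      'flow:established,to_server; content:"01hs5p0000"; depth:10; '
                      'classtype:trojan-activity; sid:1000553; rev:1;)')
SMTP_TEST_RULE = ('alert tcp any 25 -> any any (msg:"SpamThru trojan SMTP test successful"; '
                  'flow:established,to_client; dsize:6; content:"XSMTPX"; '
                  'classtype:trojan-activity; sid:1000554; rev:1;)')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dict."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    for opt in body.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:
            opts[key] = value.strip().strip('"')
    content = opts["content"]
    depth = int(opts.get("depth", 0))
    if depth and depth < len(content):
        # Snort refuses to load such a rule: the pattern can never fit in the window.
        raise ValueError(f"depth {depth} is less than content length {len(content)}")
    return {"action": action, "proto": proto, "sport": sport, "dport": dport, "opts": opts}


def payload_matches(rule, payload):
    """Apply the dsize, depth and content checks to one TCP payload (bytes)."""
    opts = rule["opts"]
    if "dsize" in opts and len(payload) != int(opts["dsize"]):
        return False                      # dsize:N means exactly N payload bytes
    content = opts["content"].encode()
    depth = int(opts.get("depth", 0)) or len(payload)
    return content in payload[:depth]     # depth bounds the search window


def classify(payload, rules):
    """Return the msg of the first rule that matches the payload, or None."""
    for rule in rules:
        if payload_matches(rule, payload):
            return rule["opts"]["msg"]
    return None


if __name__ == "__main__":
    rules = [parse_rule(PEER_EXCHANGE_RULE), parse_rule(SMTP_TEST_RULE)]
    print(classify(b"01hs5p0000" + b"\x00" * 20, rules))   # constructed peer-exchange request
    print(classify(b"XSMTPX", rules))                         # constructed SMTP test reply
```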
Once you have your license key, deploy Blue Hexagon in standalone mode by launching the CloudFormation stack below. To deploy Blue Hexagon in high-availability mode, contact a Blue Hexagon representative to get the template.
Blue Hexagon instantly convicts both files as ransomware and trojan respectively. In addition to the classification, Blue Hexagon provides concrete network Indicators of Compromise (IoCs) as well as AI-predicted IoCs that are mapped to MITRE ATT&CK TTPs. These can be found by clicking on any threat in the threats view shown below.
Emotet is an infamous banking trojan that serves as a delivery vehicle for other malware. Hackers are constantly evolving Emotet to bypass traditional defenses, with new variants using PDFs containing links to weaponized Word documents.
Loaris Trojan Remover is a powerful software to remove malware on a PC. This software will scan, detect, and remove trojans and other malicious programs from your PC. Besides, it has a function to recover the system after a malware attack. You are able to reset your browser settings in one click, which is essential after an adware or browser hijacker attack.
QBot, also known as Qakbot, is a malware that has been present on the threat landscape since 2007. QBot originally featured information stealing and trojan functionalities; however, the malicious actors that develop QBot have since extended the malware with malware loading capabilities. In recent attack campaigns, malicious actors distribute QBot through malicious attachments in phishing emails. QBot downloads and executes additional malware on compromised machines, such as the Cobalt Strike framework, and ransomware, such as REvil and ProLock.
The main functionality of the second-stage IcedID DLL was to locate and process the license.dat file. license.dat contained encrypted content that implemented the IcedID malware. The second-stage IcedID DLL decrypted the content of license.dat and executed the IcedID malware by injecting the malware into a legitimate Windows process, such as chrome.exe:
Eli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry since 2017. In his free time, he publishes articles about malwar