Doctor Web: new downloader Trojans operate on the sly

16:19 - 9.03.2018


Doctor Web virus analysts have examined some Trojans belonging to a known Trojan.LoadMoney malware family. These Trojans can download other dangerous applications on infected computers.

The Trojan.LoadMoney malware family has been well known since 2013, and new representatives of this family appear regularly. One of these Trojans is Trojan.LoadMoney.3209. It contains two Internet addresses, which are used to download and launch other malware. At the time of the research, the Trojan downloaded an identically encrypted file from both addresses and saved it in a temporary folder under a random name. This file was also loaded onto the memory after it was deleted and again saved in a temporary folder, also under a random name. Finally, this executable file was read into memory and then launched. The original file was deleted.

One of the files that Trojan.LoadMoney.3209 downloads is detected as Trojan.LoadMoney.3558. This malicious program is more complicated. Trojan.LoadMoney.3558 acts as the main system infector and uses a freely distributed utility cURL for downloading files. This utility allows it to interact simultaneously with multiple Internet servers by using several different protocols. The Trojan decrypts and saves them to a disk. For downloading files to an infected computer with a cURL, Trojan.LoadMoney.3558 uses the Windows Task Scheduler. The Trojan contains four encrypted addresses of Internet resources, one of which is used to operate with the cURL utility; other addresses are used to download the executable file, named Trojan.LoadMoney.3263, which is launched covertly. Upon launching, the original file, Trojan.LoadMoney.3263, is deleted.

After downloading, the Trojan extracts the executable file, restores its header, saves it to a temporary folder, and then launches the executable file. The specified file is detected by Dr.Web as Trojan.Siggen7.35395. Because virus writers have not implemented any visual effects in the malicious code, all the mentioned Trojans do not manifest themselves in the infected system, so detecting their malicious activity is not easy.

Doctor Web virus analysts continue to examine this family of malicious programs and dangerous files. As we receive more news about this family, we will continue to inform our readers. Dr.Web anti-virus products securely protect against all known representatives of the Trojan.LoadMoney family, so they do not pose a threat to our users.

More about this Trojan

Вся лента