Hackers Exploit Kaspersky, Microsoft Security Products to Install Snooping Trojan

November 11th, 2015 | Ryan De Souza | Malware, Security

Palo Alto Networks’ research team has identified a new Trojan, which uses security software to side-load DLLs in order to get installed on the computer.

Perhaps the security software installed on your computer isn’t so secure anymore. The research team has dubbed the newly identified Trojan Bookworm.

Palo Alto Networks claims that Bookworm shares some clear connections with the PlugX RAT.

Currently, this Trojan is seen in campaigns run by an advanced persistent threat (APT) group that is mainly active in Thailand.

Bookworm appears to be an extension of the recent trend towards modular malware.

Modular malware is malicious software that can install itself and, because it operates in multiple layers, is highly difficult to identify.


A remote command and control server determines what is to be uploaded to the infected machine, usually chosen according to the target device’s profile.

The Bookworm Trojan has a simple internal architecture: the various malicious DLLs are encrypted with an XOR algorithm, and a file named readme.txt ties them together.

[Image: Internal architecture of the Bookworm trojan / Image Source: Palo Alto Networks]

The readme.txt file, a clean executable and some DLLs are then bundled into a self-extracting RAR archive. This archive is built with Smart Installer Maker, an application that creates installation packages.

The resulting installer, which the attackers distribute, is a self-extracting archive that drops the malicious readme.txt file, the DLLs, and the EXE onto the machine.

Once the installer has finished, the clean EXE launches automatically and looks for the executables of Microsoft Malware Protection (MsMpEng.exe), Kaspersky Anti-Virus (ushata.exe), or both.

When one is located, the clean EXE side-loads the DLLs into that security product, and the trust and permissions granted to the security application are used to install the Trojan under the guise of a Microsoft application.

Bookworm then extracts and loads the other modules stored in the readme.txt file. It also starts communicating with the command and control server and sends data from the infected device to it.

However, the researchers did not describe which modules Bookworm loads or downloads, because their analysis was hindered by the Trojan’s use of four different encryption algorithms when communicating with the C&C server.

These algorithms include RC4, AES, XOR, and LZO.

Featured Image Via Techno Stream (http://techno-stream.net/yahoo-ads-accidentally-spewed-malware/wpid-hacker-hacking-dark-hoodie-jpg-4/)
