Palo Alto Networks’ research team has identified a new Trojan that abuses legitimate security software to side-load DLLs and get itself installed on the computer.
Perhaps the security software installed on your computer isn’t so secure anymore. The research team has dubbed the newly identified Trojan Bookworm.
Palo Alto Networks claims that Bookworm has strong ties to the PlugX RAT.
The Trojan is currently seen in campaigns run by an APT (advanced persistent threat) group that is mainly active in Thailand.
On the face of it, Bookworm appears to follow the recent trend toward modular malware.
Modular malware is malicious software capable of installing itself, and because it operates in multiple layers it is very difficult to identify.
A remote command and control server decides what is to be uploaded, usually based on the profile of the infected target device.
The Bookworm Trojan has a simple internal architecture: an XOR algorithm encrypts the various malicious DLLs, and a readme.txt file ties them together.
Clean executables, this readme.txt file and some DLLs are then packed into a self-extracting RAR archive, which is built with Smart Installer Maker, an application for creating installation packages.
The resulting installer, which the attackers distribute, runs the self-extracting archive and drops the malicious readme.txt file, the DLLs, and the EXE.
Once the installer has finished, the clean EXE launches automatically and looks for the Microsoft Malware Protection executable (MsMpEng.exe), the Kaspersky Anti-Virus executable (ushata.exe), or both.
Once found, the clean EXE side-loads the DLLs into these security products, and the privileges of those security applications are used to install Bookworm under the guise of a Microsoft application.
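As an added illustration from the detection side (not code from the original article or from Palo Alto Networks), the following Python flags image-load events in which a process named MsMpEng.exe or ushata.exe runs from, or loads a DLL from, a directory outside its vendor's expected install path, or loads an unsigned DLL. The vendor install roots, the Sysmon-style key=value input format and the sample events are assumptions constructed for the example.

```python
# Flag DLL loads into MsMpEng.exe / ushata.exe that look like side-loading.
# Input: Sysmon Event ID 7 (Image loaded) records flattened to key=value lines.
import ntpath
import re

# Assumed legitimate install roots per abused executable (adjust per environment).
EXPECTED_ROOTS = {
    "msmpeng.exe": (r"c:\program files\windows defender",
                    r"c:\programdata\microsoft\windows defender\platform"),
    "ushata.exe": (r"c:\program files (x86)\kaspersky lab",
                   r"c:\program files\kaspersky lab"),
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one 'key=value' Sysmon-style line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def sideload_reasons(ev):
    """Return the reasons a load looks like side-loading (empty list = benign)."""
    proc = ev.get("Image", "").lower()
    dll = ev.get("ImageLoaded", "").lower()
    name = ntpath.basename(proc)
    if name not in EXPECTED_ROOTS:
        return []  # not one of the executables Bookworm is reported to abuse
    reasons = []
    proc_dir, dll_dir = ntpath.dirname(proc), ntpath.dirname(dll)
    if not proc_dir.startswith(EXPECTED_ROOTS[name]):
        reasons.append("process runs outside its vendor install directory")
    if dll_dir == proc_dir and not dll_dir.startswith(EXPECTED_ROOTS[name]):
        reasons.append("DLL loaded from the process's own non-vendor directory")
    if ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("loaded DLL lacks a valid signature")
    return reasons

def find_sideload_candidates(lines):
    """Return (dll path, reasons) for every suspicious event in the input lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.get("ImageLoaded", ""), reasons))
    return hits

# Constructed sample events (not real telemetry): one benign load, two suspicious.
SAMPLE = [
    'EventID=7 Image="C:\\Program Files\\Windows Defender\\MsMpEng.exe" ImageLoaded="C:\\Program Files\\Windows Defender\\MpClient.dll" SignatureStatus=Valid',
    'EventID=7 Image="C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\MsMpEng.exe" ImageLoaded="C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\MpSvc.dll" SignatureStatus=Unavailable',
    'EventID=7 Image="C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\ushata.exe" ImageLoaded="C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\ushata.dll" SignatureStatus=Unavailable',
]
```

Running `find_sideload_candidates(SAMPLE)` returns the two loads from the user's Temp directory with all three reasons each, while the genuine Windows Defender load is not flagged.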
Bookworm then extracts and loads the other modules contained in the readme.txt file. It also begins communicating with the command and control server and sends data from the infected device to it.
However, the researchers did not say which modules Bookworm loads or downloads; their analysis was hindered by the Trojan’s use of four different encryption algorithms when communicating with the C&C server.
These algorithms include RC4, AES, XOR, and LZO.