When one isn’t enough: This shady malware will infect your PC with dual Trojans

Low detection rates and the drop of not one, but two Trojans, spells trouble.
Written by Charlie Osborne, Contributing Writer

A new malware variant with a low detection rate able to deliver multiple Trojans to infected systems has been disclosed by researchers. 

This week, the cybersecurity team at Fortinet said a recent sample of the dropper reveals the new malware is designed to drop both RevengeRAT and WSHRAT on vulnerable Windows systems. 

The sample dropper begins the infection process with JavaScript code and URL-encoded information contained in a text editor. Once decoded, the team found VBScript obfuscated with character replacements. 

This VBScript code is then able to call a Shell.Application object that generates a new script file, A6p.vbs, which fetches a payload -- an additional VBScript -- from an external source. 

The strings in the new code, which are also obfuscated in a likely attempt to avoid detection, pull a script file called Microsoft.vbs from a remote server and saves it in the Windows temporary folder. 

"Once the aforementioned code is executed, it creates a new WScript.Shell object and collects OS environment and hardcoded data, which will eventually end in running the newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the "//B" parameter," the researchers say. "This enables "batch-mode" and disables any potential warnings or alerts that can occur during execution."

A new key is then added to the Windows registry, PowerShell commands are executed to bypass execution policies, and the Revenge RAT payload is deployed. 

See also: DanaBot banking Trojan jumps from Australia to Germany in quest for new targets

Revenge RAT is a Trojan previously connected to campaigns targeting financial establishments, governments, and IT companies. 

Once deployed by the new malware dropper, Revenge RAT connects to two command-and-control (C2) servers and collects system data from the victim before transferring this information to the C2s. 

IP addresses, volume data, machine names, user names, whether or not a webcam has been detected, CPU data, language, and information relating to antivirus products and firewall installations are stolen. 

The Trojan is also able to receive commands from a C2 to load malicious ASM code in memory for additional exploits. 

However, the deployment of one Trojan is not the end of the attack chain. The malware dropper also executes WSH RAT as a payload, using same Microsoft.vbs script -- with a few tweaks. 

WSH RAT is often actively distributed in phishing messages masquerading as well-known banks. The Trojan is being sold publicly online on a subscription basis to threat actors. 

CNET: Demonstrators scan public faces in DC to show lack of facial recognition laws

Version 1.6 of WSH RAT is loaded and this malware contains more functionality than its counterpart; including methods to maintain persistence, data theft, and information processing. 

Among 29 functions is the facility to check the current user's rights, and "depending on which ones are used, it will remain as is or elevate itself (startupElevate()) to a higher user access level," the researchers say. 

The Trojan will also perform a security check to disable the current security context.

TechRepublic: New phishing email campaign impersonates US postal service to deliver malware

WSH RAT focuses on stealing information harvested from popular browsers including Google Chrome and Mozilla Firefox. However, the malware also contains other features, such as executing files, rebooting the victim machine, uninstalling programs, and keylogging. 

Also of note in the malware space this month is the emergence of Emotet with new functionality. The modular malware, which has proven popular with cybercriminals, now appears to be utilizing stealth tactics once employed by Trickbot.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards