Doctor Web has detected an attack on Windows users using the modular Trojan downloader Trojan.Fruity.1. It allows attackers to infect computers with different types of malicious applications depending on their goals. Various techniques are used to hide the attack and increase its chances of success. These include a multi-step process to infect targeted systems, the use of benign programs to launch Trojan horse components, and the attempt to bypass antivirus protection.

For about a year now, Doctor Web has been receiving user complaints about Windows computers infected with the Remcos RAT (Trojan.Inject4.57973) spyware. During the investigation of these incidents, specialists discovered an attack in which the main role is played by a multi-component Trojan downloader Trojan.Fruity.1.

To spread it, the attackers created malicious websites and specially crafted installers of various programs. Among them are tools for tuning processors, video cards and BIOSes, utilities for checking the status of computer hardware and many others. These installers serve as bait and contain not only the software of interest to the potential victim, but also the Trojan itself, along with all its components.

When a visitor tries to download a program from a fake website, they are redirected to a page on the Mega file sharing service, where they are asked to download a zip file containing the Trojan.

When the unsuspecting victim extracts the executable file from the archive and runs it, the standard installation process begins. However, Trojan.Fruity.1 arrives on the computer alongside the harmless program, which serves only to distract the user’s attention. Together with its other components, it is copied into the same folder as the bait program.

Attackers have turned legitimate programs into one of the “modules” of the Trojan. In this example, Trojan.Fruity.1 is embedded in one of the Python programming language libraries, which is loaded by the python.exe interpreter carrying a valid digital signature. In addition, cases involving VLC media player files and the VMware virtualization environment were detected.

The list of files associated with the Trojan:
python39.dll – a copy of a Python package library with embedded malicious code;
python.exe – the original Python interpreter used to run the modified library;
idea.cfg – configuration with payload location data;
idea.mp3 – encrypted Trojan modules;
fruit.png – encrypted payload.

Once the installer has extracted these files, the multi-step process of infecting the system begins.
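The file layout described above (a signed interpreter beside a modified library and companion files whose extensions claim media formats) is something an incident responder can check for during triage. The script below is an added example written for this page; it is not Doctor Web's code and not part of the report. It uses the file names from the report, assumes the responder has a set of known-good SHA-256 hashes for python39.dll (a hypothetical allowlist), and builds a constructed sample directory with placeholder bytes, not real malware, so it runs offline.

```python
"""Triage helper for the dropped-file pattern described in the report.

Added example, not from Doctor Web. It flags a directory where a Python
interpreter sits next to a python39.dll that is not on a known-good list,
and where companion files with .mp3/.png names lack the magic bytes a real
file of that type would carry (a sign that they hold encrypted data).
"""
import hashlib
import math
import tempfile
from pathlib import Path

# File names taken from the report's description of the dropped components.
INTERPRETER = "python.exe"
MODIFIED_LIBRARY = "python39.dll"
COMPANION_FILES = ("idea.cfg", "idea.mp3", "fruit.png")

# Leading bytes a genuine file of each claimed type would start with.
MAGIC_PREFIXES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_mismatch(path: Path) -> bool:
    """True when a file claims a media/image extension but lacks its magic bytes."""
    prefixes = MAGIC_PREFIXES.get(Path(path).suffix.lower())
    if prefixes is None:
        return False  # extension not covered by this check
    with Path(path).open("rb") as f:
        head = f.read(16)
    return not any(head.startswith(p) for p in prefixes)


def triage_directory(directory, known_good_dll_hashes) -> dict:
    """Score one directory against the layout described in the report."""
    d = Path(directory)
    names = (INTERPRETER, MODIFIED_LIBRARY, *COMPANION_FILES)
    present = {name: (d / name).is_file() for name in names}

    dll_hash = sha256_of(d / MODIFIED_LIBRARY) if present[MODIFIED_LIBRARY] else None
    # A python39.dll that is not on the allowlist is the key indicator here,
    # since the report says the legitimate library is replaced by a modified copy.
    dll_unexpected = dll_hash is not None and dll_hash not in set(known_good_dll_hashes)

    mismatched = []
    for name in COMPANION_FILES:
        p = d / name
        if p.is_file() and extension_mismatch(p):
            mismatched.append({"file": name,
                               "entropy": round(shannon_entropy(p.read_bytes()), 2)})

    companions_present = sum(present[n] for n in COMPANION_FILES)
    suspicious = bool(present[INTERPRETER] and dll_unexpected
                      and (companions_present >= 2 or mismatched))
    return {"present": present, "python39_dll_sha256": dll_hash,
            "dll_unexpected": dll_unexpected, "mismatched_media": mismatched,
            "suspicious": suspicious}


def build_constructed_sample(root=None) -> Path:
    """Create a CONSTRUCTED directory mimicking the layout (placeholder bytes only)."""
    d = Path(root) if root else Path(tempfile.mkdtemp(prefix="fruity_sample_"))
    d.mkdir(parents=True, exist_ok=True)
    (d / INTERPRETER).write_bytes(b"MZ" + b"\x00" * 62)          # placeholder, not a real PE
    (d / MODIFIED_LIBRARY).write_bytes(b"MZ" + b"placeholder-lib")  # placeholder, not a real DLL
    (d / "idea.cfg").write_text("payload=fruit.png\n")            # constructed config text
    # Pseudo-random bytes standing in for encrypted blobs; neither carries a real header.
    rnd = bytes((i * 73 + 41) % 256 for i in range(4096))
    (d / "idea.mp3").write_bytes(rnd)
    (d / "fruit.png").write_bytes(rnd[::-1])
    return d


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(triage_directory(sample, known_good_dll_hashes=set()))
```

The allowlist matters: the same python.exe and python39.dll pair is perfectly normal in a real Python install, so the check only fires when the library hash is unknown and the companion files are present or are not what their extensions claim.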
