

Once infected, the malware can steal information from many popular pieces of software, including the Google Chrome, Safari and Firefox web browsers. The injection techniques we're seeing in the wild are well-known and have been used for many years, but with the adversaries customizing them, traditional anti-virus systems are having a hard time detecting the embedded malware. In this post, we'll walk through one of these campaigns in detail and how the different stages of the dropper hide the malware.
The campaigns we analyzed started with a malicious email similar to the one below. An ARJ archive is attached to this email. Any internet user is a potential target of this malware; an infection has the potential to completely take away the user's online privacy.
ARJ is an early-1990s archive format that was popular on the pirated software scene. It can split an archive into multiple smaller files, which made sharing over dial-up connections easier. ARJ archives can be unpacked with various tools such as 7-Zip or WinRAR.
Users can easily find an unpacker by double-clicking on the file and searching in the Windows Store for the appropriate software.

We often see that adversaries use old archive formats, hoping to bypass weak email security gateways. In this case, this archive wasn't split into multiple files and it contained only a single executable with the name: "IMP_Arrival Noticedoc.exe".

This actor often used filenames with the schema ".exe". In other campaigns by this adversary, we also saw completely different names and file types, such as malicious Office documents acting as first-stage droppers. In this blog post, we will focus on the executables. Most of them are compiled, sometimes UPX-packed, AutoIt scripts that can be easily decompiled. Figure 2 shows the decompiled version of the script.

Figure 2 - Decompiled version of the AutoIT script

Unfortunately, as usual, the content was heavily obfuscated before compilation. The deobfuscated version of the AutoIT script in Figures 3 and 4 shows that it starts with some anti-VM checks. These checks have been typical for AgentTesla campaigns for years; you can often find them in one form or another in the first-stage droppers.

Figure 3 - Start of the deobfuscated AutoIT script

Figure 4 - VM checks of the deobfuscated AutoIT script

If these checks do not find anything, the script decodes and extracts resource names of font type (8) from the string in the first parameter ($data) handed to the DecodeDataFromPEResourceOrString function (Figure 7). In the GetResourcesFromPE function (Figure 6), this parameter is converted into a string and split into the individual font resource names. These font type resources are then extracted from the PE resources and concatenated into one large binary.

Figure 5 - Resource Section of IMP_Arrival Noticedoc.exe

The result is a list of strings in the following order:

The result is stored again in the $data variable (Line 245 in Figure 7), and the order of the stored bytes is reversed by StringReverse(BinaryToString($data)) in Line 246. This is the final payload malware in RC4-encrypted form. The variable $sopcode contains the bytes of the RC4 code. After preparing the shellcode and the encrypted payload data, the RC4 function is executed in line 262 and decrypts the payload.

Figure 7 - DecodeDataFromPEResourceOrString RC4 Function
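To make the unpacking chain concrete, the following Python is an added example written for this post; it is not the blog's code or the dropper's script. It mirrors the three steps described above (concatenate the font resources in the named order, reverse the byte order, RC4-decrypt) so an analyst can recover the second stage from a sample for static analysis. The resource names, their contents and the key are constructed placeholders, since the real ones are not reproduced on this page.

```python
# Added analyst example (not the blog's or the dropper's own code): reproduce
# the payload-recovery steps the post describes so a defender can pull the
# second stage out of a sample for static analysis. The resource blobs, their
# order and the RC4 key below are CONSTRUCTED placeholders; in a real sample
# the names come from $data and the key from the script.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_payload(font_resources: dict, order: list, key: bytes) -> bytes:
    """Mirror DecodeDataFromPEResourceOrString: concatenate the RT_FONT (type 8)
    resources in the order the script names them, reverse the byte order
    (StringReverse(BinaryToString($data))), then RC4-decrypt the result."""
    concatenated = b"".join(font_resources[name] for name in order)
    return rc4(key, concatenated[::-1])


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check before handing the result to a sandbox or disassembler:
    a Windows executable starts with the DOS header magic 'MZ'."""
    return len(data) >= 64 and data[:2] == b"MZ"


# --- Constructed sample, mimicking how the dropper stores its payload ---
KEY = b"constructed-key"                        # placeholder, not the real key
PAYLOAD = b"MZ" + b"\x90" * 62 + b"stage2"      # stands in for the real PE
_stored = rc4(KEY, PAYLOAD)[::-1]               # encrypted, then byte-reversed
RESOURCES = {"FONT_A": _stored[:20], "FONT_B": _stored[20:45],
             "FONT_C": _stored[45:]}            # split across three font resources
ORDER = ["FONT_A", "FONT_B", "FONT_C"]          # order the script's $data lists them

if __name__ == "__main__":
    recovered = recover_payload(RESOURCES, ORDER, KEY)
    print("PE header found:", looks_like_pe(recovered), "size:", len(recovered))
```

Against a real sample, replace RESOURCES with the RT_FONT blobs read from the PE resource section and KEY with the key recovered from the deobfuscated script.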
The following pictures show the disassembled RC4 shellcode:

Figure 8 - RC4 function ($opcode variable)

After the payload is decrypted, the script calls the final InjectPayloadIntoProcess function to inject the payload into another process. It offers nine different legitimate process options for this injection; the adversary selects which one will be used by passing the corresponding number to the function.

Figure 9 - Injection victim process selection

In this case, the adversaries picked option one, RegAsm.exe, to hide the payload. The rest of the function is quite similar to what has already been described in other blogs. It prepares the local injection shellcode ($a5_local_shellcode) and executes it in Line 211 in Figure 10.
As mentioned before, this code finally hides the payload inside of the selected legit process.
