August 16, 2016 By Douglas Bonderud 2 min read

With such a massive install base, it’s no surprise that the occasional Trojan makes its way through Windows defenses to target users. As noted by Softpedia, however, a new, info-stealing Windows Trojan has emerged, and this one is after enterprise data.

Targeting files specific to the corporate environment, the malware looks to grab everything from passwords to financial data and then send this data to a command-and-control (C&C) server. Even more worrisome, while 34 out of 55 antivirus programs could detect the new attack, none of them properly identified the threat.

Here’s a look at the latest malware to saddle up and chase corporate secrets.

Windows Trojan Swipes Enterprise Data

While there’s not much data on the distribution method of these attacks, it looks like at least some cybercriminals are using a file named Aug_1st_jave.exe to spread their new code. According to BleepingComputer, which first identified the new Windows Trojan, once installed, the malware injects itself into the registry to run on startup and then compromises an active process, such as Google Chrome.

Next, it starts scanning victim PCs and sends back data including the computer name, username, Windows version, installed service pack details and the list of programs found in specific registry keys. Once a solid C&C connection is established, the Trojan looks for certain file extensions.

Data is then sent back to the C&C server. In many cases, companies aren’t aware any intellectual property has gone missing, let alone being sold on the Dark Web for cash. While the BleepingComputer team tracked down a compromised website hosting a hidden iframe and prompted it to clean up its domain, the original C&C server is still up and running.

Trojan Triple Threat

This isn’t the only Trojan threat to hit Windows users in recent weeks. As noted by The Next Web, a piece of malware supposedly created by cybercriminals calling themselves PeggleCrew has been making the rounds. Surprisingly, the source is app download site FossHub, which prides itself on “no adware, no spyware, no bundles, no malware.”

The new code acts like a circa-1990 virus by overwriting the victim PC’s master boot record. An attacker claiming to be from PeggleCrew said FossHub left a network service open and unauthenticated, allowing them access.

The boot Trojan isn’t hard to fix with a Windows recovery CD. Still, it’s clear that Windows Trojans remain a real problem.

Defender Does Double Duty

The problem is so real, in fact, that the Windows Defender tool has been busy detecting Trojan threats other antivirus programs apparently can’t see, according to Windows Report.

A number of users have reported up to 10 Trojan warnings per day. These users said that Defender isn’t actually removing the threats and occasionally asks them to reboot their computers, even after a full clean starts the warning cycle again.

There’s no word from Microsoft on the issue, but a clean install is recommended. The behavior seems suspiciously like a legitimate service that’s been compromised by an outside actor.

Minor threats are par for the course, but more sophisticated attack vectors are on the rise as cybercriminals recognize the value of infiltrating corporate networks and exfiltrating critical data. They’re no longer horsing around with personal PC compromise; expect a run on enterprise entries and data disruptions.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today