Swarez Trojan and Dropper Distributed under the Disguise of 15 Popular Games

黑尔加·史密斯八月 27, 2021最後更新: 九月 6, 2021

44 1 分鐘閱讀

In April of this year, Kaspersky Lab experts recorded a large-scale campaign to distribute a Trojan and a dropper named Swarez.

The malware was distributed under the guise of 15 popular games, and attempts to download such files were recorded by the company’s products in 45 countries of the world.

The dropper was introduced through various sites that imitate platforms for illegal free software distribution. Many such sites distribute malware under the guise of keys for programs, including antivirus software, photo and video editors, as well as popular games.

An example of a site page with hacked software for distributing Swarez.

The attackers used the following games as bait: Among US, Battlefield 4, Battlefield V, Control, Counter-Strike Global Offensive, FIFA 21, Fortnite, Grand Theft Auto V, Minecraft, NBA 2K21, Need for Speed Heat, PLAYERUNKNOWN’S BATTLEGROUNDS, Rust, The Sims 4, Titanfall 2. Multiple tags were used for each post to make landing pages appear at the top of search results.

The dropper was distributed in a ZIP archive, which contained another password-protected ZIP file and a text file containing this password. The launch of the malware resulted in the decryption and activation of the Taurus stealer Trojan.

Thus, at the first stage of infection, the Swarez dropper executes an obfuscated CMD script that decrypts the legitimate AutoIt interpreter. Using it, the malware executes the AutoIt script, which is also obfuscated. Several checks are made to ensure that the file is not being executed in an emulated environment, and then the payload is decrypted using the RC4 algorithm. The resulting file is embedded in one of the system processes and executed in its context. This is Taurus, a paid stealer Trojan developed by the Predator hack group, with many features and customization options. It can steal cookies, saved passwords and autofill data from browsers, secrets for accessing cryptocurrency wallets, collect system information, text files from the user’s desktop, and even take screenshots. The Trojan sends all this information to the C&C服務器.

Users around the world are actively downloading software from dubious sources, and the authors of the Swarez dropper used this to their advantage. Attackers are constantly complicating their techniques and making every effort so that the user does not suspect that he is installing malware while downloading the program. That is why we recommend downloading the software only from the official websites of the developers.comments Anton Ivanov, cybersecurity expert at Kaspersky Lab.

Let me remind you that I also recently wrote that TrickBot got a new module for monitoring victims.

標籤

黑尔加·史密斯八月 27, 2021最後更新: 九月 6, 2021

44 1 分鐘閱讀

Swarez Trojan and Dropper Distributed under the Disguise of 15 Popular Games

In April of this year, Kaspersky Lab experts recorded a large-scale campaign to distribute a Trojan and a dropper named Swarez.

黑尔加·史密斯

留言取消回覆

Remove QEHU Ransomware Virus (+DECRYPT .qehu Files)

Remove QEPI Ransomware Virus (+DECRYPT .qepi Files)

Remove BAAA Ransomware Virus (+DECRYPT .baaa Files)

Remove BGZQ Ransomware Virus (+DECRYPT .bgzq Files)

Remove BGJS Ransomware Virus (+DECRYPT .bgjs Files)

移除KAAA勒索軟件病毒 (+解密.kaaa文件)

移除UAJS勒索軟件病毒 (+解密.uajs文件)

移除USZQ勒索軟件病毒 (+解密.uazq文件)

移除VOOK勒索軟件病毒 (+DECRYPT .vook文件)

移除LOOY勒索軟件病毒 (+DECRYPT.looy文件)

移除KOOL勒索軟件病毒 (+DECRYPT .kool文件)

移除NOOD勒索軟件病毒 (+DECRYPT.nood文件)

移除WIAW勒索軟件病毒 (+解密.wiaw文件)

移除WISZ勒索軟件病毒 (+DECRYPT.wisz文件)

移除LKFR Ransomware病毒 (+DECRYPT.lkfr 文件)

In April of this year, Kaspersky Lab experts recorded a large-scale campaign to distribute a Trojan and a dropper named Swarez.

黑尔加·史密斯

DoppelPaymer ransomware renamed to Grief

Chinese authorities have arrested the authors of the Mozi botnet

留言取消回覆

相關文章

新版本嘅Magniber勒索軟件威脅Windows 11 用戶

善意勒索迫使受害者做善事

俄羅斯Fronton殭屍網絡可以做嘅不僅僅昰大規模嘅DDoS攻擊

Microsoft警告XorDdos惡意軟件活動增加