Trojan.LNK.GOSUKY.AA

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops and executes the following files:

• {Malware File Path}\{Malware File Name}.pdf

It adds the following processes:

• "%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe" "{Malware File Path}\{Malware File Name}.pdf"
• powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "{malicious powershell command}"

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

Download Routine

This Trojan connects to the following website(s) to download and execute a malicious file:

• https://{BLOCKED}ropboxapi.com/2/files/download/step2/ps.bin
  However, as of this writing, the said sites are inaccesible.

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan does the following:

• It makes a POST request to the token endpoint “https://{BLOCKED}pboxapi.com/oauth2/token ”.
• If the request is successful, the response will contain a new access token → used to authenticate subsequent API requests to Dropbox (downloading a file).