Analysis by: Raymart Christian Yambot
ALIASES:

Trojan.Win32.OysterLoader (IKARUS)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers certain information on the affected computer.

  TECHNICAL DETAILS

File Size: 4,249,088 bytes
File Type: DLL
Memory Resident: No
Initial Samples Received Date: 18 Jun 2024
Payload: Collects system information, Connects to URLs/IPs, Steals information

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy adds the following processes:

  • schtasks /create /tn ClearMngs /tr "rundll32.exe \"{Malware File Path}\",Test" /sc hourly /mo 3 /f

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1

Information Theft

This Trojan Spy gathers the following information on the affected computer:

  • Username
  • Computer Name
  • User Information
  • Operating System
  • IP address
  • Domain name
  • User Privilege

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}ndrysettlers.us
  • http://{BLOCKED}erhomebe.com
  • http://{BLOCKED}ectyourman.eu

Other Details

This Trojan Spy does the following:

  • It adds the following schedule tasks:
    • Location:{Schedule Tasks Root Directory}
    • Name: ClearMngs
    • Trigger: At {Time execution of malware} on {Date execution of malware} - After triggered, repeat every 03:00 indefinitely.
    • Action Start a program - rundll32 "{Malware File Path},Test

  SOLUTION

Minimum Scan Engine: 9.800
FIRST VSAPI PATTERN FILE: 19.472.04
FIRST VSAPI PATTERN DATE: 17 Jul 2024
VSAPI OPR PATTERN File: 19.473.00
VSAPI OPR PATTERN Date: 18 Jul 2024

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.Win32.OYSTERLOADER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.