“Twin Flower” Campaign Jacks Up Network Traffic, Downloads Files, Steals Data
Additional Insights and Analysis by Bren Matthew Ebriega, Shawn Moreño, and William Gamazo Sanchez
We analyzed samples related to a new Twin Flower campaign, which are detected as PUA.Win32.BoxMini.A, Trojan.JS.TWINFLOWER.A, and TrojanSpy.JS.TWINFLOWER.A. The "Twin flower" campaign (rough translation from Chinese) has been first detected by Jinshan security researchers back in 2018 in a report published in Chinese. The files are believed to be downloaded unknowingly by users when visiting malicious sites or dropped into the system by another malware.
The potentially unwanted application (PUA) PUA.Win32.BoxMini.A files are either a component or the main executable itself of a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:
- %System%\cmd.exe /c "%User Temp%\RarSFX0\start.bat"
- %User Temp%\RarSFX0\{malware name}
Trojan.JS.TWINFLOWER.A connects to a URL and downloads a file that will then be renamed when stored. It also connects to other URLs and boosts these sites’ page views. It checks for the presence of the following processes, and will not perform its download routine if any of the processes, which are mostly for traffic inspection, analysis, and debugging, are detected running in the affected system:
- chkencap.exe
- dbg.exe
- fiddler.exe
- HipsDaemon
- hookme.exe
- httpanalyze
- networktrafficview.exe
- sniff.exe
- softice.exe
- tcpmon
- windgb.exe
- wireshark.exe
- wsockexpert
Defense Against Malicious Attacks
Indicators of Compromise
SHA-256 | Trend Micro Pattern Detection |
076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479 | PUA.Win32.BoxMini.A |
3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95 | PUA.Win32.BoxMini.A |
ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626 | PUA.Win32.BoxMini.A |
83991f45954c0fa063bd946ef3ec298563d24db08616620af9980e3bbeae7b31 | Trojan.JS.TWINFLOWER.A |
01671d8a04b832523b9c7c6feda22179ce197860cd37b9e6cf2ae12cae1bb49b | TrojanSpy.JS.TWINFLOWER.A |
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Recent Posts
- Ransomware Spotlight: Ransomhub
- Unleashing Chaos: Real World Threats Hidden in the DevOps Minefield
- From Vulnerable to Resilient: Cutting Ransomware Risk with Proactive Attack Surface Management
- AI Assistants in the Future: Security Concerns and Risk Management
- Silent Sabotage: Weaponizing AI Models in Exposed Containers