[German]German blog reader Christian contacted me yesterday by mail because he encountered a virus (Trojan) at some of his customers that was not detected by Microsoft Defender so far. There is not much information about the virus yet – unfortunately there is no scan available at VirusTotal. But I'll post the information Christian has already found out – maybe someone of you will find more information.
Advertising
Here is the text that blog reader Christian sent me. He found the new virus on 3 PCs (two independent customers). The goal of the malware is to spy on Internet accounts (including those of Paypal and banks). What Christian has found out so far is:
- That the malware was written in Python.
- The malware stores itself in %appdata% using a random combination of letters as the filename.
- The malware shows up in Windows autostart as a program called "Python*" (* stands for something). The name of the exe file is ctfmon.exe (based on the Windows system file).
- The malware sets up a scheduled task with one of a random sequence of uppercase and lowercase letters as its name. The task runs daily and loads an update. .
- The malware/virus can be seen in Task Manager as msbuild.exe with approximately 80 MB of memory usage.
- The virus listens on localhost:8000 and enters itself in the system (Internet Explorer -> Internet Options) as a proxy for https and http. Firefox uses this proxy by default.
This malware, writes Christian, is not yet found by MS Defender. The malware first appeared on 09.04.2021, although its origin is unclear. It is suspected that the malware spreads via email, and it is possible that it spreads locally in the network. Christian assumes the latter, because he found the malware on two computers at one of his customers.
The malware redirects all (Internet) traffic (https and http) via itself, so it can siphon off the data exchanged there. The reason why the malware was noticed in the first place: For some time now, the certificate has probably expired, as Christian wrote to me. As a result, error messages appear in the browser.
His customer No. 1 got suspicious and contacted him. The second customer was informed by the bank, because unusual transactions were noticed. After publishing the German edition of this blog post, another blog reader reported, that he found the malware also on a system within a smaller enterprise.
Currently I have no more details nor Virus Total-reports to share. If somebody find some installs of this malware, further details may be posted as comments. Thanks.
Advertising
Additional details
In the meantime, blog reader Volker B. has sent me new information (thanks for that). Volker found the malware on a customer's system and wrote me about it..
I just came from the customer, found exactly what was described here. I have backed up the files from the appdata. What is interesting is how the customer came up with this. There was a certificate message, which he always answered with no and also could no longer access the Internet (see screenshot below, it's a German customer).
Volker writes: The process hung in the autostart, killed it, deleted the folder and removed the proxy from the settings, it runs with the Internet again. The malware was probably running since Wednesday 26.05. on the system.
He uploaded the file to virustotal.com (I uploaded it again), nothing was detected here.
I've uploaded the file now to Microsoft's site for suspicious files.
Sounds to me like a typical email attachment attack scenario. What I do not understand here: to install a root certificate there should be admin credentials involved.
So my question here would be: were the users adminis of those local machines?
If yes there is a very nasty other problem t hand in the first place causing this problem: users are admins which is bad, very bad
If no than everyone should run and start demanding a fix for this mess and then go script themselves a task hunter.