The following screenshot demonstrates some of the Windows versions capable of being detected. Windows version detection is rather detailed and individual versions are hard-coded into the malware.
The information that the malware transmits is as follows: This address did host a website which it was loading using an Iframe, making it appear like a trusted website however, at the time of writing, no content is hosted at this address. This information is then transmitted to the command & control server (C&C) alongside the list of installed programs on the infected operating system. Once the initial stage has been completed, the malicious executable begins basic operating system detection. This further indicates that the malware is either unsophisticated or was released prematurely. One interesting behavior is that it does not attempt to move the original files to a new location, instead the original executable is left in its default location. The technical analysis shows that it tends to inject itself into one of the browser processes, such as Firefox or Google Chrome, thus remaining undetected from a windows process list. In order to disguise itself, it injects itself into a running process.
#ZILLYA TROJAN INSTALL#
It will either install itself as a Windows service or by adding a special registry key that enables auto run every time an infected computer starts. Upon initial infection, the malware will configure itself to start automatically, by modifying Windows settings to allow such actions to take place. This article aims to provide a high-level overview of the malicious file and the actions it takes to remain invisible while harvesting potentially sensitive data and sending them to a command & control server. Instead, it seems to be developed by either an individual or a group of people who understand the basic concepts of malware development. There are many indications that this Trojan was developed for industrial espionage however, according to Malwarebytes (who performed deep technical analysis on Shakti), it is not sophisticated enough to be state sponsored. Want to check how good your organisation’s security is? Click here. On closer inspection, it was discovered that this type of Trojan searches for particular file types on the victim’s computer and uploads them to a central server. Shakti is a data exfiltration Trojan. It emerged a few days ago when it was sent to by one of their readers.
Perspective Risk’s Cyber Security expert Sasha Raljic explores Shakti – a Trojan threat, in this blog post. New Trojan found – Shakti modifies Windows settings to steal files
0 kommentar(er)
