Attackers Abuse Security Products to Install "Bookworm" Trojan

Discussion in 'malware problems & news' started by ronjor, Nov 11, 2015.

  1. ronjor (Global Moderator)

  2. itman (Registered Member)

    The legitimate executable dropped by the threat is a component of Kaspersky Anti-Virus (ushata.exe) or a component of Microsoft Security Essentials (MsMpEng.exe). These executables are used to perform DLL side-loading and load “Loader.dll.”

    Loader.dll then decrypts the “readme.txt” file to deploy a shellcode, which in turn decrypts Bookworm’s main component (Leader.dll) and various other DLLs. Experts have pointed out that these DLL files, each designed to provide specific functionality, are not written to the disk — the malware operates only in the memory.

    Great example of using legit signed .exe's to perform reflective DLL loading into memory. Question is: which directory are the legit .exe's dropped to?
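The post above describes the two signed host executables (ushata.exe, MsMpEng.exe) and the companion files (Loader.dll, readme.txt) the side-loading chain relies on. A defender's first answer to the "which directory" question is to look for those host binaries anywhere other than their vendor install tree, and to raise the severity when the companion files sit beside them. The following is an added example, not code from the thread or from any vendor; the expected install roots and the sample file inventory are constructed assumptions for illustration and should be replaced with what is actually deployed in your environment.

```python
"""
Hunt for DLL side-loading hosts sitting outside their vendor install directory.

Added example, not code from the thread. Input is a plain list of absolute
Windows paths (for instance an endpoint file inventory or file-creation
telemetry); no filesystem access is needed, so it runs anywhere.
"""
from pathlib import PureWindowsPath

# Signed host executables named in the thread (abused to side-load Loader.dll).
SIDELOAD_HOSTS = {"ushata.exe", "msmpeng.exe"}

# Assumed legitimate install roots (illustrative; verify against your estate).
EXPECTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Kaspersky Lab"),
    PureWindowsPath(r"C:\Program Files (x86)\Kaspersky Lab"),
    PureWindowsPath(r"C:\Program Files\Microsoft Security Client"),
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
)

# Companion artifacts described in the thread: the side-loaded DLL and the
# encrypted payload file it decrypts.
COMPANIONS = {"loader.dll", "readme.txt"}


def _under_expected_root(path: PureWindowsPath) -> bool:
    """True if the file's directory is one of, or nested below, an expected root.
    PureWindowsPath compares case-insensitively, matching NTFS semantics."""
    parent = path.parent
    return any(parent == root or root in parent.parents for root in EXPECTED_ROOTS)


def find_sideload_candidates(file_paths):
    """Return one finding per host executable located outside its expected root.

    Each finding records the host path, which companion files share its
    directory, and a severity: 'high' when a companion is present (the full
    side-loading kit is staged), otherwise 'medium' (host copied somewhere odd).
    Findings are returned in input order.
    """
    paths = [PureWindowsPath(p) for p in file_paths]

    # Index lower-cased file names per directory so companion lookup is O(1).
    by_dir = {}
    for p in paths:
        by_dir.setdefault(p.parent, set()).add(p.name.lower())

    findings = []
    for p in paths:
        if p.name.lower() not in SIDELOAD_HOSTS:
            continue
        if _under_expected_root(p):
            continue  # the vendor's own copy, in its own tree
        present = sorted(COMPANIONS & by_dir[p.parent])
        findings.append({
            "host": str(p),
            "companions": present,
            "severity": "high" if present else "medium",
        })
    return findings


# Constructed sample inventory: two legitimate installs, one staged kit under
# a user-writable directory, one stray host copy, and an unrelated binary.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\ushata.exe",
    r"C:\Program Files\Microsoft Security Client\MsMpEng.exe",
    r"C:\Users\Public\Libraries\update\MsMpEng.exe",
    r"C:\Users\Public\Libraries\update\Loader.dll",
    r"C:\Users\Public\Libraries\update\readme.txt",
    r"C:\ProgramData\cache\ushata.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_INVENTORY):
        print(finding["severity"].upper(), finding["host"], finding["companions"])
```

Matching on file name alone is deliberate: the host binary is genuinely signed, so signature checks pass and only its location (and neighbours) gives the staging away. Pairing this with a hash or signer check on the Loader.dll found beside the host turns the medium finding into a confirmed one.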