Banking Trojan Targets US and Mexico Using App Libraries

Discussion in 'malware problems & news' started by ronjor, May 6, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,098
    Location:
    Texas
    http://www.infosecurity-magazine.com/news/banking-trojan-targets-us-and/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Another example of using .Net to employ legit apps in a malicious way; in this instance Fiddler and JSON.

    Things that caught my eye from the detailed Zscaler analysis are:

    Once executed, the installer will attempt to download the following three components on the victim's machine:

    • syswow.exe - This is the main Infostealer payload that steals the banking credentials
    • FiddlerCore3dot5.dll - Fiddler Proxy Engine for .NET applications. This is a legitimate .NET Class library file that the malware authors are using in the main Infostealer functionality
    • Newtonsoft.Json.dll - Open source JSON framework for .NET applications. This is a legitimate .NET Class library file that the malware authors are using for parsing Command & Control (C&C) server response data and converting it into XML format

    The above files are downloaded in the Windows system directory

    For other versions of Windows (non-XP), the malware will not create an autostart registry key. However, in order for the Fiddler proxy engine to work properly the malware will install a Fiddler generated root certificate before starting the proxy engine.

    Hence the need to monitor file creation in the Windows system directories and protect root CA certificate registry keys.

     
    Last edited: May 6, 2016
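The two checks itman recommends at the end of his post (dropped components in the system directory, and a foreign root certificate) can be done from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not from the Zscaler analysis or from any of the tools it names. The file names are the three quoted above; the store paths are the standard Windows certificate stores; the subject match relies on Fiddler's default root name (DO_NOT_TRUST_FiddlerRoot), which a malware author could change, so the script also flags any self-signed root newer than an assumed 30-day cutoff.

```powershell
# Added audit example for the artefacts discussed in the thread (not Zscaler's code).
# Run as Administrator so both the machine and current-user root stores are readable.

$payloadNames = @('syswow.exe', 'FiddlerCore3dot5.dll', 'Newtonsoft.Json.dll')
$systemDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# 1. Dropped components in the Windows system directories.
#    The two legitimate DLLs are unsigned by default, so Signature is informational;
#    their presence next to syswow.exe in System32 is the indicator.
foreach ($dir in $systemDirs) {
    foreach ($name in $payloadNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Finding   = 'DroppedFile'
                Path      = $path
                CreatedUtc = $file.CreationTimeUtc
                SizeBytes = $file.Length
                Signature = $sig.Status
            }
        }
    }
}

# 2. Self-signed roots in the trusted root stores that are either named like
#    Fiddler's default root or are newer than the cutoff (assumed 30 days).
#    A renamed Fiddler root still trips the age check; a root that was present
#    at OS install time is older than the cutoff and is not reported.
$cutoff = (Get-Date).AddDays(-30)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -eq $_.Issuer -and
        ($_.Subject -match 'Fiddler' -or $_.NotBefore -gt $cutoff)
    } | ForEach-Object {
        [pscustomobject]@{
            Finding    = 'SuspiciousRoot'
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.NotBefore
        }
    }
}
```

The certificate stores the second check walks are backed by the registry keys HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates and HKCU\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates; an audit SACL on those keys, or a Sysmon registry rule scoped to them, turns the one-off audit into the ongoing monitoring itman is asking for.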