I recently published a note on the degree of sophistication of the malware, commenting on some details of a rootkit that had infected millions of computers around the world, in this sense, this time I will refer to a Trojan analyzed by researcher Steven K from XyliBox.
Malware is designed to stay camouflaged as if it were the legitimate antivirus of the victim. It all starts with a file called Flash-Player.exe, once it is run some Windows language checks are performed and a false alert:
Meanwhile various modifications are made, check which antivirus is installed and some files are stored in the system folders, such as a TXT that contains a list of IPs of infected machines that create a P2P network for the exchange of malware and other files.
As you can see in the image, the false message requests a restart to remove a suspected virus. When it restarts, the system loads in safe mode, the victim only sees a black screen and legitimate antivirus is automatically uninstalled.
When everything returns to normal it loads next to the clock a fake icon that simulates being the antivirus that was previously installedThey even simulate signature updates and when clicked a message is displayed as if everything is fine. The objective is precisely that, to make the victim believe that the system is protected when in fact it is completely infected.
In XyliBox you can find screenshots and more details about the attack.
Undoubtedly, it is something very ingenious that seeks to keep the computer infected as long as possible, everything happens in a few minutes and is something that affects the best-known antivirus solutions on the market. Some may wonder why antivirus programs do not detect it initially, the problem is that when Trojans are new they are more difficult to detect … security remains in the hands of the user and if cheated, download and install a fake program, anything can happen.
See also: Making a malicious PDF undetectable. Beware of accepting downloads from these bogus players.