
Trojan Program Once Again Spreads Cloud-Controlled Malicious Module via Game Download Sites

Source: CnBeta | Published: 2020/7/9 22:55:44 | Reads: 86

Recently, Huorong (火绒) engineers found that the Trojan program "Commander" is once again spreading widely with the help of the Gamersky (游民星空) and Ali213 (游侠网) download stations. Users who download and run the "high-speed downloader" offered by these download stations are infected with the Trojan. The latest version of Huorong already intercepts and removes the Trojan program and the malicious modules it pushes.


The downloader silently installs rogue software such as "Efficient Screenshot" and "Fengyun PDF Reader" without creating shortcuts in the Start menu, on the desktop or elsewhere, so users cannot easily discover that the software is present. The Commander Trojan carried by this software then pushes pop-up advertising and other malicious modules.

It is worth noting that as early as March this year, Huorong intercepted and disclosed this Trojan program, which was then spreading through the downloader of the 2345 download station (see the report "Unrestrained Rogue Promotion: 2345's Download Station Is Spreading a Trojan Program").

Viruses spreading through download stations have never stopped. Huorong has repeatedly reported and disclosed download-station security issues, and has even added a feature that intercepts download-station downloaders to help users avoid the risk. Huorong engineers remind users to download software only through official websites and other legitimate channels, and to be cautious about using download stations and other third-party downloaders.

Attached: [analysis report]

1. Detailed analysis

Recently, Huorong found the Commander malicious program spreading again over a wide area. This time, the rogue software that delivers Commander includes Efficient Screenshot and Fengyun PDF Reader. Like the rogue software we exposed previously, both programs are installed silently and create no startup shortcut in the Start menu, on the desktop or in other locations, which makes it difficult for users to notice that they exist. By tracing the source, we found that this rogue software is promoted through the Gamersky (hxxp://down.gamersky.com) and Ali213 (hxxp://down.ali213.net) download stations. The propagation and execution process of the malicious behavior is shown below:

Flowchart

Even more interesting, the downloader files used by the Gamersky and Ali213 download stations have exactly the same hash value. The downloader file information is shown below:

Downloader file information

Downloader interface

Downloader interface

As shown above, the downloader interface induces users to click the "Recommended Installation" button, and there is no checkbox to opt out of the bundled software. After the button is clicked, in addition to the software shown above, more rogue software such as Fengyun PDF Reader and Efficient Screenshot is silently promoted and installed. Part of the downloader's promotion configuration is shown below:

Some configuration information of promotion software

This time, the Commander malicious program is delivered mainly through the installation packages of Fengyun PDF Reader and Efficient Screenshot. After this rogue software is installed, no startup shortcut is created in the Start menu, on the desktop or elsewhere, which makes it difficult for users to discover that the software exists. The file information of the rogue software is shown in the following figure:

Efficient screenshot software installation package file information

Fengyun PDF reader installation package file information

The Commander malicious programs dropped this time have essentially the same rogue promotion functionality described in the previous Huorong report: they are pushed an advertising pop-up module to execute, and the Commander program itself can be updated in real time through cloud control. The malicious cloud-control configuration is shown below:

Promotion strategy of advertisement pop-up window

Taking Fengyun PDF Reader as an example, a comparison with the data of the Commander module is shown in the following figure:

Homologous module data

The advertising pop-up content pushed by Fengyun PDF Reader and Efficient Screenshot (content likely to cause discomfort has been filtered) is shown in the following figures:

Advertisement pop-up window


Advertisement pop-up window

2. Appendix

Virus hash
