Last month we looked at how our Service Operations Centre (SOC) team was dealing with potentially unwanted programmes; you can read about that here. A different proposition we often come up against is trojans. From our 5,179 automatic security actions and 988 SOC team interventions this month, we have dealt with our fair share of them.
Note: An automatic security action is when our security tools directly deal with the malicious file by detecting, blocking or quarantining the file. SOC team interventions are when our SOC team manually quarantines the file as it requires deeper human intervention.
As this end-customer subscribes to our Proactive Data Security (PDS) service, they receive real-time threat protection from our SOC team, meaning that when a threat is detected we reach out and advise on the situation. On this call, our agent speaks to an online retailer who sells live-action roleplay supplies and movie prop replicas & collectables. Not only does this merchant come up against a particularly evasive trojan, but they also need to protect themselves from a dangerous registry cleaner.
What is a trojan?
Kaspersky describes a trojan as “A type of malware that is often disguised as legitimate software”. From this definition, you can see how easily a trojan can make its way onto a device. Trojans use an individual’s trust in a name, brand, or product to get themselves onto the computer. Once a trojan is executed it can go about the usual malicious activity of any computer virus: install spyware, open backdoors, and even steal personal information.
As this merchant is part of our PDS service they are currently receiving real-time threat protection. Once a threat is detected they will shortly receive a call from our SOC team, who will advise. Before the agent made the call our software had already performed an automatic security action and quarantined these two files.
Note: To quarantine a file is to place it into a secure location on the device where it has no interaction with any other file or location on the host device. Our software provides its own quarantine location.
On the call, our agent tells the merchant that these files have been quarantined and explains this process. With that being said, we still need to explain the files in question and help the merchant understand why they were a potential risk. The two files we need to explain are Acceclient.exe and SSDPTstub.exe: a trojan disguised as Mozilla Firefox and a programme that promises to act as a full-fledged registry cleaner. The chart below details the two pieces of malware that were dealt with on this call.
Acceclient.exe is an executable file that, when launched, acts and looks like Mozilla Firefox, a reputable internet browser. The issue is that it is not actually Mozilla Firefox.
The programme itself is a browser hijacker disguised as Mozilla Firefox. Browser hijackers are a dangerous annoyance that take over a user’s browsing experience. In this case, the fake version of Mozilla Firefox was made the user’s default browser. Browser hijacking can be implemented in other ways too, such as replacing the home, search, or error pages and placing unwanted advertisements throughout the user’s session. A combination of these is commonplace too.
What this means for our merchant is that whenever a webpage is opened it is redirected to the fake Mozilla Firefox browser. While the user is on this seemingly safe and trusted browser, the hijacker will have placed malicious code that could lead to unwanted advertisements or spyware.
Note: Spyware can be used to spy on a user’s activity on a device. This form of monitoring can lead to information being stolen or a user being blackmailed for the return of information e.g., credit card details.
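One way a SOC analyst can check an affected Windows machine for exactly this kind of hijack is to resolve which executable Windows will actually launch for http:// and https:// links and confirm it is a signed Firefox binary in a normal install location. This is an added example, not code from the original post; it assumes the current user's handler is recorded under the UrlAssociations\UserChoice key, that a genuine Firefox install registers a FirefoxURL-style ProgId, and that firefox.exe is Authenticode-signed by Mozilla Corporation.

```powershell
function Test-DefaultBrowser {
    param([string[]]$Schemes = @('http', 'https'))

    foreach ($scheme in $Schemes) {
        # Per-user default handler for the URL scheme (what Explorer consults for links).
        $assoc = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$scheme\UserChoice"
        $progId = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).ProgId
        if (-not $progId) { Write-Warning "$scheme`: no per-user handler registered"; continue }

        # Resolve the ProgId to the command line Windows runs when a link is opened.
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $cmd) { Write-Warning "$scheme`: ProgId $progId has no open command"; continue }

        # Pull the executable path out of the command line (quoted or bare form).
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }

        # A hijacker typically lives under the user profile, not Program Files.
        $inProgramFiles = ($exe -like "$env:ProgramFiles\*") -or ($exe -like "${env:ProgramFiles(x86)}\*")

        # Authenticode check: a real firefox.exe is signed by Mozilla Corporation (assumption).
        $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
        $signedByMozilla = ($sig.Status -eq 'Valid') -and ($publisher -like '*Mozilla Corporation*')

        [pscustomobject]@{
            Scheme         = $scheme
            ProgId         = $progId
            Executable     = $exe
            InProgramFiles = $inProgramFiles
            SignatureState = $sig.Status
            Publisher      = $publisher
            # Only true when the handler claims to be Firefox and everything checks out.
            LooksGenuine   = ($progId -like 'FirefoxURL*') -and $inProgramFiles -and $signedByMozilla
        }
    }
}

Test-DefaultBrowser | Format-Table -AutoSize
```

A row whose ProgId claims to be Firefox but whose executable is unsigned or sits under the user profile is the pattern worth escalating; the same checks apply to any browser by changing the ProgId prefix and publisher name.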
SSDPTstub.exe is an executable file that downloads alongside RegClean Pro, a free registry cleaner.
A registry cleaner is a piece of software that promises to clean up the user’s Windows registry. What your Windows registry does is store low-level settings for the operating system. These low-level settings can allow a user to change how the computer behaves. For example, by changing some of these settings a user could display a custom message when the computer turns on or even hide files and programmes from the desktop, downloads, or any other location on the device.
As registry cleaners are supposed to clean up your Windows registry, they go through these settings and give you the option to remove anything they deem unnecessary. On the surface, this can seem like an extremely useful tool. The problem is that using a registry cleaner without knowing what you are doing, or which entries it suggests removing, can have long-lasting effects on the device. The most serious of these can be something as big as Windows no longer booting.
As with most infected devices, it usually starts with someone trying to solve a problem. In this instance, the end customer had been experiencing a slow computer and decided to try a registry cleaner to clear out some clutter. Unfortunately, RegClean Pro contained SSDPTstub.exe, an executable file that carries a piece of malware called a keyboard sniffer or keylogger.
Note: A keylogger is a piece of software often used by hackers to record the keystrokes of a user. This can be useful for them to record passwords and other sensitive information belonging to the user.
The keylogger could be used to gain access to the registry cleaner it is attached to. How would it do this? With a keylogger active, it tracks the strokes (input) on the keyboard, meaning everything the end-user types is recorded and reported back to the hacker, making it easy for them to determine when passwords are being entered. With this access a hacker can launch a backdoor attack, meaning they can get into the system without needing passwords or any other form of authentication.
What’s the cost?
If these pieces of malware had gone undetected this merchant would have been continuously redirected to the fake Mozilla Firefox, leaving them vulnerable to adware and spyware. Without a functioning anti-virus, files like this hook onto a device and can be extremely difficult to remove. Removing them completely may require hiring an external third party or purchasing a premium anti-virus.
If the merchant had continued using the vulnerable registry cleaner this could have been extremely damaging. Any changes made by the hacker would have certainly required assistance from an external third party, at a cost. Unfortunately, what users usually do in situations like these is discard the device completely, losing important files and documents for the business. This can also cause a financial cost in terms of purchasing a new device.
Both pieces of malware would have almost certainly led to sensitive information, such as usernames, passwords, credit card details, and email addresses being stolen and sold on the dark web.
A key aspect of the calls our SOC team have with merchants is advising them on how to avoid these types of programmes going forward.
In terms of Acceclient.exe, it was advised to only download programmes from their official websites. In this case, if the merchant wanted to use Mozilla Firefox the browser should only be downloaded from their official website.
Registry cleaners, on the other hand, are a little different. A secure and trusted registry cleaner should only be operated by a user who has experience adjusting the device’s Windows registry. Here we advised that if a registry cleaner was needed it should always be used by someone with the relevant IT knowledge.
Before our call took place the merchant was infected with multiple pieces of malware, vulnerable to keylogging and browser hijacking. They also had an extremely vulnerable registry cleaner active on their device. With our intervention, we have limited the chances of a backdoor attack occurring and made the merchant’s web browsing experience much safer!
Action Taken by SOC
The merchant had been infected with two files that appeared to be legitimate, trustworthy programmes (trojans). As these appeared to be legitimate, the merchant may have been interacting with them on a frequent basis.
These files were automatically quarantined by our endpoint software, allowing our SOC agent to study and assess the threat.
On the call we advised of the threats, explained the process of removing them from the device and instructed the merchant on how to avoid these situations in the future.
After our call the merchant was operating on a more secure device, with the pieces of malware removed.
Going forward the merchant now understands the dangers of downloading software from unofficial sources.
These pieces of malware are just a small percentage of the 2,623 unique pieces of malware our security tools and SOC team have successfully identified this month. On top of this, another 942 merchants have decided to opt into the excellent real-time virus protection service we offer.
Missed our last look at the work of the SOC team? Check it out here.