Chinese hacker group deploys new variant of the Yahoyah Trojan


Cybersecurity researchers at Check Point have discovered a new campaign attributed to the Chinese hacker group Tropic Trooper. The campaign uses a new loader, named Nimbda, and a new variant of the Yahoyah Trojan (rendered as "Yahoo" in some translations of the report).

The Trojan is delivered through a trojanized build of the SMS Bomber tool. Infection begins when the victim downloads a malicious copy of SMS Bomber that carries additional code, which the malware injects into a notepad.exe process. The downloaded executable is in fact the Nimbda loader: it uses the SMS Bomber icon and carries the genuine SMS Bomber as an embedded executable, so the user still gets the tool they were looking for.

In the background, the loader injects shellcode into notepad.exe. That shellcode contacts a GitHub repository, downloads a file hosted there, decodes the payload out of it and runs the result inside a dllhost.exe process. The file on GitHub is a JPG image: the final payload is hidden inside it using steganography, so the download does not look like an executable.

The payload is a new variant of Yahoyah, which collects information about the host and sends it to the C2 server. The information collected by the Trojan includes the following:

  • the SSID of the wireless network nearest to the victim's device;
  • the computer name;
  • the MAC address;
  • the OS version;
  • information about installed antivirus software;
  • whether WeChat and Tencent files are present on the machine.
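The article does not say how the loader hides the executable inside the JPG it fetches from GitHub. One common way, assumed here for illustration, is simply to append the payload after the image's EOI marker (0xFFD9), which a viewer ignores. The triage script below is an added example, not code from Check Point or from the malware: it walks the JPEG segment structure to locate the real EOI and returns whatever follows it, and it shows why the usual shortcut (cut after the last 0xFFD9 in the file) fails when the hidden payload itself contains that byte pair. The sample image, the `HIDDEN` blob and all function names are constructed for the example.

```python
import struct

# Marker bytes we care about. Markers 0x01 (TEM), 0xD8 (SOI), 0xD9 (EOI) and
# 0xD0-0xD7 (RSTn) carry no length field; every other marker is followed by a
# big-endian 16-bit length that includes the two length bytes themselves.
EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))
STANDALONE = {0x01, 0xD8, 0xD9} | RST


def find_eoi(data: bytes) -> int:
    """Offset of the structural EOI marker, found by walking the segment chain
    rather than searching for the byte pair 0xFFD9, so that an 0xFFD9 that
    happens to occur inside appended data is not mistaken for the end of image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                  # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows SOS: skip forward until a marker that
            # is neither a stuffed 0xFF00 nor a restart marker (0xFFD0-0xFFD7).
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def extract_trailer(data: bytes) -> bytes:
    """Bytes appended after the structural EOI; an untampered image yields b""."""
    return data[find_eoi(data) + 2:]


def naive_trailer(data: bytes) -> bytes:
    """The shortcut many one-liners use: cut after the *last* 0xFFD9. It silently
    truncates any payload that itself contains 0xFFD9, which is why the walker
    above exists."""
    return data[data.rfind(b"\xff\xd9") + 2:]


def classify_trailer(blob: bytes) -> str:
    """Cheap first look at what was appended. An encoded or encrypted payload
    (as the article describes) will come back as 'unknown' and needs decoding."""
    if not blob:
        return "clean"
    if blob[:2] == b"MZ":
        return "pe"
    return "unknown"


def build_sample_jpeg(payload: bytes) -> bytes:
    """Constructed minimal JPEG for testing: SOI, an APP0/JFIF segment, an SOS
    segment followed by a few bytes of fake entropy data (including a stuffed
    0xFF00), EOI, and then the appended payload. It is not a decodable picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0_seg = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos_seg = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"   # one component, length 8
    entropy = b"\x12\x34\xff\x00\x56\x78"
    return b"\xff\xd8" + app0_seg + sos_seg + entropy + b"\xff\xd9" + payload


# Constructed stand-in for a hidden executable: it starts with an MZ header and
# deliberately contains the byte pair 0xFFD9 to show the naive approach failing.
HIDDEN = b"MZ\x90\x00\xff\xd9rest-of-payload"


if __name__ == "__main__":
    sample = build_sample_jpeg(HIDDEN)
    print("walker :", classify_trailer(extract_trailer(sample)), extract_trailer(sample))
    print("naive  :", naive_trailer(sample))
    print("clean  :", classify_trailer(extract_trailer(build_sample_jpeg(b""))))
```

On the constructed sample the walker returns the whole `HIDDEN` blob and classifies it as a PE, while `naive_trailer` returns only the bytes after the 0xFFD9 inside the payload. Run the same `extract_trailer` over any JPG pulled from a suspicious repository; a non-empty trailer is worth a closer look even when it is not a raw MZ file, since the loader in this campaign decodes the payload before executing it.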

Moreover, Yahoyah's encryption is a custom implementation of AES: the cipher's round sequence is run in reverse order (the decryption-direction rounds are used for encryption), and this inverted cipher is then applied twice. The construction has no cryptographic benefit; its purpose is to break tooling and signatures keyed to textbook AES and to slow down analysts, who must reproduce the same inverted, doubled sequence to decrypt the Trojan's traffic.
