A never-before-seen credential-stealing Trojan has been uncovered, found to be backdooring machines and exfiltrating large amounts of information.
Written in the Delphi programming language (should we call it the Oracle at Delphi?), the Trojan.sysscan malware is being used by a single source as the payload for attacks that repeatedly brute-force RDP credentials, according to GuardiCore.
The malware has extensive capabilities to search and extract cookies and other credentials containing authentication details such as usernames and passwords. It appears to be targeted at banking, gambling and tax websites, and can scavenge information saved by Point of Sale (PoS) software. It also can run on every Windows version from XP through Server 2012 R2, the firm said.
“It was one of those warm summer nights, no clouds, just a bright full moon lighting the way,” said GuardiCore researcher Daniel Goldberg, setting the scene in a blog. “Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she reached her real target. Something about this attack was different, though.”
The use of Delphi, not a popular language, gives the coders versatile frameworks that simplify their code; it lets them use third-party libraries that handle many tasks for them, such as communication, computer scanning and metadata extraction. That has paved the way for broader functionality: unlike other Trojans that have a single specific goal, such as currency mining, this one does many things.
To collect the credentials, the malware exhaustively scans the entire C: drive of the victim and the registry, searching for cookie files, SQLite databases and registry keys that match an internal database. Once found, the data is copied and exfiltrated. If the victim does not keep personal data on the drive, the malware won’t find it.
“In none of the attacks did we observe this Trojan being dropped using an exploit, nor have we seen it packaged with any known droppers,” Goldberg noted. “This means that at this stage, prevention involves the use of strong password authentication to prevent brute-force attacks.”
So far, Trojan.sysscan is undetected as malicious software by the vast majority of antivirus engines.
Goldberg warned, “Detection of this malware requires modern security software built for defense in depth, assuming a breach, detecting and mitigating it, for example one that can detect the search and exfiltration of sensitive data.”
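Since the only delivery vector observed was RDP brute-forcing, one practical "assume breach" check is to watch the Windows Security log for bursts of failed RDP logons followed by a success from the same source. The following is an added example, not GuardiCore's code or anything from the report; the event layout (ISO timestamp, event ID, logon type, source IP, account) and the sample events are constructed, while the event IDs are the standard ones (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive/RDP).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, simplified from Windows Security log fields:
# (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2016-08-20T02:14:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-08-20T02:14:03", 4625, 10, "203.0.113.7", "admin"),
    ("2016-08-20T02:14:05", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-08-20T02:14:07", 4625, 10, "203.0.113.7", "sa"),
    ("2016-08-20T02:14:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-08-20T02:14:11", 4625, 10, "203.0.113.7", "administrator"),
    ("2016-08-20T02:14:30", 4624, 10, "203.0.113.7", "administrator"),
    # A user mistyping a password twice should not trigger an alert.
    ("2016-08-20T02:15:00", 4625, 10, "198.51.100.4", "jsmith"),
    ("2016-08-20T02:15:20", 4625, 10, "198.51.100.4", "jsmith"),
    ("2016-08-20T02:15:40", 4624, 10, "198.51.100.4", "jsmith"),
    # Logon type 3 (network) is not RDP and is ignored here.
    ("2016-08-20T02:16:00", 4625, 3, "203.0.113.9", "backup"),
]

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5           # failures per source inside the window
WINDOW = timedelta(minutes=2)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (source_ip, alert_kind, timestamp, account).

    'bruteforce' fires once per source when `threshold` RDP failures
    land inside `window`; 'success_after_bruteforce' fires on any later
    successful RDP logon from a source already flagged.
    """
    recent_fails = defaultdict(deque)   # source_ip -> timestamps of 4625s
    flagged = set()
    alerts = []
    for ts_str, event_id, logon_type, src, account in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        window_fails = recent_fails[src]
        while window_fails and ts - window_fails[0] > window:
            window_fails.popleft()     # drop failures older than the window
        if event_id == 4625:
            window_fails.append(ts)
            if len(window_fails) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "bruteforce", ts_str, account))
        elif event_id == 4624 and src in flagged:
            alerts.append((src, "success_after_bruteforce", ts_str, account))
    return alerts
```

The second alert kind is the one worth paging on: a success from a source that was just brute-forcing is the moment the payload described above would be dropped.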