Although clipper malware is not necessarily a new threat, public reporting on it has been limited and has focused on clipper malware found in mobile applications. This report analyses a recently discovered clipper malware targeting Windows, which is used to deliver the Supreme botnet mining client and the Poullight information stealer. .NET and has 28 out of 72 detections in VirusTotal at the time of writing.

When the downloader first starts it retrieves the system time, gets the user's temp folder location, and then makes an outbound HTTP GET request to the domain downloadbtchitme. At the time of analysis this domain was found to originate from an IP address in Moscow. Because the request was unauthenticated and sent over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files.

Figure 1: Malicious files hosted in an open directory listing

As this sub-domain was open and accessible, a further lookup of the root domain revealed the builder page shown below. It includes instructions for contacting the bot operator via Telegram and for selecting additional functions in order to build and download the client component.

Note the references to "NetHitBot" and "BTCHit". This domain was registered on 26 June 2020, which coincides with the dropper PE file's compilation date of 27 June 2020 and suggests that the malware, as well as the infrastructure supporting it, was built very recently.
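The compile-date versus domain-registration correlation used above is a routine triage step; the following is an added example (not the report's own code) that reads the COFF header TimeDateStamp from a PE image and flags a sample whose compile time lies within a few days of its C2 domain registration. The PE bytes are a constructed minimal stub, not the dropper described in the report.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: 'MZ' at offset 0, e_lfanew (uint32) at 0x3C, 'PE\\0\\0' at
    e_lfanew, then the COFF header whose TimeDateStamp is the uint32 at
    e_lfanew + 8 (after Machine and NumberOfSections).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def infra_is_fresh(compile_time: datetime, registered_on: str,
                   max_gap_days: int = 7) -> bool:
    """True when the sample was compiled within max_gap_days of the
    domain's registration date (ISO yyyy-mm-dd, treated as UTC).

    A tight gap suggests purpose-built infrastructure; a compile time
    long before registration suggests a re-used or re-packed binary.
    """
    registered = datetime.fromisoformat(registered_on).replace(tzinfo=timezone.utc)
    return abs(compile_time - registered) <= timedelta(days=max_gap_days)


def build_sample_pe(stamp: int) -> bytes:
    """Constructed stub PE: DOS header with e_lfanew=0x40, PE signature,
    then a 20-byte COFF header carrying the given TimeDateStamp."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, stamp, no symbols, optional hdr size, flags
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # 1593216000 == 2020-06-27T00:00:00Z (constructed to match the report)
    ct = pe_compile_time(build_sample_pe(1593216000))
    print(ct.date(), "fresh infra:", infra_is_fresh(ct, "2020-06-26"))
```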