Dr. Web, a Russian antivirus firm, has recently discovered a new Trojan downloader. The malware uses a pop-up Windows ‘Save As’ dialog box to install malicious payloads, all of which have so far been adware.
The malware, dubbed “Trojan.Ticno.1537”, installs a variety of adware together with a malicious extension for Google Chrome. According to Dr. Web, the Ticno Trojan is downloaded by a separate piece of malware and is then packaged in a single installation file with legitimate software. Examples of legitimate software that has been bundled with the Trojan in attacks known to date include the Amigo web browser and Tray Calendar.
It is thought that the package forms part of an affiliate program which pays for software downloads. The individual responsible for the campaign may be profiting from both the software that is installed and the ads displayed.
Should the user click Save when the ‘Save As’ dialog box is displayed, the Trojan is downloaded and run. First, the Trojan evaluates the environment it has been installed in to verify that it is not running inside a virtual machine. It then checks whether Python or Perl is installed on the device, and looks for a number of other debugging programs, folders, files and Windows processes.
If these checks find no sign of an analysis environment (that is, the malware judges detection to be improbable), the file 1.zip is saved to the device’s desktop and adware is subsequently downloaded. If any of the checks succeeds in detecting such an environment, the Trojan launches Explorer and terminates its own process. Although the ‘Save As’ box indicates that a single file is being downloaded, a greyed-out link is visible in the lower left-hand corner of the dialog box. By clicking on this link the user can see all of the adware and software that is to be installed as part of the bundle.
Furthermore, the malware installs a malicious Google Chrome extension, Trojan.ChromePatch.1, and infects Chrome’s resources.pak file.
The malicious Chrome extension continues to serve unwanted adverts even when the Ticno Trojan has been deleted from the device.
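Because the Chrome component persists by modifying resources.pak and drops 1.zip on the desktop, a defender can look for exactly those two indicators. The script below is an added example, not Dr. Web’s or Symantec’s code: it records a SHA-256 baseline of resources.pak, reports whether the file has been modified or is missing since the baseline was taken, and lists any dropped file names found in a directory. The Chrome install path pattern and the `demo()` function with its constructed sample files are assumptions for illustration.

```python
"""Added example (not from the original report): baseline integrity check for
Chrome's resources.pak plus a lookup for the dropped file 1.zip."""
import glob
import hashlib
import os
import tempfile

# Assumed typical Chrome install locations on Windows; adjust for your estate.
CHROME_PAK_GLOBS = [
    r"C:\Program Files\Google\Chrome\Application\*\resources.pak",
    r"C:\Program Files (x86)\Google\Chrome\Application\*\resources.pak",
]

# File name the report says Ticno drops on the desktop.
DROPPED_FILE_NAMES = ("1.zip",)


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_chrome_paks(patterns=CHROME_PAK_GLOBS):
    """Expand the install-path patterns into concrete resources.pak paths."""
    found = []
    for pattern in patterns:
        found.extend(glob.glob(pattern))
    return sorted(found)


def record_baseline(paths):
    """Take a known-good snapshot: path -> SHA-256 hex digest."""
    return {path: sha256_file(path) for path in paths}


def check_baseline(baseline):
    """Compare current files against the snapshot.

    Returns path -> 'ok' | 'modified' | 'missing'. A 'modified' resources.pak on
    a host that has not had a Chrome update is worth investigating.
    """
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "missing"
        elif sha256_file(path) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def find_dropped_files(directory, names=DROPPED_FILE_NAMES):
    """Return full paths of any indicator file names present in directory."""
    hits = []
    for name in names:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def demo():
    """Run the checks against constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as workdir:
        pak = os.path.join(workdir, "resources.pak")
        with open(pak, "wb") as handle:
            handle.write(b"constructed stand-in for resources.pak contents")
        baseline = record_baseline([pak])
        before = check_baseline(baseline)[pak]

        # Simulate the file being altered after the baseline was taken.
        with open(pak, "ab") as handle:
            handle.write(b" (altered)")
        after = check_baseline(baseline)[pak]

        desktop = os.path.join(workdir, "Desktop")
        os.makedirs(desktop)
        open(os.path.join(desktop, "1.zip"), "wb").close()
        dropped = [os.path.basename(p) for p in find_dropped_files(desktop)]

        return {"before": before, "after": after, "dropped": dropped}


if __name__ == "__main__":
    print(demo())
    for path, status in check_baseline(record_baseline(find_chrome_paks())).items():
        print(status, path)
```

In practice the baseline should be taken from a clean install (or recorded immediately after each Chrome update) and stored somewhere the user cannot write, otherwise the malware could simply re-baseline after patching the file.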
Dr. Web and Symantec have now taken action to block the Ticno Trojan; however, users should remain alert to the risk posed by downloaders like this one.