McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums.
We have analyzed the new version of the tool, which adds several new functions:
- PDF downloader
- Password generator
- Security tips
The user has several options when creating a PDF downloader, though all of these options create very similar PDF files.
Upon opening the file with our FileInsight tool, we can clearly see the PDF using the OpenAction function to invoke PowerShell, which will download and execute a file.
A strange addition to the toolkit is a password-generating component.
This will create a randomly generated string to be used as a password for any account. Users can save this password on their machines. Upon clicking the button, a text file is created that contains a clear-text unencrypted copy of the password.
This is not very secure.
The oddest addition to Trillium is the inclusion of several security tips to help users avoid malware infections. We find this ironic because the purpose of the software is to breach the security of user environments.
There are various tips on antiphishing, downloading, uninstalling vulnerable software, and password use.
We have seen this toolkit used in the wild to target a bank in the Asia-Pacific region. The email used in that campaign carries a malicious PowerPoint attachment.
The attachment is a .PPSX file, a PowerPoint Show file that opens the application directly in slideshow mode. This trick has been used many times to mask what is happening in the background.
The .PPSX file contains an embedded VBS.Downloader Trojan created using the Trillium 4.0 toolkit. PowerPoint can execute embedded OLE objects; the attacker takes advantage of this by defining a custom action that runs the embedded VBS.Downloader when the slide is opened.
The VBS file downloads a password-stealing Trojan that targets the following software:
The password stealer has keylogging functionality and writes a log file, named by date in the format DD-MM-YYYY, to the %APPDATA%\LOGS folder. The malware obfuscates each byte of these log files by XORing it with 0x9D and then adding 0x24. To decrypt them, we reverse the algorithm: subtract 0x24 from each byte and then XOR the result with 0x9D.
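As an added example (not McAfee's code), the following Python script decodes keylogger logs obfuscated as described above; the date-named sample file and its contents are constructed, and the byte order (XOR 0x9D, then add 0x24 with 8-bit wraparound) follows the description.

```python
import re
import sys
from pathlib import Path
from typing import Dict

XOR_KEY = 0x9D
ADD_KEY = 0x24
# Log files are named by date, DD-MM-YYYY, in the victim's %APPDATA%\LOGS folder.
LOG_NAME = re.compile(r"^\d{2}-\d{2}-\d{4}$")

def encode_log(plain: bytes) -> bytes:
    # The malware's scheme as described: XOR each byte with 0x9D, then add 0x24 (wrapping at 8 bits).
    return bytes(((b ^ XOR_KEY) + ADD_KEY) & 0xFF for b in plain)

def decode_log(enc: bytes) -> bytes:
    # Reverse the two steps in the opposite order: subtract 0x24 (mod 256), then XOR with 0x9D.
    return bytes(((b - ADD_KEY) & 0xFF) ^ XOR_KEY for b in enc)

def looks_decoded(data: bytes, threshold: float = 0.9) -> bool:
    # Sanity check for the analyst: a correctly decoded keystroke log is mostly printable ASCII.
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold

def decode_log_files(files: Dict[str, bytes]) -> Dict[str, bytes]:
    # Decode only the date-named files and drop anything whose plaintext does not look like a log.
    out = {}
    for name, enc in files.items():
        if LOG_NAME.match(name):
            plain = decode_log(enc)
            if looks_decoded(plain):
                out[name] = plain
    return out

# Constructed sample keystroke log (not real captured data), encoded with the scheme above.
SAMPLE_LOG = b"[12:01:03] user@example.com\thunter2\r\n"
SAMPLE_FILES = {"14-06-2017": encode_log(SAMPLE_LOG), "readme.txt": b"not a log"}

if __name__ == "__main__":
    # Usage: python decode_logs.py <copy of the LOGS folder>; without an argument, the sample is used.
    if len(sys.argv) > 1:
        folder = Path(sys.argv[1])
        files = {p.name: p.read_bytes() for p in folder.iterdir() if p.is_file()}
    else:
        files = SAMPLE_FILES
    for name, plain in decode_log_files(files).items():
        print(f"== {name} ==")
        print(plain.decode("ascii", errors="replace"))
```

Note the wraparound case: the byte 0x41 ('A') encodes to 0x00, so the decoder must subtract modulo 256 rather than assume the sum never exceeded 0xFF.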
The malware attempts to contact the following servers:
McAfee has the following signatures for the Trillium malware:
We recommend that our customers read our post on best practices. The advice should help mitigate some of the infections caused by malware created with this toolkit.