The new spam campaign contains a .zip file as an attachment. The contents of the email are carefully crafted to lure victims using social engineering techniques. The spam email may look like this:<\/p>\n
![\"1\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg\")
<\/p>\n
The attackers also send fake emails appearing as WhatsApp content to maximize their\u00a0outreach.<\/p>\n
![\"2\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2-3.png\")
<\/p>\n
When an\u00a0unsuspecting user clicks on the autoplay button, the malware\u00a0will automatically download from a\u00a0compromised website and execute.\u00a0Upon execution it shows an error message to make the victim believe that the file cannot run, but in the background it is busy.<\/p>\n
![\"3\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/3-3.png\")
<\/p>\n
<\/p>\n
Nivdort acts in three cycles.<\/p>\n
First cycle<\/strong><\/h2>\nIn the first cycle, the malware deobfuscates the packed content, encrypted strings, Windows registry, and API. To decrypt the content, it generates a decryption table from a single DWORD, which will decrypt other contents. The code flow follows:<\/p>\n
![\"4\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4-3.png\")
<\/p>\n
This decryption table will decrypt strings such as\u00a0dropped filename, run registry entry, service entry etc., as shown below:<\/p>\n
![\"5\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/5-4.png\")
<\/p>\n
Second cycle<\/strong><\/p>\nIn the second cycle, the malware\u00a0first copies itself with the name as decrypted in the first cycle and then creates a service entry, as shown below:<\/p>\n
![\"6\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/6-3.png\")
<\/p>\n
The malware can also disable the infected user\u2019s firewall notifications from the Windows Security Center with the following registry modification:<\/p>\n
Adds value: “FirewallDisableNotify”<\/em><\/p>\nWith data: “1” <\/em><\/p>\nTo subkey: HKLM\\SOFTWARE\\Microsoft\\Security Center<\/em><\/p>\nThe malware next\u00a0creates an autostart registry entry to make sure its copy will be executed upon rebooting:<\/p>\n
![\"7\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/7-2.png\")
<\/p>\n
<\/p>\n
Third cycle<\/strong><\/p>\nThe third cycle collects information such as computer name, IP address, and software and hardware configuration. It can also exfiltrate a victim\u2019s login credentials and credit card data by recording the keystrokes, and can receive further instructions from the attacker:<\/p>\n
![\"17\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/17-1.png\")
<\/p>\n
![\"9\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/9-2.png\")
<\/p>\n
It also connects to compromised websites such as\u00a0prettyguard.net and buildingsuccess.net, which are being used by the malware for running ad campaigns. The code snippet below shows this:<\/p>\n
![\"10\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/10-2.png\")
<\/p>\n
![\"11\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/11-2.png\")
<\/p>\n
These domain names are generated randomly as\u00a0a combination of two strings, such as\u00a0building + success [.] net, pretty + guard [.] net, from an array of strings decrypted in the first cycle. The array may look like:<\/p>\n
![\"12\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/12-1.jpg\")
<\/p>\n
When we tried to visit these domains, we\u00a0were redirected to other malware-hosting websites. In this case, cigarettepresident.net redirected to sso.anbtr.com. These websites are flagged by Google Chrome and VirusTotal:<\/p>\n
![\"13\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/13-2.png\")
<\/p>\n
![\"14\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/14-2.png\")
<\/p>\n
McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this infostealer trojan as Trojan-FHSQ![Partial hash], Trojan-FHSI![Partial hash], and Trojan-FHSA![Partial hash] with DAT Versions 8065 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"
During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,180],"coauthors":[3973],"class_list":["post-47626","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-malware"],"acf":[],"yoast_head":"\n
Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog<\/title>\n<meta name=\"description\" content=\"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-02-18T18:21:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T02:43:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"780\" \/>\n\t<meta property=\"og:image:height\" content=\"609\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Nivdort: Data-Stealing Trojan Arrives via Spam\",\"datePublished\":\"2016-02-18T18:21:58+00:00\",\"dateModified\":\"2025-06-04T02:43:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\"},\"wordCount\":479,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg\",\"keywords\":[\"computer security\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\",\"name\":\"Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg\",\"datePublished\":\"2016-02-18T18:21:58+00:00\",\"dateModified\":\"2025-06-04T02:43:46+00:00\",\"description\":\"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Nivdort: Data-Stealing Trojan Arrives via Spam\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog","description":"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog","og_description":"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-02-18T18:21:58+00:00","article_modified_time":"2025-06-04T02:43:46+00:00","og_image":[{"width":780,"height":609,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-1.jpg","type":"image\/jpeg"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Nivdort: Data-Stealing Trojan Arrives via Spam","datePublished":"2016-02-18T18:21:58+00:00","dateModified":"2025-06-04T02:43:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/"},"wordCount":479,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg","keywords":["computer security","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/","name":"Nivdort: Data-Stealing Trojan Arrives via Spam | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg","datePublished":"2016-02-18T18:21:58+00:00","dateModified":"2025-06-04T02:43:46+00:00","description":"During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-1.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/nivdort-data-stealing-trojan-arrives-via-spam\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Nivdort: Data-Stealing Trojan Arrives via Spam"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/47626","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=47626"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/47626\/revisions"}],"predecessor-version":[{"id":215022,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/47626\/revisions\/215022"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=47626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=47626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=47626"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=47626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/p>\n<\/p>\nIn the second cycle, the malware\u00a0first copies itself with the name as decrypted in the first cycle and then creates a service entry, as shown below:<\/p>\n
<\/p>\n
The malware can also disable the infected user\u2019s firewall notifications from the Windows Security Center with the following registry modification:<\/p>\n
Adds value: “FirewallDisableNotify”<\/em><\/p>\n With data: “1” <\/em><\/p>\n To subkey: HKLM\\SOFTWARE\\Microsoft\\Security Center<\/em><\/p>\n The malware next\u00a0creates an autostart registry entry to make sure its copy will be executed upon rebooting:<\/p>\n <\/p>\n Third cycle<\/strong><\/p>\n The third cycle collects information such as computer name, IP address, and software and hardware configuration. It can also exfiltrate a victim\u2019s login credentials and credit card data by recording the keystrokes, and can receive further instructions from the attacker:<\/p>\n It also connects to compromised websites such as\u00a0prettyguard.net and buildingsuccess.net, which are being used by the malware for running ad campaigns. The code snippet below shows this:<\/p>\n These domain names are generated randomly as\u00a0a combination of two strings, such as\u00a0building + success [.] net, pretty + guard [.] net, from an array of strings decrypted in the first cycle. The array may look like:<\/p>\n When we tried to visit these domains, we\u00a0were redirected to other malware-hosting websites. In this case, cigarettepresident.net redirected to sso.anbtr.com. These websites are flagged by Google Chrome and VirusTotal:<\/p>\n McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this infostealer trojan as Trojan-FHSQ![Partial hash], Trojan-FHSI![Partial hash], and Trojan-FHSA![Partial hash] with DAT Versions 8065 and later.<\/p>\n","protected":false},"excerpt":{"rendered":" During the past\u00a0couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,180],"coauthors":[3973],"class_list":["post-47626","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-malware"],"acf":[],"yoast_head":"\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n