
System Infected: Trojan.Beginto Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects activity of Trojan.Beginto.

Additional Information

This malware is composed of 3 components:
1. An HTML file
2. The JAR file
3. The DLL file located inside the JAR file.

The HTML file is responsible for loading the malicious JAR file. It also contains BASE64-encoded shell code, which is used by the JAR file.

The JAR file has 2 DLL files located inside the package (main.dll and main64.dll). Both DLL files have an export called Java_Main_inject.

When the JAR file is loaded, it decodes the BASE64-encoded shell code. It then loads the appropriate DLL (main.dll for 32-bit and main64.dll for 64-bit Windows) and calls Java_Main_inject.

The DLL then creates a new notepad.exe process and injects the malicious shell code into it.

The shell code connects to 58.64.178.77 on TCP port 7998 to download additional shell code, which is also injected into the notepad.exe process.
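
As an added example (not Symantec's signature logic and not code from this page), the following Python check triages a JAR for the packaging traits described above: both main.dll and main64.dll present, each containing the Java_Main_inject export name. It assumes the DLLs may sit at any path in the archive and that the export name appears as a plain ASCII string; the function names, the size cap and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Traits taken from the description above.
DLL_NAMES = {"main.dll", "main64.dll"}
EXPORT_NAME = b"Java_Main_inject"
MAX_MEMBER_SIZE = 32 * 1024 * 1024  # assumption: skip oversized members


def triage_jar(data: bytes) -> dict:
    """Report which of the described traits a JAR (ZIP) archive shows."""
    result = {"dlls_found": [], "dlls_with_export": [], "match": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP/JAR container
    with archive:
        for info in archive.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base not in DLL_NAMES or info.file_size > MAX_MEMBER_SIZE:
                continue
            result["dlls_found"].append(base)
            body = archive.read(info)
            # PE images start with "MZ"; export names are stored as ASCII.
            if body.startswith(b"MZ") and EXPORT_NAME in body:
                result["dlls_with_export"].append(base)
    # Flag only when both DLLs are present and both carry the export.
    result["match"] = set(result["dlls_with_export"]) == DLL_NAMES
    return result


def build_sample(dll_names, dll_bytes) -> bytes:
    """Constructed test archive holding inert placeholder bytes, not real DLLs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Main.class", b"\xca\xfe\xba\xbe")
        for name in dll_names:
            archive.writestr(name, dll_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    fake_dll = b"MZ" + b"\x00" * 16 + EXPORT_NAME + b"\x00"
    print(triage_jar(build_sample(["main.dll", "main64.dll"], fake_dll)))
    print(triage_jar(build_sample(["main.dll"], b"MZ" + b"\x00" * 16)))
```

A match is a reason to examine the file further, not a verdict on its own, since legitimate JNI libraries can share these file names.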

Affected

  • Windows