Chronodx – A loader and JS banking trojan that runs silently in the background and waits for a Chrome launch. Chrolog – Steals passwords from Google Chrome by exfiltrating the database to the C2 through HTTP. Also capable of capturing a screenshot and displaying it in full screen to hide malicious tasks running in the background. Mtps4 – Connects to the C2 and waits for incoming PascalScripts. Online – Fingerprints the victim and writes a registry key. Chrome extensionsĪvast says they have seen five different malicious Chrome browser extensions installed on victim's devices, including: Finally, all extensions are launched with the proper arguments. 
The final stage is undertaken by instructions.js, which fetches the Chrome extensions and installs them on the victim’s system. The Python loader chain unfolds in memory and involves loading multiple scripts, shellcode, and Delphi DLLs until everything is in place for executing the final payload within a Python process.
Connect to C2 and download 32bit and 64bit _init_.py scripts along with two encrypted payloads. Execute unrar.exe command with the password specified as an argument to unpack python32.rar/python64.rar. Write the path of the newly created extensions folder to HKEY_CURRENT_USER\\Software\\Python\\Config\\Path. Download password-protected archives such as python32.rar/python64.rar and unrar.exe to that extensions folder. Check for Internet connection (using ). Meanwhile, the install.js script performs the following tasks: 
The sched.js script adds persistence by creating a Scheduled Task and a Startup link, and sucesso.js is responsible for reporting the status to the C2. The MSI installer contains three malicious JavaScript files (install.js, sched.js, sucesso.js) that prepare the Python environment for the next stage loader.
0 kommentar(er)
