Troystealer malware: What it is, how it works and how to prevent it | Malware spotlight

We are living in an era where malware is part of our daily lives. New campaigns keep appearing, each more sophisticated and harder to detect than the last. Malware can reveal itself through different abnormal behaviors, including a wave of unwanted ads flooding your screen, the system crashing, freezing or repeatedly showing a BSOD (blue screen), loss of disk space, an unexplained increase in the system's internet activity, and so on.

In this case, the Troystealer malware executes several tasks. It infects new devices and degrades the computer's performance: CPU usage climbs steeply. This happens because the malware collects sensitive data from several sources, such as passwords saved in web browser databases and configuration files of specific targeted software, tasks that require heavy processing.


Figure 1 shows the described scenario: Troystealer executing on the infected device as Systemlanager (32 bit).exe.

Figure 1: Troystealer malware using a high CPU rate during its execution (collecting data from disk)
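As an added example (not code from the original post), here is a small triage heuristic in Python that flags a process combining the two behaviours described above, sustained high CPU and reads of browser credential stores. The telemetry records, process names and thresholds are constructed for illustration; the credential file names are the real Chromium and Firefox ones.

```python
"""Triage heuristic for the behaviour described in the post: a process that
keeps the CPU busy while reading browser password databases. All telemetry
below is constructed sample data, not captured from a real infection."""
from dataclasses import dataclass, field

# Browser credential stores (Chromium "Login Data", Firefox logins.json/key4.db).
BROWSER_CREDENTIAL_FILES = ("login data", "logins.json", "key4.db")

# Thresholds are assumptions for this example, not values from the post.
CPU_THRESHOLD = 80.0      # percent
MIN_SAMPLES = 3           # consecutive readings above the threshold


@dataclass
class ProcessTelemetry:
    pid: int
    image: str
    cpu_samples: list[float]                       # successive CPU % readings
    files_read: list[str] = field(default_factory=list)


def sustained_high_cpu(samples, threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """True if at least `min_samples` consecutive readings reach `threshold`."""
    run = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        if run >= min_samples:
            return True
    return False


def touches_credential_store(paths):
    """True if any read path ends with a known browser credential file."""
    return any(p.replace("\\", "/").lower().endswith(BROWSER_CREDENTIAL_FILES) for p in paths)


def triage(records):
    """Return (pid, image, reasons) for processes showing BOTH signals.
    A browser legitimately reads its own Login Data and a compiler legitimately
    burns CPU, so either signal alone is a weak indicator."""
    hits = []
    for r in records:
        reasons = []
        if sustained_high_cpu(r.cpu_samples):
            reasons.append("sustained high CPU")
        if touches_credential_store(r.files_read):
            reasons.append("reads browser credential store")
        if len(reasons) == 2:
            hits.append((r.pid, r.image, reasons))
    return hits


# Constructed telemetry: a build job, a browser, and a process modelled on the
# post's "Systemlanager (32 bit).exe" (paths are invented sample values).
SAMPLE = [
    ProcessTelemetry(1201, "cl.exe", [95.0, 97.0, 96.0, 94.0], ["C:\\src\\main.cpp"]),
    ProcessTelemetry(2210, "chrome.exe", [12.0, 8.0, 15.0],
                     ["C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"]),
    ProcessTelemetry(3342, "Systemlanager (32 bit).exe", [88.0, 91.0, 93.0, 90.0],
                     ["C:\\Users\\u\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json",
                      "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"]),
]

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE):
        print(f"pid {pid} ({image}): {', '.join(reasons)}")
```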

Troystealer in-depth

The threat was initially detected by on Jun 12th, 2020. It was seen as a new stealer in town targeting Portuguese internet users, and no other samples had been analyzed before.


Figure 2: First report about Troystealer malware targeting Portuguese internet users

This piece of malware was disseminated via phishing campaigns using a Portuguese-language template about a problem with the victim's bank account (the decoy).


Figure 3: Troystealer template disseminated via email (Segurança-Informática)

The malware is attached to the distributed email. When executed, it uses process injection to run a new binary after several rounds of deobfuscation. The high-level diagram of this threat is presented below.


Figure 4: Troystealer (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: