
MalHide Trojan

By GoldSparrow in Trojans

The MalHide Trojan is a threat that was first observed in May 2018. The people responsible for the MalHide Trojan attacks are particularly difficult to identify. The MalHide Trojan is mainly used to collect the computer users' online account credentials and to gain remote access to infected computers. Currently, the MalHide Trojan attacks are being used to set up email relays, which allow the criminals to send email messages in which the original sender's address is obfuscated. Since spam emails are a typical way of initiating hoaxes and delivering malware, this lets the criminals hide their real IP addresses by using compromised computers to send out emails and corrupted email attachments.

Why You Should Avoid Being Infected by the MalHide Trojan

The attacks involving the MalHide Trojan will include a malicious DOC file attachment named 'Nuovo Documento.doc,' which includes embedded macros and scripts that download the MalHide Trojan onto the victim's computer. When the victim opens the corrupted file, an image appears containing the following message:

'Office 365
You are attempting to open a file that was created in an earlier version of Microsoft Office.
If the file opens in Protected View, click Enable Editing, and then click Enable Content.'

This image is designed to look like a real error alert from Microsoft Office and is a typical trick used by criminals to convince computer users to allow unsafe scripts and macros to run on their computers. These scripts connect to a remote URL and download an executable file, which installs the MalHide Trojan onto the victim's computer.

How the MalHide Trojan Works

The MalHide Trojan's main purpose is to run an SMTP client on the infected computer. This allows a remote user to use the victim's computer to send emails, hiding the real sender's IP address. A Simple Mail Transfer Protocol (SMTP) relay runs in the background and downloads a list of email addresses and messages from a remote server. The MalHide Trojan then sends these email messages to the list of email addresses from the infected computer. The criminals have used multiple servers in connection with the MalHide Trojan. The URLs and IP addresses that have been associated with dropping the MalHide Trojan file onto the victim's computer include the following:

h[tt]p://oddbods.co[.]uk/D6yd9x
h[tt]p://136.243.206[.]64
h[tt]p://166.63.0[.]27
h[tt]p://136.243.206[.]64
h[tt]p://promoclass[.]it/ACCOUNT/Invoice-161021407-Invoice-date-052518-Order-no=-06146166318
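The relay behaviour described above (a workstation opening SMTP connections to many outside hosts) is something a network defender can look for directly. The following is an added example, not code from the original article: it reads a constructed, simplified firewall connection log (the field layout is an assumption, not a real vendor format), ignores the organisation's authorised mail gateway, and flags any internal host that talks to an unusual number of distinct external mail servers.

```python
"""Flag internal hosts behaving like an unauthorised SMTP relay.

Added example, not from the original article. Assumptions: a connection log
with the fields "timestamp src_ip dst_ip dst_port action", the internal
address ranges below, and the address of the legitimate mail gateway.
"""
from collections import defaultdict
import ipaddress

MAIL_PORTS = {25, 465, 587}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Hosts that are allowed to send mail to the outside (assumed gateway address).
AUTHORISED_RELAYS = {"10.0.1.10"}
# Distinct external mail destinations before a host is flagged.
THRESHOLD = 3

# Constructed sample log; 10.0.5.23 shows relay behaviour, the others do not.
SAMPLE_LOG = """\
2018-05-28T09:00:01 10.0.5.23 10.0.1.10 25 allow
2018-05-28T09:00:04 10.0.5.23 203.0.113.7 25 allow
2018-05-28T09:00:05 10.0.5.23 198.51.100.44 25 allow
2018-05-28T09:00:06 10.0.5.23 203.0.113.9 25 allow
2018-05-28T09:00:09 10.0.5.23 192.0.2.15 587 deny
2018-05-28T09:01:00 10.0.7.8 10.0.1.10 587 allow
2018-05-28T09:01:02 10.0.7.8 203.0.113.80 443 allow
2018-05-28T09:02:00 10.0.1.10 203.0.113.7 25 allow
2018-05-28T09:02:01 10.0.1.10 198.51.100.44 25 allow
2018-05-28T09:02:02 10.0.1.10 192.0.2.15 25 allow
2018-05-28T09:03:00 10.0.9.1 198.51.100.2 25 deny
this line is malformed and is skipped
"""


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return {"ts": ts, "src": src, "dst": dst,
                "port": int(port), "action": action}
    except ValueError:
        return None


def find_relay_candidates(log_text, threshold=THRESHOLD):
    """Return {src_ip: [external mail servers contacted]} for flagged hosts.

    Denied connections are counted too: a blocked attempt is still evidence
    that the host is trying to act as a relay.
    """
    external_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in MAIL_PORTS:
            continue
        if rec["src"] in AUTHORISED_RELAYS or is_internal(rec["dst"]):
            continue
        external_targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in external_targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for host, targets in find_relay_candidates(SAMPLE_LOG).items():
        print(f"{host} contacted {len(targets)} external mail servers: {targets}")
```

The threshold is the tuning knob: a user mail client normally talks only to the internal gateway, so even a low value produces few false positives, but the authorised-relay set must list every legitimate outbound mail host or the gateway itself will be flagged.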

The following two addresses (an IP address and the hostname that resolves to it) have been associated with Command and Control servers linked to the MalHide Trojan attacks:

67[.]176[.]238[.]209
C-67-176-238-209[.]hsd1.il.comcast[.]net

Some of the email addresses that have been associated with the MalHide Trojan phishing attacks include the following:

helene.valeze@wanadoo.fr
mehdi.audam@wanadoo.fr
dominique.derbord@wanadoo.fr

It is likely that many more compromised IPs, URLs, and email addresses will be associated with the MalHide Trojan as the attack is disseminated and reaches more victims.
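The indicators above are published in defanged form (h[tt]p, [.]) so that they cannot be clicked by accident. The following is an added example, not code from the original article, showing how a defender would turn that list into something usable: it refangs the indicators, separates full URLs from bare hosts, and checks a constructed web-proxy log (the field layout is an assumption) against both. Host matching is deliberately included because exact-URL matching misses trivial variations such as a trailing slash.

```python
"""Refang the article's defanged indicators and match them against proxy logs.

Added example, not from the original article. Assumptions: proxy log lines
of the form "timestamp client_ip method target status"; the sample log lines
below are constructed.
"""
from urllib.parse import urlsplit

# Indicators exactly as listed in the article (defanged).
DEFANGED_IOCS = """\
h[tt]p://oddbods.co[.]uk/D6yd9x
h[tt]p://136.243.206[.]64
h[tt]p://166.63.0[.]27
h[tt]p://136.243.206[.]64
h[tt]p://promoclass[.]it/ACCOUNT/Invoice-161021407-Invoice-date-052518-Order-no=-06146166318
67[.]176[.]238[.]209
C-67-176-238-209[.]hsd1.il.comcast[.]net
"""

# Constructed sample proxy log.
SAMPLE_PROXY_LOG = """\
2018-05-28T10:12:01 10.0.5.23 GET http://oddbods.co.uk/D6yd9x 200
2018-05-28T10:12:05 10.0.5.23 GET http://136.243.206.64/ 200
2018-05-28T10:13:00 10.0.7.8 GET https://example.com/index.html 200
2018-05-28T10:14:22 10.0.5.23 CONNECT c-67-176-238-209.hsd1.il.comcast.net:443 200
"""


def refang(indicator):
    """Undo the common defanging conventions (h[tt]p, hxxp, [.], [:])."""
    s = indicator.strip()
    for old, new in (("h[tt]p", "http"), ("hxxp", "http"),
                     ("[.]", "."), ("[:]", ":")):
        s = s.replace(old, new)
    return s


def target_host(target):
    """Bare, lower-cased host from a URL, a host:port pair, or a bare host."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def build_indicator_sets(defanged_text):
    """Return {'urls': set of full URLs, 'hosts': set of hostnames/IPs}."""
    urls, hosts = set(), set()
    for line in defanged_text.splitlines():
        if not line.strip():
            continue
        ioc = refang(line)
        if "://" in ioc:
            urls.add(ioc)
        hosts.add(target_host(ioc))
    return {"urls": urls, "hosts": hosts}


def match_proxy_log(log_text, indicators):
    """Return one hit per log line whose target matches a URL or host IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, target, status = parts
        host = target_host(target)
        if target in indicators["urls"]:
            hits.append({"ts": ts, "client": client, "target": target,
                         "match": "url", "indicator": target})
        elif host in indicators["hosts"]:
            hits.append({"ts": ts, "client": client, "target": target,
                         "match": "host", "indicator": host})
    return hits


if __name__ == "__main__":
    iocs = build_indicator_sets(DEFANGED_IOCS)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"{hit['ts']} {hit['client']} -> {hit['target']} "
              f"({hit['match']} match on {hit['indicator']})")
```

The second sample line is the reason for the two-tier match: the proxy records `http://136.243.206.64/` with a trailing slash, which is not byte-for-byte equal to the published URL, but the host still matches. For the Comcast hostname, which is a residential reverse-DNS name, expect the IP to change over time, so the hostname should be treated as a weaker, time-bound indicator than the URLs.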

Taking Steps against the MalHide Trojan

The MalHide Trojan is especially useful for carrying out attacks on corporate or government victims. If the MalHide Trojan is installed on a business network, for example, it can be used to trick computer users into believing that they are receiving messages from management or other legitimate sources within the company or institution. These attacks can therefore be used as part of social engineering exploits, where victims are tricked through lies into carrying out activities that they would not normally carry out. If you receive suspicious email messages or suspect that your computer is infected with the MalHide Trojan, take steps to ensure that your computer is protected. Learning how to handle spam email and unsolicited email attachments is also a crucial part of your machine's protection. The best safeguard against threats like the MalHide Trojan is a strong security program that is fully up to date and operating in real time. It can monitor your network activity and intercept any activity associated with attacks like the MalHide Trojan.
