Grobios Trojan

By GoldSparrow in Trojans

The Grobios Trojan was associated with attacks carried out in May 2018. These attacks distributed the Grobios Trojan through the RIG Exploit Kit, which, like most exploit kits, takes advantage of vulnerabilities in visitors' computer systems to install malware and carry out attacks. The RIG Exploit Kit was installed on compromised websites and then delivered to the visitors of those websites through an exploit involving unsafe advertising. The Grobios Trojan was delivered to the victims' computers in the form of a damaged SWF file (Adobe Flash), which installed the Grobios Trojan on the victim's computer and initiated the attack. You need to protect your data from threats like the Grobios Trojan by installing a strong security program that is fully up-to-date and avoiding the websites associated with these attacks.

The Grobios Trojan Has a Very Effective Self-Protection

One aspect of the Grobios Trojan that attracted attention from PC security researchers is that it seems to have been created with advanced obfuscation features and self-protection measures designed to prevent it from executing in virtual environments or on computers using debugging features. Once the Grobios Trojan is installed, it will connect to Command and Control servers and receive commands to carry out on the infected computer. The Grobios Trojan installs itself to the following path:

C:\Users\\AppData\Google\v2.1.13554\[random name].exe

The Grobios Trojan will also deliver copies of itself to the Program Files directories, disguising itself as a copy of the Google Chrome Web browser. The Grobios Trojan installs itself in a way that makes it run automatically when the affected computer system starts up. Once it has been installed, the Grobios Trojan will check for virtual desktop environments and analysis tools. The Grobios Trojan performs a series of checks for the following:

Oracle VirtualBox, Parallels, Xen, VMware, Hyper-V, QEMU, PacketSniffer, FileMon, WinDbg, Process Explorer, OllyDbg, SmartSniff, cwmonitor, Sniffer, Wireshark, and Regmon

The Grobios Trojan will also check for anti-virus programs, as well as for sandbox environments on the affected computer. The Grobios Trojan searches for keywords associated with these components and also for modules and DLLs that monitor the system memory. These techniques allow the Grobios Trojan to run undetected on the victims' computers. Once the Grobios Trojan has been installed, it can be quite difficult to detect and remove.

How the Grobios Trojan Infection Works

The Grobios Trojan and similar Trojans can be used for a variety of tasks. The Grobios Trojan can be controlled remotely from its Command and Control servers, allowing criminals to take over the victim's computer. The Grobios Trojan can be used to open ports to allow easier access to the infected computer, connect to a remote server, transfer files, and terminate file processes on the infected computers. Threats like the Grobios Trojan are rarely installed all by themselves, and if the Grobios Trojan has been installed on a computer, it is highly likely that the Grobios Trojan will be used to install other malware, which may range from keyloggers and spyware to threatening components used to collect or destroy data.

Preventing the Grobios Trojan Attacks

The best protection against threats like the Grobios Trojan is to have a good security program that is fully up-to-date running in real time. If you monitor the network transmissions and active software on your computer, you may be able to notice when a Grobios Trojan attack is being carried out on it. If this is what is happening, it is important to start up the affected computer in Safe Mode to prevent the Grobios Trojan from running automatically and then use a strong security program to perform a full scan of the affected computer and remove the Grobios Trojan and other threats.
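
One way to act on the advice to monitor active software is to check autorun entries and process command lines against the install path given earlier. The following is an added example, not code from the original article; the tab-separated event format, host names and file names are constructed, and the optional Local/LocalLow/Roaming level under AppData is an assumption.

```python
import re

# Install path as printed in the article:
#   C:\Users\\AppData\Google\v2.1.13554\[random name].exe
# Assumptions: any drive letter and user name, and an optional
# Local/LocalLow/Roaming level under AppData (the article shows none).
INSTALL_PATH = re.compile(
    r"[a-z]:\\users\\[^\\]+\\appdata\\(?:(?:local|locallow|roaming)\\)?"
    r"google\\v2\.1\.13554\\[^\\\"]+?\.exe",
    re.IGNORECASE,
)

# Constructed sample: host <TAB> source <TAB> command line.
SAMPLE_EVENTS = """\
ws-014\tRunKey\t"C:\\Users\\alice\\AppData\\Roaming\\Google\\v2.1.13554\\qkzvd.exe" -s
ws-014\tProcess\tC:\\Program Files\\Google\\Chrome\\Application\\chrome.exe --type=renderer
ws-022\tProcess\tc:/users/bob/appdata/google/V2.1.13554/xmpl.exe
ws-031\tProcess\tC:\\Users\\carol\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe /c
"""


def normalise(command: str) -> str:
    """Unify slash direction and collapse doubled (escaped) backslashes."""
    return re.sub(r"\\{2,}", r"\\", command.replace("/", "\\"))


def find_matches(events: str):
    """Return (host, source, matched_path) for every event whose command
    line contains an executable under the documented install directory."""
    hits = []
    for line in events.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        host, source, command = parts
        match = INSTALL_PATH.search(normalise(command))
        if match:
            hits.append((host, source, match.group(0)))
    return hits


if __name__ == "__main__":
    for host, source, path in find_matches(SAMPLE_EVENTS):
        print(f"{host}: {source} entry references {path}")
```

A match on a legitimate-looking Google directory name is only a lead for further investigation; the executable name is random, so the check keys on the directory rather than the file.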

