
Taurus Loader

The cybercriminals behind the Taurus Loader threat (also tracked as Taurus Stealer) continue to rapidly change and evolve the way their threatening creation is delivered. Taurus possessed impressive evasion, anti-detection, and anti-analysis techniques even in its initial versions. Since then, the hackers have modified each method that infosec researchers have uncovered, keeping Taurus as relevant and dangerous as possible.

The latest innovation, spotted by the researchers at Minerva Labs, involves tricking unsuspecting users into downloading and executing the threat themselves. The Taurus operators have set up a number of websites hosting an instructional GIF. Users who search Google for illicit or cracked versions of copyrighted applications risk landing on one of these lure websites. The GIF then guides the visitor through the steps required for the supposed installation of the desired software product. Unbeknownst to the users, they are actually completing the prerequisites for the delivery and execution of the Taurus loader on their systems. It should be noted that the hackers have put up CAPTCHA checks to protect the sites delivering the threat from being accessed by automated tools deployed by researchers.

Once inside the device, Taurus runs through various checks to determine whether it is safe to proceed with its harmful functionality on that system. The threat checks the user's location and will not initiate in any of the current or former CIS countries - Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine. It uses an anti-emulation technique involving the Windows API SetErrorMode, employs a computation-based anti-analysis technique that calculates the sum of the Basel problem, and more.

New Taurus infections are still being detected almost daily, despite the threat having been thoroughly analyzed in multiple research reports published by several security vendors. It seems that through rapid tweaks to the threat itself and the integration of new infection vectors, the cybercriminals have ensured that Taurus remains a persistent presence in the malware landscape.
