WiryJMPer Dropper

WiryJMPer Dropper Description

Cybersecurity experts have detected a new Trojan dropper in the wild. It goes by the name ‘WiryJMPer’ and, so far, it has been used to deliver one particular malware strain, the NetWire RAT. The purpose of a Trojan Dropper is to deliver an embedded payload and to assist it in evading sandboxes and anti-virus engines. Malware developers tend to use a wide range of tricks to increase their Trojan Dropper’s odds of beating the security tools their target may use – in the case of the WiryJMPer Dropper, the corrupted file is padded with junk code, as well as with useless functions that iterate through random sections of the code without doing anything meaningful.

A Basic Dropper Being Used to Deliver a Threatening Remote Access Tool

Despite having stayed hidden from the eyes of malware researchers for at least a few months, the WiryJMPer Dropper is certainly not a state-of-the-art Trojan. It relies on very basic code obfuscation techniques and also applies some social engineering tricks to reduce the victim’s interaction with the software. Currently, the only users infected by the WiryJMPer Dropper and the payload it brings are likely to be users of the ABBC Coin Wallet. This is a legitimate tool, and it will work just fine if you download it from an official and trustworthy source. However, the authors of the WiryJMPer Dropper are hosting bogus copies of the ABBC Coin Wallet that serve as a host for the Trojan dropper. It is safe to assume that the user group the WiryJMPer Dropper currently targets is crypto-currency users.

Crypto-Currency Investors are the Current Targets of the WiryJMPer Dropper

If users end up executing the fake ABBC Coin Wallet installer on their computers, they may immediately see several program windows flash briefly. It is not known whether this behavior is intentional, but you can rest assured that it will not happen if you run an unaltered copy of the ABBC Coin Wallet. The fake installer will then proceed to launch the legitimate ABBC Coin Wallet installer, but it will also begin loading the NetWire RAT files in the background. During this period, it will also check for the presence of certain strings, processes, and Registry entries associated with the activity of various virtual machine software and anti-virus engines. If the Trojan dropper does not detect a sandbox environment or the presence of malware analysis tools, it will proceed to drop the NetWire RAT’s files to ‘%APPDATA%,’ and then place an ‘.LNK’ file in the Startup folder to gain persistence.
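The persistence pattern described above (a payload written under ‘%APPDATA%’ followed by an ‘.LNK’ shortcut planted in the Startup folder by the same process) is something a defender can hunt for in file-creation telemetry. The following is an added example, not code from the original page or from any analysis of WiryJMPer: it runs a simple correlation rule over constructed, Sysmon-style file-creation records in a hypothetical ‘time|pid|image|target’ layout, and assumes %APPDATA% resolves to the usual ‘…\AppData\Roaming’ path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one file-creation event per line,
# in a hypothetical "time|pid|image|target" layout.
SAMPLE_EVENTS = r"""
2019-09-05T10:00:01|4120|C:\Users\alice\Downloads\ABBC_Wallet_Setup.exe|C:\Users\alice\AppData\Roaming\wallet\host.exe
2019-09-05T10:00:02|4120|C:\Users\alice\Downloads\ABBC_Wallet_Setup.exe|C:\Users\alice\AppData\Roaming\wallet\config.dat
2019-09-05T10:00:03|4120|C:\Users\alice\Downloads\ABBC_Wallet_Setup.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wallet.lnk
2019-09-05T10:05:00|5210|C:\Program Files\Editor\editor.exe|C:\Users\alice\AppData\Roaming\Editor\recent.db
2019-09-05T11:00:00|6000|C:\Windows\explorer.exe|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk
"""

# Executable-looking file written under the user's %APPDATA% (AppData\Roaming).
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\.*\.(exe|dll|scr)$", re.I)
# Shortcut written into the per-user Startup folder.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def parse_events(text):
    """Turn the pipe-separated sample lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, target = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "target": target})
    return events


def find_dropper_like(events, window=timedelta(minutes=2)):
    """Flag a process that drops an executable under %APPDATA% and, within
    `window`, also plants an .LNK in the Startup folder (the WiryJMPer pattern)."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        payloads = [e for e in evs if APPDATA_EXE.search(e["target"])]
        links = [e for e in evs if STARTUP_LNK.search(e["target"])]
        for p in payloads:
            for l in links:
                if abs(l["time"] - p["time"]) <= window:
                    hits.append({"pid": pid, "image": p["image"],
                                 "payload": p["target"], "lnk": l["target"]})
    return hits


if __name__ == "__main__":
    for hit in find_dropper_like(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']} ({hit['image']}) wrote {hit['payload']} and {hit['lnk']}")
```

Only the fake installer's process is flagged; the editor writing a database under Roaming and Explorer creating an unrelated Startup shortcut are each missing one half of the pattern.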

It is likely that the WiryJMPer Dropper will be used in future campaigns that may rely on a different malware strain. At the moment, it is recommended to protect yourself from this threat by using a state-of-the-art anti-virus software suite, as well as by avoiding downloading files from untrustworthy sources.