
Myrtus and Guava, Episode 1

A few days ago, colleagues from the Belarusian antivirus company VirusBlokAda (VBA) announced they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:

1. Using lnk files to launch files from USB storage devices, a method which hasn’t been used before.

2. The malicious driver has a valid digital signature from Realtek.

The VBA article is well worth taking a look at – great research, guys!

Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.

First of all, the way the Trojan (which we’ve called Trojan-Dropper.Win32.Stuxnet) spreads. It infects USB storage media by creating 4 lnk files:

“Copy of Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Shortcut to.lnk”
– launches

~WTR4141.tmp, by the way, is the main malware file.

Strings from the Trojan code responsible for infecting USB storage media

What’s interesting is that the ID in the first two files is the unique number given to the USB device by the computer on which it’s being accessed.
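As an added example (not Kaspersky’s or VBA’s code), here is a defender-side triage heuristic for the propagation pattern described above: it checks the “Copy of … Shortcut to.lnk” naming scheme and searches the raw bytes of each shortcut for the removable-media device-interface path ending in a ~WTR&lt;digits&gt;.tmp target, pulling out the per-computer device instance ID. It does not parse the full Shell Link format (paths are stored as UTF-16LE, so the blob is decoded lossily at both byte alignments, plus an ANSI fallback); the sample shortcut bytes and the device ID 7&1a2b3c4d&0&RM in the comments are constructed.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Optional

# Device-interface class GUID for removable media, as quoted in the lnk target above
REMOVABLE_CLASS_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
# Naming scheme of the four dropped shortcuts: "Copy of " repeated one to four times
LNK_NAME_RE = re.compile(r"^(Copy of ){1,4}Shortcut to\.lnk$", re.IGNORECASE)
# Target path: captures the device instance ID (e.g. constructed "7&1a2b3c4d&0&RM")
# and the ~WTR<digits>.tmp file that the shortcut launches
TARGET_RE = re.compile(
    r"STORAGE#RemovableMedia#(?P<id>[^#\\]+)#" + re.escape(REMOVABLE_CLASS_GUID)
    + r"~(?P<file>WTR\d+\.tmp)",
    re.IGNORECASE,
)


@dataclass
class LnkFinding:
    name: str
    name_matches: bool
    device_id: Optional[str] = None
    target_file: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # Require both signals: the dropper's naming scheme and a ~WTR*.tmp target
        return self.name_matches and self.target_file is not None


def text_views(data: bytes) -> Iterator[str]:
    """Lossy decodings of a .lnk blob: UTF-16LE at both byte alignments, then ANSI."""
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")
    yield data.decode("latin-1")


def triage_lnk(name: str, data: bytes) -> LnkFinding:
    """Score one shortcut by its file name and by the device path found in its bytes."""
    finding = LnkFinding(name=name, name_matches=bool(LNK_NAME_RE.match(name)))
    for view in text_views(data):
        m = TARGET_RE.search(view)
        if m:
            finding.device_id, finding.target_file = m.group("id"), m.group("file")
            break
    return finding


def scan_root(root: Path) -> List[LnkFinding]:
    """Triage every .lnk directly under a volume root; return only suspicious ones."""
    return [f for f in (triage_lnk(p.name, p.read_bytes()) for p in sorted(root.glob("*.lnk")))
            if f.suspicious]
```

Running scan_root on the root of a mounted USB volume lists each flagged shortcut together with the ~WTR file it points at and the device ID embedded in it; because the ID is assigned by the host that last accessed the stick, a mismatch between shortcuts on the same volume is itself worth noting.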

Up until now, it’s been autorun.inf that’s been responsible for automatically running files from disk. This Windows “feature” has come in for heavy criticism from security experts, and, not surprisingly, has been widely used to spread malware. We classify such malware as Worm.Win32.Autorun – a classification which covers tens of thousands of threats.

But while we’ve got used, more or less, to autorun.inf malware, and learnt what to do about it, the use of lnk files is something really new. We’ll set aside the name “Linkrun” – just in case 🙂

At the moment, we’ve not drawn any final conclusion – maybe this is a real, as yet unknown vulnerability in Windows, or maybe it’s simply the latest “feature” from Redmond. Of course, Microsoft’s been informed of the problem, so we should find out what’s going on in the next couple of days.

So we’ve reached the end of episode one. Upcoming episodes feature more about the malware, and you’ll find out the reason for the post’s title. To give you a hint – it’s not because we’ve taken up gardening in our spare time 🙂

To be continued…
