APT reports

Myrtus and Guava, Episode 1

A few days ago, colleagues from the Belarussian antivirus company VirusBlokAda (VBA) announced they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:

1. Using lnk files to launch files from USB storage devices, a method which hasn’t been used before.

2.The malicious driver has a valid digital signature from Realtek.

The VBA article is well worth taking a look at – great research, guys!

Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.

First of all, the way the Trojan (which we’ve called Trojan-Dropper.Win32.Stuxnet) spreads. It infects USB storage media by creating 4 lnk files:

Copy of Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Shortcut to.lnk”
– launches

~WTR4141.tmp, by the way, is the main malware file.

Strings from the Trojan code responsible for infecting USB storage media

What’s interesting is that the ID in the first two files is the unique number given to the USB device by the computer on which it’s being accessed.

Up until now, it’s been autorun.inf that’s been responsible for automatically running files from disk. This Windows “feature” has come in for heavy criticism from security experts, and, not surprisingly, has been widely used to spread malware. We classify such malware as Worm.Win32.Autorun – a classification which covers tens of thousands of threats.

But while we’ve got used, more or less, to autorun.inf malware, and learnt what to do about it, the use of lnk files is something really new. We’ll set aside the name “Linkrun”– just in case 🙂

At the moment, we’ve not drawn any final conclusion – maybe this is a real, as yet unknown vulnerability in Windows, or maybe it’s simply the latest “feature” from Redmond. Of course, Microsoft’s been informed of the problem, so we should find out what’s going on in the next couple of days.

So we’ve reached the end of episode one. Upcoming episodes feature more about the malware, and you’ll find out the reason for the post’s title. To give you a hint – it’s not because we’ve taken up gardening in our spare time 🙂

To be continued…

Myrtus and Guava, Episode 1

Your email address will not be published.



APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

MoonBounce: the dark side of UEFI firmware

At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.

Subscribe to our weekly e-mails

The hottest research right in your inbox