
Myrtus and Guava, Episode 1

A few days ago, colleagues from the Belarusian antivirus company VirusBlokAda (VBA) announced they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:

1. Using lnk files to launch files from USB storage devices, a method which hasn’t been used before.

2. The malicious driver has a valid digital signature from Realtek.

The VBA article is well worth taking a look at – great research, guys!

Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.

First of all, there’s the way the Trojan (which we’ve called Trojan-Dropper.Win32.Stuxnet) spreads. It infects USB storage media by creating 4 lnk files:

“Copy of Copy of Copy of Copy of Shortcut to.lnk”
– launches .STORAGE#RemovableMedia#7&[ID]&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp

“Copy of Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Copy of Shortcut to.lnk”
– launches

“Copy of Shortcut to.lnk”
– launches

~WTR4141.tmp, by the way, is the main malware file.

Strings from the Trojan code responsible for infecting USB storage media

What’s interesting is that the ID in the first two files is the unique number given to the USB device by the computer on which it’s being accessed.
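As an added, defensive illustration (not code from VBA or Kaspersky), here is a minimal Python scanner that validates a .lnk header, walks its shell item ID list and flags any item carrying a removable-media volume path of the form reported above. It assumes the launch path appears as a UTF-16LE string inside the item IDs (an assumption, not something the post states), and it builds its own synthetic .lnk as test input; the device ID in that sample is constructed.

```python
import re
import struct

# ShellLinkHeader constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x00000001

# Removable-media device path of the shape reported in the post; the GUID is
# the Windows volume device interface class. Matches a ~WTRnnnn.tmp target.
SUSPICIOUS_TARGET = re.compile(
    r"STORAGE#RemovableMedia#[^#]*#\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b\}[^\x00]*~WTR\d+\.tmp",
    re.IGNORECASE,
)

# Constructed sample path (device ID "deadbeef" is made up), used only as test input.
CONSTRUCTED_TARGET = "\\\\.\\STORAGE#RemovableMedia#7&deadbeef&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~WTR4141.tmp"

def parse_header(data: bytes) -> int:
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a .lnk header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    return flags

def iter_idlist_items(data: bytes):
    """Yield the data of each ItemID in the LinkTargetIDList, if the list is present."""
    if not parse_header(data) & HAS_LINK_TARGET_IDLIST:
        return
    (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos, end = LNK_HEADER_SIZE + 2, LNK_HEADER_SIZE + 2 + idlist_size
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)  # size includes the 2-byte field
        if item_size == 0:  # TerminalID ends the list
            break
        yield data[pos + 2 : pos + item_size]
        pos += item_size

def suspicious_targets(data: bytes) -> list:
    """Return removable-media .tmp launch paths found in the link's item IDs."""
    hits = []
    for item in iter_idlist_items(data):
        text = item.decode("utf-16-le", errors="ignore")
        hits.extend(m.group(0) for m in SUSPICIOUS_TARGET.finditer(text))
    return hits

def build_sample_lnk(target: str) -> bytes:
    """Construct a minimal .lnk with one UTF-16LE item ID (synthetic test data, not a real sample)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    payload = target.encode("utf-16-le") + b"\x00\x00"
    idlist = struct.pack("<H", len(payload) + 2) + payload + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist
```

Pointing `suspicious_targets` at the .lnk files on a mounted USB stick gives a quick triage signal; an empty result is not a clean bill of health, since a sample could store its target elsewhere in the file.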

Up until now, it’s been autorun.inf that’s been responsible for automatically running files from disk. This Windows “feature” has come in for heavy criticism from security experts, and, not surprisingly, has been widely used to spread malware. We classify such malware as Worm.Win32.Autorun – a classification which covers tens of thousands of threats.

But while we’ve got used, more or less, to autorun.inf malware, and learnt what to do about it, the use of lnk files is something really new. We’ll set aside the name “Linkrun” – just in case 🙂

At the moment, we’ve not drawn any final conclusion – maybe this is a real, as yet unknown vulnerability in Windows, or maybe it’s simply the latest “feature” from Redmond. Of course, Microsoft’s been informed of the problem, so we should find out what’s going on in the next couple of days.

So we’ve reached the end of episode one. Upcoming episodes feature more about the malware, and you’ll find out the reason for the post’s title. To give you a hint – it’s not because we’ve taken up gardening in our spare time 🙂

To be continued…
