Threat behavior
Upon launch, it downloads and installs files from the following URLs:
- http://195.20.16[.]153/WatchDog.exe (detected as Trojan:MSIL/Anagra.R)
- http://195.20.16[.]153/WinRing0x64.sys (vulnerable driver)
- http://195.20.16[.]153/conhost.exe (detected as Program:Win32/Wacapew.C!ml)
- http://195.20.16[.]153/svchost.exe (detected as Trojan:MSIL/LummaStealer.CCFY!MTB)
- http://195.20.16[.]153/xmrig.exe (cryptocurrency miner)
- http://45.15.156[.]43/recovery.dat (data file)
- http://45.15.156[.]43/recoverysol.dat (data file)
- http://joxi[.]net/4Ak49WQH0GE3Nr.mp3 (detected as Trojan:Win32/LummaStealer.CCFS!MTB)
The URLs were unavailable at the time of writing; based on earlier telemetry, the following assessments could be made:
- WinRing0x64.sys is a vulnerable driver from OpenLibSys
- recovery.dat could be a data file
- recoverysol.dat could be a data file
- xmrig.exe is a cryptocurrency miner
- WatchDog.exe could be Trojan:MSIL/Anagra.R
- conhost.exe could be Trojan:MSIL/Tasker!MTB
- svchost.exe could be Trojan:MSIL/LummaStealer.CCFY!MTB
- 4Ak49WQH0GE3Nr.mp3 could be Trojan:Win32/LummaStealer.CCFS!MTB
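The download URLs above are the most directly actionable part of this entry for a SOC. The following PowerShell is an added example, not part of the Microsoft encyclopedia entry: it refangs the indicators (`[.]` back to `.`), derives a host watchlist from them, and matches both against proxy log lines. The log lines are constructed for illustration; only the URLs come from the page.

```powershell
# Added example (not part of the Microsoft encyclopedia entry): turn the defanged
# download URLs above into a watchlist and match them against proxy log lines.
# The log lines below are constructed for illustration; the IOCs are the page's.

$DefangedUrls = @(
    'http://195.20.16[.]153/WatchDog.exe',
    'http://195.20.16[.]153/WinRing0x64.sys',
    'http://195.20.16[.]153/conhost.exe',
    'http://195.20.16[.]153/svchost.exe',
    'http://195.20.16[.]153/xmrig.exe',
    'http://45.15.156[.]43/recovery.dat',
    'http://45.15.156[.]43/recoverysol.dat',
    'http://joxi[.]net/4Ak49WQH0GE3Nr.mp3'
)

# Refang: replace "[.]" with "." so the strings compare against real log data.
function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    return $Indicator -replace '\[\.\]', '.'
}

$Urls  = $DefangedUrls | ForEach-Object { ConvertFrom-Defanged $_ }
$Hosts = $Urls | ForEach-Object { ([System.Uri]$_).Host } | Sort-Object -Unique

# Constructed sample proxy log: timestamp, client, method, URL, status, user agent.
$SampleLog = @'
2024-01-01T10:00:01Z 10.0.0.12 GET http://195.20.16.153/WatchDog.exe 200 -
2024-01-01T10:00:02Z 10.0.0.12 GET http://195.20.16.153/WinRing0x64.sys 200 -
2024-01-01T10:00:03Z 10.0.0.12 GET http://45.15.156.43/recovery.dat 200 -
2024-01-01T10:00:04Z 10.0.0.15 GET https://www.microsoft.com/ 200 -
2024-01-01T10:00:05Z 10.0.0.12 GET http://joxi.net/4Ak49WQH0GE3Nr.mp3 200 -
2024-01-01T10:00:06Z 10.0.0.19 GET http://joxi.net/some-other-file.png 200 -
'@

function Find-IocHits {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [Parameter(Mandatory)][string[]]$WatchUrls,
        [Parameter(Mandatory)][string[]]$WatchHosts
    )
    foreach ($line in $LogLines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }
        $url = $fields[3]
        try { $uri = [System.Uri]$url } catch { continue }

        # An exact URL match is high confidence. A host-only match (a different
        # path on a host that may also serve benign content) is lower confidence
        # and is reported separately so it is triaged rather than auto-blocked.
        if ($WatchUrls -contains $url) {
            [pscustomobject]@{ Client = $fields[1]; Url = $url; Match = 'url';  Confidence = 'high' }
        } elseif ($WatchHosts -contains $uri.Host) {
            [pscustomobject]@{ Client = $fields[1]; Url = $url; Match = 'host'; Confidence = 'low' }
        }
    }
}

$hits = Find-IocHits -LogLines ($SampleLog -split "`r?`n") -WatchUrls $Urls -WatchHosts $Hosts
$hits | Format-Table -AutoSize

# A client that pulled more than one stage of the chain is the strongest lead:
# here 10.0.0.12 fetched four of the listed files.
$hits | Where-Object Confidence -eq 'high' |
    Group-Object Client | Where-Object Count -gt 1 |
    Select-Object Name, Count
```

The two confidence tiers matter because the 195.20.16[.]153 and 45.15.156[.]43 hosts are dedicated to this chain, while a host-only match can catch unrelated traffic; keep the host list for hunting and the full URL list for blocking.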
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection. For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
Guidance for enterprise administrators
Following the mitigation steps below can help prevent malware attacks:
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown variants.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
- Turn on passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA. Refer to this article for the different authentication methods and features.
- Turn on attack surface reduction rules to prevent common attack techniques used in infostealer infections. Attack surface reduction rules are broad settings that stop entire classes of threats, including infostealers, credential theft, and ransomware. The following rules are the most relevant to this threat:
- Turn on PUA protection in block mode
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block execution of potentially obfuscated scripts
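The enterprise guidance above can be applied and verified on a single endpoint with the Defender PowerShell module. The script below is an added example, not Microsoft's own code, and assumes an elevated session on a Windows device running Microsoft Defender Antivirus. It uses the documented ASR rule GUIDs for the two rules named above and, because this chain drops the vulnerable WinRing0x64.sys driver, also includes the "Block abuse of exploited vulnerable signed drivers" rule, which the page's list does not mention.

```powershell
# Added example (not Microsoft's own code): apply the enterprise guidance above on
# one Windows endpoint with the Defender module, then read the settings back.
# Run from an elevated PowerShell session.

# Cloud-delivered protection and automatic sample submission.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples   # SendSafeSamples if data handling forbids full samples

# PUA protection in block mode.
Set-MpPreference -PUAProtection Enabled

# Attack surface reduction rules (GUID => description). The third rule is added
# here because the chain drops WinRing0x64.sys; it is not in the page's list.
$AsrRules = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
}
foreach ($id in $AsrRules.Keys) {
    # Use -AttackSurfaceReductionRules_Actions AuditMode first in a pilot ring;
    # Enabled is block mode.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# Verification. Get-MpPreference reports numeric codes:
#   MAPSReporting        2 = Advanced
#   SubmitSamplesConsent 1 = SendSafeSamples, 3 = SendAllSamples
#   PUAProtection        1 = Enabled (block)
#   ASR actions          1 = Block (Ids and Actions are parallel arrays)
function Test-DefenderHardening {
    param([Parameter(Mandatory)][string[]]$RequiredAsrRuleIds)
    $p = Get-MpPreference
    $findings = @()

    if ($p.MAPSReporting -ne 2)               { $findings += 'Cloud-delivered protection is not set to Advanced' }
    if ($p.SubmitSamplesConsent -notin 1, 3)  { $findings += 'Automatic sample submission is disabled or prompts' }
    if ($p.PUAProtection -ne 1)               { $findings += 'PUA protection is not in block mode' }

    $ids     = @($p.AttackSurfaceReductionRules_Ids)
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    foreach ($id in $RequiredAsrRuleIds) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) { $idx = $i; break }
        }
        if ($idx -lt 0 -or $actions[$idx] -ne 1) {
            $findings += "ASR rule $id ($($AsrRules[$id])) is not in block mode"
        }
    }
    return $findings
}

$findings = Test-DefenderHardening -RequiredAsrRuleIds @($AsrRules.Keys)
if ($findings.Count -eq 0) {
    'All checked Defender settings are in the expected state.'
} else {
    $findings
}
```

On managed devices these values may be set by Group Policy or Intune, in which case `Set-MpPreference` changes are overwritten at the next policy refresh; the verification function is still useful there as a compliance check. Roll ASR rules out in audit mode before switching to block so that line-of-business applications caught by the prevalence rule can be exempted first.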