Threat behavior
Attackers use several techniques to infect devices with Trojan:MacOS/Multiverze:
- Phishing emails: These are deceptive emails that contain harmful links or attachments. Clicking them can silently install malware on your device.
- Malicious websites: Simply visiting a compromised or fake website can trigger a hidden download if your browser has security gaps.
- Malvertising: This involves placing infected ads on legitimate websites or hijacking social media accounts to spread malware through sponsored posts.
- Infected software: Downloading pirated or unofficial versions of popular software can lead to infection, as attackers often bundle malware with these “free” downloads.
Once installed, Trojan:MacOS/Multiverze begins gathering valuable information from your device using various methods:
- Keylogging: Records everything you type, including passwords and credit card numbers.
- Form grabbing: Captures data you enter into online forms before it’s encrypted, such as login credentials and payment details.
- Clipboard monitoring: Watches what you copy and paste, like account numbers or passwords, and can steal or replace that data.
- Remote access (RATs): Some infostealers allow attackers to take full control of your device remotely, giving them access to all your files and activity.
- Screen captures: Takes screenshots while you’re entering sensitive information, bypassing text-based protections.
- Browser session hijacking: Steals cookies and session tokens from your browser, allowing attackers to impersonate you online without needing your password.
- File harvesting: Searches your device for documents, emails, and other files that may contain personal or business information.
- Crypto wallet theft: Targets cryptocurrency wallets by stealing private keys, enabling attackers to transfer your digital assets.
After collecting your data, Trojan:MacOS/Multiverze sends it to the attacker using methods like:
- Web requests: Uploading data to a server controlled by the attacker.
- FTP transfers: Sending files to a remote file server.
- Email: Emailing the stolen data directly to the attacker.
Trojan:MacOS/Multiverze creates the following files:
This malware also sets the following registry entries (key = value):
- HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile = Binary Data
- HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = %ProgramData%\Synaptics\Synaptics.exe
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status = 0
- HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd = %APPDATA%\Dibifu_9\vshost32.exe
Trojan:MacOS/Multiverze also creates the following processes:
This malware also communicates with the following hosts:
Trojan:MacOS/Multiverze also accesses or downloads from the following URLs:
Prevention
Guidance for Individual users
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware attacks enterprises more often than individuals. Following the mitigation steps below can help prevent ransomware attacks.
Microsoft recommends the following mitigations to reduce the impact of this threat's activity.