Threat behavior
Trojan:Win32/ForestTiger.A!dha enters devices in two main ways: by exploiting CVE-2023-42793 in JetBrains TeamCity, or through phishing campaigns impersonating US companies. Once launched, it uses DLL sideloading to hijack legitimate processes such as wsmprovhost.exe or clip.exe by planting fake Windows DLLs such as DSROLE.dll or Version.dll. The trojan first deploys its core payload (Forest64.exe) and a configuration file into C:\ProgramData, decrypting the configuration in memory at run time to obtain its command-and-control (C2) endpoints and task parameters.
To establish persistence, it schedules tasks using schtasks.exe and deactivates security tools like Windows Defender by renaming internal folders or changing registry keys. Network communication occurs over both encrypted and unencrypted channels to hard-coded IPv4 addresses, IPv6 addresses, and remote hosts, and is used for data exfiltration and for launching remote commands.
Evasion techniques include encrypting the payload, disguising files as JPEGs with false headers, and checking for virtualization artifacts to detect analysis environments. Once the infection is established, Trojan:Win32/ForestTiger.A!dha dumps credentials by scraping LSASS memory and moves laterally over Remote Desktop Protocol (RDP) using fake local accounts. The malware also drops decoy files in C:\Windows\System32\spp\store\2.0\ to blend in with legitimate data.
Trojan:Win32/ForestTiger.A!dha drops the following files:
- Forest64.exe
- user64.exe
- C:\Users\user\Desktop\file.exe
- C:\Windows\System32\wuapihost.exe
- C:\Users\user\Desktop\Forest64.exe
- C:\Windows\System32\spp\store\2.0\ (.dat and .tmp files)
Communicates with the following hosts:
- 192[.]229.211.108[:]80
- a83f[:]8110:0:0:10:0:0[:]0
- a83f[:]8110:8b31:da01:beac:bf78:cce1[:]d301
- fp2e7a[.]wpc.phicdn[.]net
- fp2e7a[.]wpc.2be4.phicdn[.]net
- a83f[:]8110:0:0:4a01:0:0[:]0
- a83f[:]8110:0:0:1400:0:0[:]0
- 104[.]86.182.8[:]443
Prevention
To minimize exposure to Trojan:Win32/ForestTiger.A!dha, and malware in general, Microsoft recommends best practices such as:
- Update mission-critical software to patch known exploit vectors similar to CVE-2023-42793.
- Enforce a policy of least privilege across the whole local network, and restrict unauthorized applications using allow/block listing.
- Block traffic to known malicious IP ranges and inspect outbound connections at firewalls.
- Educate users not to open phishing emails or their attachments.
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.