Backdoor:MSIL/Ofnipon.A is a backdoor trojan that terminates certain security processes. It also allows a remote attacker to gain access and control of the infected computer.

 

Backdoor:MSIL/Ofnipon.A is capable of checking if it is running in a virtual environment or under certain conditions, in these cases it can terminate itself to avoid analysis and detection.

Remcos is used to take control of an infected system and collect system information like keystrokes, webcam images, screen captures, and passwords. 

Remcos supports many control commands to perform various tasks on a victim’s device.

Based on command-and-control (C2) commands, it can do further malicious activities such as start and stop keyloggers, download file, delete file, upload file, open and close camera, record audio, display warning message, and get clipboard data.

Read the following blogs for more information:

• Flax Typhoon using legitimate software to quietly access Taiwanese organizations
• How the Microsoft Incident Response team helps customers remediate threats
• Threat actors strive to cause Tax Day headaches