W32/Murofet.A
Analysis
W32/Murofet.A is a file infector that attempts to download additional malicious files onto the infected system.
Technical Details
File Infection
- This malware infects Win32 executable files by inserting its code into the space between the first and second sections. An infected file grows by approximately 2,048 bytes.
- Second-generation infected samples were observed not to infect further files; only first-generation samples appear to contain the infection code.
Generation of Domain Names
- This malware generates random domain names from which to download additional malicious files. The domain-generation mechanism is similar to the technique used by the Conficker worm.
- After generating a domain name, the malware attempts to connect to it. It makes 800 such attempts per execution of the infected file, calling the Sleep API with a parameter of 1 second on every iteration.
- Domain generation starts with a call to the GetSystemTime API. The result is used as the seed for a randomized string, to which one of the following suffixes is appended:
  - .com/forum/
  - .biz/forum/
  - .org/forum/
  - .net/forum/
  - .info/forum/
- If the connection to the generated domain succeeds, the malware downloads a file, saves it to the current user's Temporary folder, and executes it.
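The connection pattern described above (one generated domain per second, each ending in one of the five listed suffixes) can be spotted in web proxy logs as a dense burst of requests to distinct domains from a single client. The following heuristic is an added example, not part of the original analysis; the log format, the field layout and the burst thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log lines (timestamp, client, method, URL); not taken from the original analysis.
SAMPLE_LOG = """\
2010-10-01T12:00:00 10.0.0.5 GET http://kxq3vn2d.com/forum/
2010-10-01T12:00:01 10.0.0.5 GET http://a8bvcp1z.biz/forum/
2010-10-01T12:00:02 10.0.0.5 GET http://zu6gw9rt.org/forum/
2010-10-01T12:00:03 10.0.0.5 GET http://mxp4n1dq.net/forum/
2010-10-01T12:00:04 10.0.0.5 GET http://yw2lk7hs.info/forum/
2010-10-01T12:00:05 10.0.0.7 GET http://example.com/forum/
2010-10-01T12:03:00 10.0.0.5 GET http://example.net/forum/index.php
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) GET (\S+)$")  # assumed layout: timestamp client method url
# A generated label followed by one of the five suffixes listed in the analysis.
MUROFET_URL = re.compile(r"^http://([a-z0-9]+)\.(com|biz|org|net|info)/forum/$")

def parse_line(line):
    """Return (timestamp, client, domain) for a line that matches the probe pattern, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts_text, client, url = m.groups()
    u = MUROFET_URL.match(url)
    if not u:
        return None
    return datetime.fromisoformat(ts_text), client, u.group(1) + "." + u.group(2)

def find_dga_bursts(log_text, min_hits=5, window_seconds=60):
    """Flag clients that probe >= min_hits distinct matching domains inside any window_seconds span.
    One probe per second from an infected host forms a dense burst; a lone /forum/ visit does not."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, client, domain = parsed
            per_client[client].append((ts, domain))
    window, flagged = timedelta(seconds=window_seconds), {}
    for client, events in per_client.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_hits:
            flagged[client] = best
    return flagged
```

A single legitimate visit to some site's /forum/ page matches the URL pattern but never reaches the threshold, which is why the count of distinct domains per window, not the pattern alone, drives the alert.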
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.