W32/Poxter.A!tr
Analysis
- This trojan has been observed to perform DNS queries for the following known botnet-related domains and URLs:
- {Removed}b32e.com
- {Removed}e613.com/portal1/gateway.php
- It drops the following copy of itself:
- %AppData%\[RandomFolderName]\[RandomFileName].exe
- To automatically execute itself every time the infected user logs on, it creates the following registry entry:
- key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
- value: [RandomCLSIDEntry]
- data: %AppData%\[RandomFolderName]\[RandomFileName].exe
- There have been some instances of this malware also creating the following registry entries:
- key: HKEY_CURRENT_USER\Software\Resilience Software
- value: Digit
- data: [CLSID, e.g., dce9891c-0a6e-4b5f-b86c-6a5aa73a76ec]
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- value: LowRiskFileTypes
- data: ".exe;.bat;.reg;.vbs;"
- Listing these extensions in LowRiskFileTypes tells the Windows Attachment Manager to treat them as low risk, so the "Open File - Security Warning" prompt that normally appears when running downloaded executables and scripts is suppressed for them.
- This malware is associated with the Target Credit Card hacking incident.
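The registry indicators above can be checked offline against a `reg export` dump collected from a suspect host. The following script is an added example written for this page, not Fortinet's own tooling: it parses a .reg-format text, flags Run entries whose value name is a CLSID/GUID and whose data points into %AppData%, and reports the LowRiskFileTypes and "Resilience Software" markers. The sample dump is constructed for the example (the folder and file names are invented; the CLSID is the one the write-up uses as its illustration). It assumes the Run value was exported as REG_SZ; a REG_EXPAND_SZ value would appear as `hex(2):...` in a .reg export and is not decoded here.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` dump: one benign Run entry next to the
# indicators described for W32/Poxter.A!tr. Folder/file names are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"{dce9891c-0a6e-4b5f-b86c-6a5aa73a76ec}"="%AppData%\\Kqzvmf\\ryxtou.exe"

[HKEY_CURRENT_USER\Software\Resilience Software]
"Digit"="dce9891c-0a6e-4b5f-b86c-6a5aa73a76ec"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.reg;.vbs;"
"""

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ASSOC_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\associations"
MARKER_KEY = r"hkey_current_user\software\resilience software"

GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
# "name"=data  (name may contain escaped quotes/backslashes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a `reg export` dump into {key (lowercased): {value name: data}}.
    Only quoted REG_SZ data is unescaped; other types (hex(2):, dword:) are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _get(values: Dict[str, str], wanted: str):
    """Case-insensitive value-name lookup (registry value names are case-insensitive)."""
    for name, data in values.items():
        if name.lower() == wanted.lower():
            return data
    return None


def scan(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return the W32/Poxter.A!tr registry indicators found in a parsed dump."""
    findings: List[dict] = []
    for name, data in keys.get(RUN_KEY, {}).items():
        low = data.lower()
        in_appdata = "%appdata%" in low or "\\appdata\\roaming\\" in low
        if GUID_RE.match(name) and in_appdata:
            findings.append({"indicator": "run_clsid_appdata", "key": RUN_KEY,
                             "name": name, "data": data})
    lrft = _get(keys.get(ASSOC_KEY, {}), "LowRiskFileTypes")
    if lrft is not None and ".exe" in [e.strip() for e in lrft.lower().split(";")]:
        findings.append({"indicator": "lowrisk_exe", "key": ASSOC_KEY,
                         "name": "LowRiskFileTypes", "data": lrft})
    digit = _get(keys.get(MARKER_KEY, {}), "Digit")
    if digit is not None and GUID_RE.match(digit):
        findings.append({"indicator": "marker_digit", "key": MARKER_KEY,
                         "name": "Digit", "data": digit})
    return findings


if __name__ == "__main__":
    for f in scan(parse_reg(SAMPLE_REG)):
        print(f"{f['indicator']:18} {f['key']}\\{f['name']} = {f['data']}")
```

On a live host the same dump is produced with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other two keys); a GUID-named Run value alone is not conclusive, since some legitimate installers use them, so treat it as a lead to be confirmed against the %AppData% path and the file itself.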
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

| Product | Detection Availability |
|---|---|
| FortiGate | |
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |