W32/Bublik.AAB!tr
Analysis
- Upon execution, it drops a copy of itself to the user's Temporary folder. This dropped copy has the full path and file name of the original malware sample appended to its overlay. The most common file names observed during our tests are as follows:
- hhcbrnaff.exe
- wezeda.exe
- After execution, the original malware sample is deleted.
- This malware disguises itself by using an Adobe PDF icon.
- This malware is very much similar in behavior with W32/Small.AAB!tr. For more information, please see this blog post.
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
FortiGate | |
---|---|
Extended | |
FortiClient | |
FortiMail | |
FortiSandbox | |
FortiWeb | |
Web Application Firewall | |
FortiIsolator | |
FortiDeceptor | |
FortiEDR |