W32/Zurgop.BK!tr
Analysis
- Creates a new folder under the user's Application Data folder using a randomized name, then drops a copy of itself into this new folder using a randomized name.
- Creates the following registry entry to automatically execute its dropped file every time the infected user logs on:
  - key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - value: [Random]
  - data: %APPDATA%\[Random]\[Random].exe
- Attempts to inject code into the following processes:
  - explorer.exe
  - svchost.exe
- Collects information about the compromised system and sends it to the HTTP server http://se{Removed}gj333.com/.
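To hunt for the persistence entry described above, here is an added PowerShell check (not code from the original page) that lists HKLM Run values whose target resolves into a user's AppData\Roaming folder with a single-level subfolder and an .exe name, the layout this malware uses. It assumes it is run with administrator rights on the host under review; the path pattern is a starting point for triage, not a definitive indicator.

```powershell
# Added example: flag HKLM Run entries that point into a user's AppData folder.
# Assumption: run elevated on the host under review (not part of the original page).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$item   = Get-ItemProperty -Path $runKey -ErrorAction Stop

# Drop the PS* metadata properties the registry provider adds to the object.
$props = $item.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }

$suspicious = foreach ($p in $props) {
    $data = [string]$p.Value
    # REG_EXPAND_SZ values may arrive already expanded; expand any that are not
    # and strip surrounding quotes so the path can be inspected and tested.
    $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')

    # Match either the raw %APPDATA%\<folder>\<name>.exe form or the expanded
    # ...\AppData\Roaming\<folder>\<name>.exe form.
    if ($data     -match '^"?%APPDATA%\\([^\\]+)\\([^\\]+)\.exe"?$' -or
        $expanded -match '\\AppData\\Roaming\\([^\\]+)\\([^\\]+)\.exe$') {
        [pscustomobject]@{
            ValueName = $p.Name
            Data      = $data
            Folder    = $Matches[1]
            FileName  = $Matches[2]
            # Test-Path uses the current (admin) profile's %APPDATA%; a miss here
            # does not clear the entry, it may belong to another user's profile.
            Exists    = Test-Path -LiteralPath $expanded
        }
    }
}

$suspicious | Format-Table -AutoSize
```

Because the entry lives under HKLM but the data references %APPDATA%, the dropped file sits in the profile of whichever user was infected; check each profile's AppData\Roaming for the reported folder name before deciding an entry is stale.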
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

| Product | Detection Availability |
|---|---|
| FortiGate | Extreme |
| FortiClient | Extended |
| FortiMail | Extended |
| FortiSandbox | Extended |
| FortiWeb | Extended |
| Web Application Firewall | Extended |
| FortiIsolator | Extended |
| FortiDeceptor | Extended |
| FortiEDR | |