MSIL/Injector.FOF!tr
Analysis
- It drops a copy of itself as msimw.exe in the All Users' Profile folder.
- The following registry modifications are applied:
  - HKCU\Software\Microsoft\CurrentVersion\Policies\Explorer\Run
    - [RandomNumber] = %AllUsersProfile%\msimw.exe
- The malware arrives as an attachment to a spammed mail using the following possible details:
  - Subject: my new photo ;)
  - Body: my new photo ;)
  - Attachment Filename: photo.zip
- The malware attempts to connect to the following site:
  - ddnserv{Removed}.ru
- The original copy of the malware is deleted after execution.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |