W32/Small.BQ!tr
Analysis
This threat was spammed in an email message as a hyperlink. When a user clicked the hyperlink, an encoded HTML file was downloaded and run. This encoded HTML file retrieved an additional .CHM file from '209.61.149.77'. The .CHM file uses a codebase exploit in order to retrieve and execute a binary file named "svchost.exe".
The file "svchost.exe" is a remote access Trojan that sends notification of its installation to a server-side PHP script; the server is located at the IP 209.51.149.77. The script captures the submitted data into a log file for a malicious user to browse; the data describes the compromised system, including the machine name, user name and other details.
This remote access Trojan is a variant of "Delf".
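The infection chain above leaves a recognisable trace in web proxy logs: a .CHM fetch from the host named in the analysis, a following request for "svchost.exe", and a POST to a PHP script on the notification server. The following Python script is an added example for defenders and is not part of this Fortinet entry; it runs over a few constructed sample log lines (the "timestamp client method url status" layout, the client addresses and the URL paths are assumptions) and reports which clients show the complete chain. Only the two IP addresses come from the analysis text.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# IP addresses quoted in the analysis above: the .CHM host and the
# server receiving the Trojan's installation notification.
KNOWN_HOSTS = {"209.61.149.77", "209.51.149.77"}

# Constructed sample proxy log lines in a hypothetical
# "timestamp client method url status" layout; not real telemetry.
SAMPLE_LOG = """\
2004-03-02T10:01:05 10.0.0.21 GET http://mail.example.test/inbox 200
2004-03-02T10:01:40 10.0.0.21 GET http://209.61.149.77/page.chm 200
2004-03-02T10:01:43 10.0.0.21 GET http://209.61.149.77/svchost.exe 200
2004-03-02T10:02:10 10.0.0.21 POST http://209.51.149.77/notify.php 200
2004-03-02T10:05:00 10.0.0.37 GET http://www.example.test/index.html 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tag_entry(entry: dict) -> list[str]:
    """Return the indicator tags this request matches (empty list if none)."""
    parsed = urlparse(entry["url"])
    host = parsed.hostname or ""
    path = parsed.path.lower()
    tags = []
    if host in KNOWN_HOSTS:
        tags.append("known-host")
    if path.endswith(".chm"):
        tags.append("chm-download")
    if path.endswith("/svchost.exe"):
        tags.append("svchost-download")
    if entry["method"] == "POST" and path.endswith(".php") and host in KNOWN_HOSTS:
        tags.append("rat-beacon")
    return tags


def scan(log_text: str) -> list[dict]:
    """Return every parsed entry that matched at least one indicator, with its tags."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = tag_entry(entry)
        if tags:
            hits.append({**entry, "tags": tags})
    return hits


# The three stages of the chain described in the analysis.
CHAIN = {"chm-download", "svchost-download", "rat-beacon"}


def clients_with_full_chain(hits: list[dict]) -> set[str]:
    """Clients whose requests cover every stage of the chain."""
    seen: dict[str, set[str]] = {}
    for h in hits:
        seen.setdefault(h["client"], set()).update(h["tags"])
    return {client for client, tags in seen.items() if CHAIN <= tags}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["method"], h["url"], ",".join(h["tags"]))
    print("clients showing the full chain:", sorted(clients_with_full_chain(found)))
```

A single hit on the IP addresses is enough to block at the proxy; correlating the three stages per client, as the script does, is what separates a host that actually ran the .CHM and installed the Trojan from one that merely loaded the spam hyperlink.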
Recommended Action
Telemetry
Detection Availability
| Product | Availability |
|---|---|
| FortiGate | |
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |