W64/Kryptik.BRD!tr
Analysis
W64/Kryptik.BRD!tr is a generic detection for a trojan that uses DLL hijacking to spread and maintain persistence. To aid in persistence it also injects code into explorer.exe.
Below are some of its observed characteristics/behaviours:
- Automatically executes a copy of itself at startup by using a shortcut placed in the Startup folder to launch a victim exe that will be DLL hijacked.
- Injects code into explorer.exe's running memory that causes a victim exe to be continually placed and DLL hijacked. Because of this injected code, any attempt to delete the hijacking DLL results in it being replaced with a new copy.
- This malware may drop any of the following file(s):
  - A .exe file chosen randomly from system32 and saved under AppData\Roaming\RANDOM\, where RANDOM is replaced with random characters. This file becomes the victim of the DLL hijacking.
  - A .dll file that corresponds to a DLL loaded by the hijacked victim exe above, again usually found in system32 and saved under AppData\Roaming\RANDOM\, where RANDOM is replaced with random characters. This file, detected as W64/Kryptik.BRD!tr, is a modified copy of the DLL found in system32 and contains the malicious code that carries out the DLL hijacking.
  - A shortcut file under Start Menu\Programs\Startup called RANDOM.lnk, where RANDOM is replaced with random characters. It targets the victim exe under AppData\Roaming\RANDOM\ and causes the DLL hijacking to occur at login, providing persistence.
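The Startup-shortcut and side-by-side DLL pattern described above can be checked for on a suspect host. The script below is an added triage example, not part of Fortinet's write-up: it resolves every .lnk in the per-user and all-users Startup folders, flags targets under AppData\Roaming, and for each such target lists DLLs beside the exe whose name also exists in System32 and whose SHA-256 differs from the System32 copy (the modified-copy behaviour the page describes). Folder names and hashes are read from the live system; nothing is deleted.

```powershell
# Added example (not Fortinet's code): hunt for the Startup .lnk -> %AppData%\<random>\ EXE
# -> sideloaded DLL chain described in the analysis above. Output is for triage only.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$system32 = Join-Path $env:SystemRoot 'System32'
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }

        # The persistence shortcut points at a copied EXE under %AppData%\<random>\
        if ($target -notlike "$env:APPDATA\*") { continue }
        Write-Output "[!] Startup shortcut '$($lnk.Name)' -> $target"

        if (-not (Test-Path $target)) { continue }
        $targetDir = Split-Path -Parent $target

        # A System32 EXE copied into a writable folder is the "victim" of the hijack
        $sys32Exe = Join-Path $system32 (Split-Path -Leaf $target)
        if (Test-Path $sys32Exe) {
            Write-Output "    target EXE name also exists in System32: $sys32Exe"
        }

        # DLLs beside the EXE that share a name with a System32 DLL but differ in content
        # are the modified copies the write-up describes (sideload candidates).
        foreach ($dll in Get-ChildItem -Path $targetDir -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
            $orig = Join-Path $system32 $dll.Name
            if (-not (Test-Path $orig)) { continue }
            $hCopy = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
            $hOrig = (Get-FileHash -Path $orig -Algorithm SHA256).Hash
            if ($hCopy -ne $hOrig) {
                Write-Output "    [!] $($dll.Name) differs from System32 copy ($hCopy vs $hOrig) - sideload candidate"
            } else {
                Write-Output "    $($dll.Name) is an unmodified copy of the System32 DLL"
            }
        }
    }
}
```

Because the injected explorer.exe code re-creates the DLL, a hit here should be quarantined with the AV client rather than cleaned by hand from a live session.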
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Availability |
---|---|
FortiGate | Extended |
FortiClient | Extreme |
FortiAPS | |
FortiAPU | |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2020-09-22 | 80.56100 | Sig Updated |
2020-07-14 | 78.88000 | Sig Updated |
2020-04-21 | 76.87400 | Sig Updated |
2020-04-21 | 76.87100 | Sig Updated |
2020-04-21 | 76.86800 | Sig Updated |
2019-12-09 | 73.67200 | Sig Updated |
2019-12-02 | 73.50300 | Sig Updated |
2019-11-26 | 73.35800 | Sig Updated |
2019-11-25 | 73.33700 | Sig Updated |
2019-11-07 | 72.89200 | Sig Updated |