
Infostealer.Gocotoya


First posted on 18 April 2015.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Gocotoya.

Explanation :

The Trojan may arrive on the compromised computer through malicious links delivered through Steam chat.

The Trojan copies itself to the following location and replaces the previous file:
[STEAM DIRECTORY]\Steam.exe
Note: [STEAM DIRECTORY] is the directory where Steam is installed.

The Trojan renames the original [STEAM DIRECTORY]\Steam.exe file to the following file name:
[STEAM DIRECTORY]\steam.old

The Trojan executes the following file, which is now malicious:
[STEAM DIRECTORY]\Steam.exe

The Trojan displays a fake login screen.



The Trojan steals any credentials entered in the fake login screen.

The Trojan may also steal cookies and credentials saved in the following browsers:
Google Chrome
Chromium
Comodo Dragon
Torch
Yandex Browser
Opera
Orbitum
Amigo
QIP Surf
Sleipnir
Citrio

The Trojan sends the stolen information to the following remote location:
[http://]188.120.255.114/auth[REMOVED]
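
A triage sketch for the artifacts described above, added here as an example and not taken from the Symantec write-up: it flags a steam.old file sitting next to Steam.exe and proxy-log URLs that point at the listed remote host. The function names, the log format and the sample lines are assumptions constructed for illustration; a hit is a reason to verify the signature of Steam.exe, not proof of infection.

```python
import hashlib
import re
from pathlib import Path

# Indicators from the write-up above; the path after /auth is redacted there.
C2_HOST = "188.120.255.114"
C2_PATH_PREFIX = "/auth"
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?")

# Constructed proxy-log lines (format and the /authPLACEHOLDER path are assumptions).
SAMPLE_LOG = [
    "2015-04-18T10:02:11Z 10.0.0.23 POST http://188.120.255.114/authPLACEHOLDER 200",
    "2015-04-18T10:02:15Z 10.0.0.23 GET http://store.steampowered.com/ 200",
    "2015-04-18T10:03:40Z 10.0.0.40 GET http://188.120.255.114/ 404",
    "2015-04-18T10:04:02Z 10.0.0.41 GET http://188.120.255.1140/auth 200",  # look-alike host
]

def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def check_steam_dir(steam_dir):
    """Report the Steam.exe / steam.old swap artifact in a Steam directory."""
    # Windows file names are case-insensitive, so compare lower-cased names.
    files = {p.name.lower(): p for p in Path(steam_dir).iterdir() if p.is_file()}
    backup, client = files.get("steam.old"), files.get("steam.exe")
    findings = []
    if backup:
        findings.append("steam.old present")
        if client and _sha256(client) != _sha256(backup):
            findings.append("Steam.exe differs from steam.old")
    return findings

def match_c2(log_lines):
    """Return (line, path_matches) for every line with a URL on the C2 host."""
    hits = []
    for line in log_lines:
        for host, path in URL_RE.findall(line):
            if host == C2_HOST:  # exact host match, so look-alikes are ignored
                hits.append((line, path.startswith(C2_PATH_PREFIX)))
                break
    return hits

if __name__ == "__main__":
    for line, exact in match_c2(SAMPLE_LOG):
        print("C2 host contacted" + (" (auth path)" if exact else ""), "->", line)
```
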

Last update 18 April 2015

 
