
Infostealer.Rodagose


First posted on 09 December 2014.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Rodagose.

Explanation:

Once executed, the Trojan creates the following files:
%Windir%\ctfmonm.dll
%Windir%\roodgoose
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"dispraisers" = "regsvr32 "C:\WINDOWS\ctfmonm.dll" /s"
The Trojan also creates the following event on the compromised computer:
Global\4nZJFQQ
The Trojan then steals files from the compromised computer and sends them to the following account hosted with a legitimate cloud storage service provider:
http://webdav.cloudme.com/[ACCOUNT NAME]/CloudDrive
Note: Where [ACCOUNT NAME] is the user name the attacker used to set up the account. Examples of account names used include the following:
browner8674935daw0996
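The indicators above (two dropped files under %Windir%, the "dispraisers" Run value that loads the DLL through regsvr32, the named event, and the WebDAV upload path on cloudme.com) can be turned into a simple offline checker. The following is an added example, not part of the Symantec write-up: every sample input it scans (registry Run values, a file listing, event names, proxy log lines) is constructed here for illustration, and the helper names are hypothetical.

```python
"""
Added example (not from the write-up): match the Infostealer.Rodagose
indicators against constructed sample data. Indicator values are quoted
from the write-up; all inputs below are constructed for the demo.
"""
import re

# Indicators quoted from the write-up
IOC_FILES = {"ctfmonm.dll", "roodgoose"}      # dropped directly under %Windir%
IOC_RUN_VALUE = "dispraisers"                 # HKCU\...\Run value name
IOC_EVENT = r"Global\4nZJFQQ"                 # named event created at runtime
IOC_ACCOUNTS = {"browner8674935daw0996"}      # known cloudme account names

# regsvr32 silently registering a DLL: regsvr32 "C:\WINDOWS\ctfmonm.dll" /s
REGSVR32_RE = re.compile(r'regsvr32\s+(?:"([^"]+)"|(\S+))\s+/s', re.IGNORECASE)
# Exfiltration URL shape: http://webdav.cloudme.com/[ACCOUNT NAME]/CloudDrive
CLOUDME_RE = re.compile(r"https?://webdav\.cloudme\.com/([^/\s]+)/CloudDrive", re.IGNORECASE)


def check_run_entries(run_values):
    """run_values: {value name: command line} read from HKCU\\...\\Run."""
    hits = []
    for name, cmd in run_values.items():
        if name == IOC_RUN_VALUE:
            hits.append(f"Run value name matches IoC: {name}")
        m = REGSVR32_RE.search(cmd)
        if m:
            dll = m.group(1) or m.group(2)
            if dll.split("\\")[-1].lower() in IOC_FILES:
                hits.append(f"regsvr32 registers IoC DLL: {dll}")
    return hits


def check_files(paths, windir="C:\\WINDOWS"):
    """Flag IoC file names that sit directly under %Windir% (assumed C:\\WINDOWS)."""
    hits = []
    for p in paths:
        head, _, tail = p.rpartition("\\")
        if head.lower() == windir.lower() and tail.lower() in IOC_FILES:
            hits.append(f"IoC file present: {p}")
    return hits


def check_events(event_names):
    """Flag the named event the Trojan creates."""
    return [f"IoC event present: {e}" for e in event_names if e == IOC_EVENT]


def check_proxy_log(lines):
    """Flag requests to the cloudme WebDAV path; note whether the account is a known one."""
    hits = []
    for line in lines:
        m = CLOUDME_RE.search(line)
        if not m:
            continue
        account = m.group(1)
        known = "known" if account in IOC_ACCOUNTS else "unlisted"
        hits.append(f"cloudme WebDAV upload path seen ({known} account {account}): {line.strip()}")
    return hits


def scan_all(run_values, paths, event_names, proxy_lines):
    """Run every check and return only the categories that produced hits."""
    results = {
        "registry": check_run_entries(run_values),
        "files": check_files(paths),
        "events": check_events(event_names),
        "network": check_proxy_log(proxy_lines),
    }
    return {k: v for k, v in results.items() if v}


# --- constructed sample inputs (not real telemetry) ---
SAMPLE_RUN = {
    "dispraisers": 'regsvr32 "C:\\WINDOWS\\ctfmonm.dll" /s',
    "OneDrive": "C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
}
SAMPLE_FILES = [
    "C:\\WINDOWS\\ctfmonm.dll",
    "C:\\WINDOWS\\roodgoose",
    "C:\\WINDOWS\\system32\\ctfmon.exe",   # legitimate, must not match
]
SAMPLE_EVENTS = ["Global\\4nZJFQQ", "Global\\UnrelatedEvent"]
SAMPLE_PROXY = [
    "2014-12-09T10:01:02 10.0.0.5 PUT http://webdav.cloudme.com/browner8674935daw0996/CloudDrive/docs.zip 201",
    "2014-12-09T10:01:05 10.0.0.7 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for category, hits in scan_all(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_EVENTS, SAMPLE_PROXY).items():
        print(category)
        for h in hits:
            print("  ", h)
```

Because cloudme.com is a legitimate service, the network check reports the account name rather than treating every request to the host as malicious; an unlisted account on the same /[ACCOUNT NAME]/CloudDrive path is still worth a look, since the write-up gives only one example name.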

Last update 09 December 2014
