
Trojan:MSIL/Spacekito.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Trojan:MSIL/Spacekito.A is also known as Adware-Okit!F2AB011D4F26, winpe/Vittalia.PDB, MSIL/Spacekito.A, Trojan.Gen.2, Win32.SuspectCrc.

Explanation :

Installation

This threat gets onto your PC through a Nullsoft Scriptable Install System (NSIS) compiled installer. It is usually installed without your consent as %APPDATA%\okitspace\protect\pluginprotect.exe.

It is then registered as a service named srvPlgProtect (displayed as "Protect your browser's extensions") and modifies these registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010" (SERVICE_WIN32_OWN_PROCESS)
Sets value: "Start"
With data: "dword:00000002" (SERVICE_AUTO_START: the Service Control Manager launches it at boot)
Sets value: "ErrorControl"
With data: "dword:00000001" (SERVICE_ERROR_NORMAL)
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem" (the service runs with LocalSystem privileges)

It might also create the following registry subkey as part of its installation routine:

Subkey: HKLM\SOFTWARE\PluginProtect

Payload

Steals your information

After the threat is registered as a service, it gets the following information about your PC:

Current date
Default browser
Installed antivirus program
Installed browsers
Operating system and version
UserID

It sends this information to a remote server.

We've seen it connecting to the following servers to send information and download files:

baseflash.com
okitspace.com
media.vitkvitk.com
media.vitjvitj.com
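The persistence footprint (the srvPlgProtect service values and the HKLM\SOFTWARE\PluginProtect marker key) and the four servers above, turned into a check a responder can run over exported data. This is an added example, not code from the original write-up or from the malware: it parses the text of a .reg export (the format `reg export` produces), reports which of the described service values are present, and matches hostnames from DNS or proxy logs against the listed servers, including subdomains. The registry export and the hostname list it runs on are constructed sample data, with ImagePath stored as REG_EXPAND_SZ (`hex(2):` UTF-16LE) as a real export would show it; the `cdn.baseflash.com` subdomain is invented to exercise subdomain matching.

```python
"""Spot Spacekito.A's service persistence and contacted hosts in exported data.
Sample registry export and hostname list below are constructed, not real captures."""
import re

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvPlgProtect"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\PluginProtect"
C2_HOSTS = {"baseflash.com", "okitspace.com", "media.vitkvitk.com", "media.vitjvitj.com"}

# ImagePath is REG_EXPAND_SZ, which `reg export` writes as hex(2): UTF-16LE bytes.
_IMAGE_PATH = r"%AppData%\okitspace\protect\PluginProtect.exe"
_IMAGE_PATH_HEX = ",".join(f"{b:02x}" for b in (_IMAGE_PATH + "\0").encode("utf-16-le"))

SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\srvPlgProtect]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):{_IMAGE_PATH_HEX}
"DisplayName"="Protect your browser's extensions"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\PluginProtect]
"""

# Constructed log hostnames; cdn.baseflash.com is made up to show subdomain matching.
SAMPLE_OBSERVED_HOSTS = ["www.microsoft.com", "okitspace.com", "cdn.baseflash.com.",
                         "MEDIA.vitkvitk.com", "example.org"]


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def decode_reg_value(raw):
    """Decode the right-hand side of a .reg value line into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    m = re.match(r"^hex\((\d+)\):(.*)$", raw)
    if m and m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other types (hex:, hex(7): ...) are left undecoded


def parse_reg_export(text):
    """Parse .reg text into {key path (lower-case): {value name (lower-case): value}}."""
    joined = []
    for line in text.splitlines():
        # a trailing backslash continues a long hex value onto the next line
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    keys, current = {}, None
    for line in joined:
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1)).lower()] = decode_reg_value(m.group(2))
    return keys


def spacekito_indicators(keys):
    """Return findings for the registry footprint the write-up describes."""
    findings = []
    svc = keys.get(SERVICE_KEY.lower())
    if svc is not None:
        findings.append("service key srvPlgProtect present")
        if svc.get("type") == 0x10:
            findings.append("Type=0x10 (SERVICE_WIN32_OWN_PROCESS)")
        if svc.get("start") == 2:
            findings.append("Start=2 (SERVICE_AUTO_START: launched at boot)")
        image = str(svc.get("imagepath", ""))
        if image.lower().endswith("pluginprotect.exe") and "appdata" in image.lower():
            findings.append("ImagePath is PluginProtect.exe under AppData: " + image)
        if str(svc.get("objectname", "")).lower() == "localsystem":
            findings.append("ObjectName=LocalSystem (runs as SYSTEM)")
        if svc.get("displayname") == "Protect your browser's extensions":
            findings.append("DisplayName matches the write-up")
    if MARKER_KEY.lower() in keys:
        findings.append("marker key HKLM\\SOFTWARE\\PluginProtect present")
    return findings


def suspicious_hosts(observed):
    """Hostnames (exact or subdomain) matching the servers the threat was seen contacting."""
    hits = set()
    for host in observed:
        h = host.lower().rstrip(".")
        if any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS):
            hits.add(h)
    return sorted(hits)


if __name__ == "__main__":
    for finding in spacekito_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("[registry]", finding)
    for host in suspicious_hosts(SAMPLE_OBSERVED_HOSTS):
        print("[network]", host)
```

On a live host, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect out.reg` and the hostnames from your resolver or proxy logs; key and value names are compared case-insensitively because the registry is.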

Installs plugins and displays ads in your browser

This threat downloads a .zip file called plugin.zip, which contains the plugins it installs.

Sample contents of plugin.zip are:

crxID - Contains text (the Chrome extension ID)
OKitSpace.crx - Chrome extension to be installed
OKitSpace.crx.zip - Chrome extension to be installed
OKitSpace.pem - private key used to pack and sign the Chrome extension
OKitSpace.dll - BHO (Browser Helper Object) to be installed in Internet Explorer
OKitSpace.xpi - Firefox plugin to be installed
version - Contains text (version of the plugin)
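The crxID text and the .pem travel together because Chrome derives an extension's ID from the public half of the key that signed it. The following is an added example, not code from the write-up or from the adware: it performs Chrome's derivation (SHA-256 over the DER-encoded public key, first 128 bits, hex digits remapped to the letters a to p) from a public-key PEM, so a responder can confirm which ID under the profile's Extensions directory and in its Preferences file belongs to the dropped OKitSpace.crx. It assumes you first extract the public key from the packing key, for instance with `openssl rsa -in OKitSpace.pem -pubout`; the key bytes used here are a constructed placeholder, not the real key.

```python
"""Derive a Chrome extension ID from its public key, as Chrome does, to check the
crxID text against the key that signed OKitSpace.crx. Sample key bytes are constructed."""
import base64
import hashlib

# Constructed stand-in for the DER SubjectPublicKeyInfo; any bytes exercise the
# derivation, since Chrome hashes the DER as-is. This is not the real OKitSpace key.
SAMPLE_DER = b"placeholder DER public key bytes for the worked example"
SAMPLE_PUBLIC_KEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                         + base64.encodebytes(SAMPLE_DER).decode("ascii")
                         + "-----END PUBLIC KEY-----\n")
# The same key as it would appear in the `key` field of an unpacked manifest.json.
SAMPLE_MANIFEST_KEY = base64.b64encode(SAMPLE_DER).decode("ascii")


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def extension_id_from_der(der):
    """Chrome ID: first 32 hex chars of SHA-256(DER SPKI), remapped 0-9a-f -> a-p."""
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def extension_id_from_pem(pem):
    return extension_id_from_der(pem_to_der(pem))


def extension_id_from_manifest_key(key_b64):
    """Same derivation from the base64 `key` field of an unpacked extension's manifest."""
    return extension_id_from_der(base64.b64decode(key_b64))


def crx_id_matches(crxid_text, pem):
    """Does the text in plugin.zip's crxID file name the extension this key signs?"""
    return crxid_text.strip().lower() == extension_id_from_pem(pem)


if __name__ == "__main__":
    ext_id = extension_id_from_pem(SAMPLE_PUBLIC_KEY_PEM)
    print("extension id:", ext_id)
    print("look under the Chrome profile at Extensions\\" + ext_id)
```

The ID is what Chrome uses as the directory name under the profile's Extensions folder and as the key in the Preferences file's extension settings, so matching it to crxID ties the dropped files to the installed extension without relying on its display name.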

When these plugins are installed, they can display unwanted pop-up ads in Internet Explorer, Firefox, or Chrome browsers.

Screenshots of the plugins' ads in Internet Explorer, Firefox and Chrome accompanied the original write-up (images not reproduced here).

The threat monitors all the plugins it installs. If a plugin is disabled, it immediately re-enables or activates the plugin. If the plugin is removed, the threat downloads and installs another copy of the plugin. Disabling or removing the extension in the browser therefore does not get rid of it while the service is still running; the service and its files must be removed first.

Analysis by Ricardo Robielos

Last update 15 February 2019
