TrojanDownloader:Win32/Tugspay.A
First posted on 15 February 2019.
Source: Microsoft
Aliases: TrojanDownloader:Win32/Tugspay.A is also known as DomaIQ.BU, APPL/DomaIQ.Gen, Trojan.DownLoader11.3971 and AdWare.DomaIQ.
Explanation:
Installation
TrojanDownloader:Win32/Tugspay.A uses social engineering to get your consent to install onto your PC. For example, we have seen it imitate a Java update. It persuades or tricks you into agreeing to download its file by posing as a legitimate request.
We have seen this threat installed by:
- Malicious or compromised websites, when a message appears asking you to download a file, for example a fake Java update or download, as shown below.
- Abused content delivery networks, for example when you are searching for a legitimate application or installer.
- Other malware, for example HackTool:Win32/Keygen and Exploit:Java/Anogre.E.
We have seen this threat downloaded with the following file names:
- avast_antivirus.exe
- avg antivirus.exe
- flashplayer.exe
- flvplayer.exe
- Google_chrome.exe
- iTunes.exe
- java.exe
- mcafee_antivirus_plus.exe
- microsoft-office-2010.exe
- microsoft-powerpoint-2010.exe
- microsoft-security-essentials.exe
- microsoft-Silverlight.exe
- microsoft-word.exe
- norton-antivirus.exe
- panda antivirus.exe
- player_setup.exe
- setup.exe
- skype.exe
- vlc-media-player.exe
Payload
Collects information about your PC
This threat performs machine and web browser fingerprinting. It checks and collects information about your PC including:
- Antivirus and firewall settings
- Default browser
- Machine architecture
- Operating system and version
- Service pack installed
- User data such as bookmarks, downloads, browsing history, passwords, sessions and cookies
- Web browsers installed
- Whether administrator privileges are enabled
It also checks its environment so that it does not run when it is being analyzed, debugged or executed in a controlled environment such as a virtual machine.
Downloads and installs unwanted software
This threat has a predefined list of applications that it can download and install. This includes:
- Amonetize
- AndroidAPK
- CouponServer
- Monetizer (refers to InstallMonetizer)
- ShoppingChip
- StrongVault
It might also install browser add-ons related to these applications.
We have also seen TrojanDownloader:Win32/Tugspay.A download the following malware and unwanted software:
- Adware:Win32/EoRezo
- Adware:Win32/Adpeak
- Misleading:Win32/OptimizerElite
- SoftwareBundler:Win32/CostMin
- TrojanClicker:Win32/Clikug.C
Traces of related downloads can be found in %TEMP% and %APPDATA%.
It also includes a feature that lets it download and perform dynamic installs driven by a configuration fetched from a remote host. This configuration contains the sources of affiliate distributions and the download URLs.
Connects to remote servers
The malware connects to a remote server. This could be to serve its social engineering screen, to post collected data, to read configurations, or to download files. We have seen it connect to the following servers:
- 54.201.5.113
- 54.213.138.138
- 69.16.175.10
- 82.12.5.27
- 85.12.8.28
- 173.193.180.130
- 208.87.233.180
- 207.171.187.117
Additional information
TrojanDownloader:Win32/Tugspay.A might use multiple techniques to hide its malicious intent including:
- Using a digital certificate to gain your trust.
- Using a website or download domain that appears legitimate. It usually uses the term "cloud" as part of its domain name, for example: mycloud101, srcloudfile, procloudbox, cloudbox, cloudsvr or cloudserver.
Analysis by Methusela Cebrian Ferrer
Last update 15 February 2019
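As an added defender-side example (not part of the Microsoft advisory), the following script turns two of the indicators above, the spoofed installer file names and the "cloud" terms in download domains, into a triage check over web proxy logs. The log format (timestamp, client IP, URL) and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Download file names the advisory lists for Tugspay.A, lower-cased for matching.
TUGSPAY_FILENAMES = {
    "avast_antivirus.exe", "avg antivirus.exe", "flashplayer.exe", "flvplayer.exe",
    "google_chrome.exe", "itunes.exe", "java.exe", "mcafee_antivirus_plus.exe",
    "microsoft-office-2010.exe", "microsoft-powerpoint-2010.exe",
    "microsoft-security-essentials.exe", "microsoft-silverlight.exe",
    "microsoft-word.exe", "norton-antivirus.exe", "panda antivirus.exe",
    "player_setup.exe", "setup.exe", "skype.exe", "vlc-media-player.exe",
}
# "cloud" terms the advisory says appear in the download domains (longer terms first,
# so "procloudbox" is reported rather than its substring "cloudbox").
CLOUD_TERMS = ("mycloud101", "srcloudfile", "procloudbox", "cloudserver", "cloudbox", "cloudsvr")
# Names that legitimate installers use too; alone they are too weak to report.
WEAK_NAMES = {"setup.exe", "java.exe", "skype.exe"}

# Constructed proxy log format (an assumption for this example): "<timestamp> <client> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+)$")

def tugspay_indicators(url):
    """Return the list of reasons a URL matches the advisory's indicators ([] if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    name = unquote(parsed.path.rsplit("/", 1)[-1]).lower()
    reasons = []
    for term in CLOUD_TERMS:
        if term in host:
            reasons.append(f"host contains cloud term '{term}'")
            break
    if name in TUGSPAY_FILENAMES:
        reasons.append(f"file name '{name}' is on the Tugspay download list")
    # A generic installer name with no domain signal is not worth an analyst's time.
    if len(reasons) == 1 and name in WEAK_NAMES and not reasons[0].startswith("host"):
        return []
    return reasons

def scan_log(lines):
    """Return (client, url, reasons) for every log line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            reasons = tugspay_indicators(m["url"])
            if reasons:
                hits.append((m["client"], m["url"], reasons))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2019-02-15T10:01:02Z 10.0.0.12 http://dl.mycloud101.example/java.exe",
    "2019-02-15T10:02:40Z 10.0.0.15 http://downloads.example.org/setup.exe",
    "2019-02-15T10:03:11Z 10.0.0.20 http://cdn.example.net/flvplayer.exe",
    "2019-02-15T10:04:30Z 10.0.0.21 http://procloudbox.example/index.html",
]
```

Hits carry the matched reasons so an analyst can see whether a line was flagged by the domain heuristic, the file name, or both; the second sample line (a bare setup.exe from an ordinary host) is deliberately left unreported.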