
Trojan:PowerShell/Certor.A


First posted on 19 August 2016.
Source: Microsoft

Aliases :

There are no other names known for Trojan:PowerShell/Certor.A.

Explanation :

Installation


On execution, this threat installs the certificate bundled with it (cert.der) and also imports that certificate into Mozilla Firefox, which keeps its own certificate store separate from the Windows store. A certificate the browser trusts is what lets the proxy configured in the payload stage intercept HTTPS traffic without triggering certificate warnings.

It also downloads the following components:

  • The Task Scheduler library, saved to the %TEMP% folder and installed from the following legitimate URL:
    http://download-codeplex.sec.s-msft.com/Download/Release?ProjectName=taskscheduler&DownloadId=1505290&FileTime=131077268832800000&Build=21031
  • The Tor client, saved to %APPDATA%\Tor and installed from the following legitimate URL:
    https://www.torproject.org/dist/torbrowser/6.0.2/tor-win32-0.2.7.6.zip
  • A customized Proxifier, saved to %APPDATA%\Tor\p\ and installed from the following URL:
    http://.link/p1.zip?t=


Payload


Changes the browser's proxy settings

This threat is a component of the Certor malware family. Its payload changes the browser's proxy settings so that web traffic is routed through a proxy the malware controls, allowing it to intercept that traffic.
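The following triage script is an added example and is not part of Microsoft's write-up; it checks a Windows host for the artifacts this entry describes: the dropped folders under %APPDATA%\Tor, the Task Scheduler package in %TEMP%, WinINET and Firefox proxy settings, recently added root certificates, and scheduled tasks pointing into the Tor folder. The registry keys and Firefox profile paths are the standard locations for those settings. The file-name pattern for the Task Scheduler download, the 30-day look-back for certificates, and matching scheduled tasks on the Tor folder are assumptions, since the entry gives neither the certificate subject nor the task the malware creates.

```powershell
# Added triage script for Trojan:PowerShell/Certor.A indicators (example, not Microsoft's code).
# Run as the affected user; Get-ScheduledTask needs Windows 8 / Server 2012 or later.

$findings = @()

# 1. Dropped components named in the write-up. The 'taskscheduler*' pattern is an assumption;
#    the entry only says the package is downloaded to %TEMP%.
$paths = @(
    (Join-Path $env:APPDATA 'Tor'),
    (Join-Path $env:APPDATA 'Tor\p'),
    (Join-Path $env:TEMP  'taskscheduler*')
)
foreach ($p in $paths) {
    if (Test-Path $p) { $findings += "Path present: $p" }
}

# 2. WinINET proxy settings, which IE, Edge and Chrome honour. A fixed proxy or a PAC URL
#    is what "changes the browser's proxy settings" looks like in the registry.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($props.ProxyEnable -eq 1 -and $props.ProxyServer) {
    $findings += "WinINET proxy enabled: $($props.ProxyServer)"
}
if ($props.AutoConfigURL) {
    $findings += "WinINET PAC URL set: $($props.AutoConfigURL)"
}

# 3. Firefox keeps its own proxy prefs and its own trust store (cert9.db / cert8.db),
#    so a separate check per profile is needed.
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem $ffProfiles -Directory | ForEach-Object {
        $profile = $_.FullName
        foreach ($f in 'prefs.js', 'user.js') {
            $file = Join-Path $profile $f
            if (Test-Path $file) {
                Select-String -Path $file -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
                    ForEach-Object { $findings += "Firefox $f in $profile : $($_.Line.Trim())" }
            }
        }
        foreach ($db in 'cert9.db', 'cert8.db') {
            $dbPath = Join-Path $profile $db
            if (Test-Path $dbPath) {
                $findings += "Firefox trust store $db in $profile last written $((Get-Item $dbPath).LastWriteTime)"
            }
        }
    }
}

# 4. Root certificates that look recently issued. NotBefore is attacker-controlled, so this is
#    only a first pass; comparing thumbprints against a known-good baseline is more reliable.
$cutoff = (Get-Date).AddDays(-30)   # assumed look-back window
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem $store | Where-Object { $_.NotBefore -gt $cutoff } | ForEach-Object {
        $findings += "Recent root cert in ${store}: $($_.Subject) ($($_.Thumbprint))"
    }
}

# 5. Scheduled tasks whose action points into the Tor folder. The write-up says a Task Scheduler
#    library is fetched but not what task it creates; matching on the folder is an assumption.
$torDir = [regex]::Escape((Join-Path $env:APPDATA 'Tor'))
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $torDir) {
            $findings += "Scheduled task '$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else           { Write-Output 'No Certor-style indicators found.' }
```

Any hit in sections 2 or 3 combined with a hit in section 4 is the combination this threat relies on: a proxy in the traffic path plus a certificate the browser trusts. Remove the certificate from both the Windows store and the Firefox profile, not just one of them, and reset the proxy settings before considering the host clean.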





Analysis by Alden Pornasdoro and Vincent Tiu

Last update 19 August 2016
