TrojanDownloader:JS/Stenago.A
First posted on 23 December 2016.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:JS/Stenago.A.
Explanation:
This threat is malicious JavaScript code hidden inside image files; the technique is called steganography.
This threat can create files in the Temporary Internet Files folder, for example:
countly.min.js
It collects information about your PC and browser environment, such as locale, screen resolution, GMT time offset, current date, user agent string, and device pixel ratio.
It then connects to any of the following command-and-control (C&C) servers to send collected information:
- hxxp:// ainab.photographyquincemiami.com/w2juxekry8h9votrvb3-k72wiogn2yq2f3it5d17/j9r
- hxxp:// browser-defence.com
- hxxp:// compe.quincephotographyvideo.com/kil5mrm1z0t-ytwgvx/g7fjx4_caz9
- hxxp:// conce.republicoftaste.com/urq5kb7mnimqz/3dyv72cqtwjbgf5e89hyqryq5zu60_os24kfs1j3u_i
- hxxp:// connt.modusinrebus.net/34v-87d0u3
- hxxp:// entat.usedmachinetools.co/6yg1vl0q15zr6hn780pu43fwm5297itxgd19rh54-3juc2xz1t-oes5bh
- hxxp:// faant.tresmas1arquitectos.com
- hxxp:// ntion.atheist-tees.com/v2mit3j_fz0cx172oab_eys6940_rgloynan40mfqju6183a9a4kn/f
- hxxp:// rated.republicoftaste.com/6t8os/lv-pne1_dshrmqgx-8zl8wd2v5h5m26m_w_zqwzq
- hxxp:// rence.backstageteeshirts.com/qen5sy/6hjyrw79zr2zokq1t4dpl276ta8h8-/3sf9jlfcu0v7daixie_do6zb843/z7
- hxxp:// tinyurl.com/gplnhvm
- hxxp:// tinyurl.com/gwwltaf
- hxxp:// tinyurl.com/hgnsysa
- hxxp:// tinyurl.com/hvfnohs
- hxxp:// tinyurl.com/j56ks2b
- hxxp:// tinyurl.com/jf67ejb
- hxxp:// tinyurl.com/jqp7efh
It can then receive configuration or other data from the C&C server. We have seen the C&C server reply with a Portable Network Graphics (PNG) image file that itself carries hidden JavaScript code embedded using steganography.
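The following is an added example, not code from this threat or from Microsoft's analysis, showing one way JavaScript can be carried inside a PNG and how an analyst can recover and triage it. The embedding scheme is an assumption chosen for illustration: payload bits are written into the least significant bit of each pixel byte, preceded by a 32-bit big-endian length. The page does not say which channel or bit plane this threat uses, so treat the scheme, the cover image, the sample script and all function names here as constructed. The block builds a minimal 8-bit RGBA PNG by hand (cycling through all five scanline filter types), parses it back with CRC checks, un-filters the scanlines, reads the LSB plane, and applies a cheap printable-ASCII plus token heuristic to decide whether the recovered bytes look like a script.

```python
# Added example, not the threat's code or Microsoft's tooling: hides a constructed script in the low bit of
# each pixel byte of a hand-built 8-bit RGBA PNG and recovers it from the PNG bytes alone. The embedding
# scheme (LSB plane, 32-bit big-endian length prefix) is an assumption made to illustrate the technique.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
BPP = 4  # bytes per pixel for 8-bit RGBA
WIDTH, HEIGHT = 32, 8  # constructed cover size: 1024 pixel bytes, i.e. 1024 bits of LSB capacity
SAMPLE_SCRIPT = b"var c = screen.width + 'x' + screen.height; // constructed, harmless stand-in"

def make_cover() -> bytes:
    """Constructed RGBA cover image with simple gradients so the scanline filters have work to do."""
    return bytes(v for y in range(HEIGHT) for x in range(WIDTH)
                 for v in ((x * 7 + y * 13) & 0xFF, (x * 3) & 0xFF, (y * 31) & 0xFF, 0xFF))

def _predict(ftype, cur, prev, i):
    """PNG filter predictor for byte i from its left (a), up (b) and upper-left (c) neighbours."""
    a, b, c = (cur[i - BPP] if i >= BPP else 0), prev[i], (prev[i - BPP] if i >= BPP else 0)
    if ftype == 4:  # Paeth
        p = a + b - c
        pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
        return a if pa <= pb and pa <= pc else (b if pb <= pc else c)
    if ftype > 4:
        raise ValueError(f"unknown PNG filter type {ftype}")
    return (0, a, b, (a + b) // 2)[ftype]  # None, Sub, Up, Average

def _chunk(kind: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF)

def build_png(pixels: bytes, width: int = WIDTH, height: int = HEIGHT) -> bytes:
    """Encode raw RGBA bytes as a PNG, cycling through all five filter types so the parser is exercised."""
    stride, raw, prev = width * BPP, bytearray(), bytes(width * BPP)
    for y in range(height):
        cur, ftype = pixels[y * stride:(y + 1) * stride], y % 5
        raw += bytes([ftype]) + bytes((cur[i] - _predict(ftype, cur, prev, i)) & 0xFF for i in range(stride))
        prev = cur
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 (RGBA), not interlaced
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")

def parse_png(data: bytes):
    """Decode an 8-bit non-interlaced RGBA PNG to (width, height, unfiltered pixels), checking each chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos, idat, width, height = len(PNG_SIGNATURE), bytearray(), 0, 0
    while pos + 12 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        body, (crc,) = data[pos + 8:pos + 8 + length], struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {kind!r} chunk")
        if kind == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 6, 0):
                raise ValueError("only 8-bit non-interlaced RGBA is handled here")
        elif kind == b"IDAT":
            idat += body
        elif kind == b"IEND":
            break
        pos += 12 + length
    stride, raw, out, prev = width * BPP, zlib.decompress(bytes(idat)), bytearray(), bytes(width * BPP)
    for y in range(height):
        ftype, line = raw[y * (stride + 1)], bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        for i in range(stride):  # left/upper-left neighbours come from already reconstructed bytes, per the spec
            line[i] = (line[i] + _predict(ftype, line, prev, i)) & 0xFF
        out += line
        prev = bytes(line)
    return width, height, bytes(out)

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length prefix plus payload into the least significant bit of consecutive pixel bytes."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(pixels):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixels)
    for i, byte in enumerate(blob):
        for k in range(8):
            out[i * 8 + k] = (out[i * 8 + k] & 0xFE) | ((byte >> (7 - k)) & 1)
    return bytes(out)

def extract_lsb(pixels: bytes):
    """Read the LSB plane back; None when the length prefix is implausible (most likely no payload present)."""
    def read(bit_offset, n):
        return bytes(sum((pixels[bit_offset + j * 8 + k] & 1) << (7 - k) for k in range(8)) for j in range(n))
    (length,) = struct.unpack(">I", read(0, 4))
    return None if length == 0 or length * 8 + 32 > len(pixels) else read(32, length)

def looks_like_script(blob: bytes) -> bool:
    """Cheap triage: mostly printable ASCII and at least one browser/JavaScript token."""
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob) / len(blob)
    text = blob.decode("ascii", errors="ignore")
    return printable > 0.95 and any(t in text for t in ("var ", "function", "eval(", "document.", "screen.", "navigator."))

def scan_png(data: bytes):
    """Triage a PNG: (recovered LSB payload or None, whether that payload looks like a script)."""
    payload = extract_lsb(parse_png(data)[2])
    return payload, payload is not None and looks_like_script(payload)
```

To see the round trip, call `scan_png(build_png(embed_lsb(make_cover(), SAMPLE_SCRIPT)))`, which returns the constructed script and `True`; the same call on `build_png(make_cover())` returns `(None, False)` because the random-looking LSBs of the clean cover do not decode to a plausible length. The length-prefix sanity check is what keeps the heuristic from flagging every image, and the token list is deliberately crude: in practice a sample would be handed to a proper JavaScript deobfuscator once the hidden bytes are recovered.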
Analysis by: Dmitriy Pletnev
Last update: 23 December 2016