TrojanSpy:MSIL/Omaneat
First posted on 14 March 2017.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:MSIL/Omaneat.
Explanation:
Installation
This threat creates a copy of itself as a hidden file in %ProgramData%. We have seen it use the following file names:
- %ProgramData%\client\client.exe
- %ProgramData%\document\client.exe
- %ProgramData%\notepad.exe
- %APPDATA%\clienonitor.exe
It creates various encrypted registry entries for configuration. It also creates registry entries so that it runs every time your PC starts, for example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: Client
With data: "cmd /c start Client"
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.
Payload
Collects sensitive information
This threat can collect your sensitive information without your consent. This can include:
- The keys you press
- The applications you open
- Your web browsing history
- Your credit card information
- Your user names and passwords
It also takes screenshots, encrypts them, and saves them in the following folder:
- %APPDATA%\roaming\monitor\screenshots\
For example, C:\Users\Administrator\AppData\roaming\monitor\screenshots\03-09-2017\10.25 AM.
We have seen it take screenshots every 10 minutes, but it may vary based on the configuration.
Connects to a remote host
We have seen this threat connect to a remote host, including:
- apalumin[.]ddns[.]net using port 1338
- samsonlove[.]ddns[.]net at TCP port 19319
- 193[.]150[.]13[.]211 at TCP port 25418
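The file, registry and network indicators listed in the Installation and "Connects to a remote host" sections above can be checked mechanically against records collected from a host. The following Python is an added example and not Microsoft's code: it matches a file listing, autorun entries and outbound connections against exactly the indicators on this page. The environment mapping, the sample records and the function names are constructed for illustration; the indicators themselves are copied from the description (domains kept in their defanged form and refanged before comparison).

```python
"""Match collected host telemetry against the TrojanSpy:MSIL/Omaneat
indicators listed on this page. Added example; all sample records and the
SAMPLE_ENV mapping are constructed, not taken from a real system."""
import re

# Drop locations from the description, in Windows %VAR% form. expand() resolves
# them against a supplied mapping so the check runs on any platform.
FILE_INDICATORS = [
    r"%ProgramData%\client\client.exe",
    r"%ProgramData%\document\client.exe",
    r"%ProgramData%\notepad.exe",
]
# The page's concrete screenshot example is C:\Users\...\AppData\roaming\monitor\screenshots\,
# so the screenshot store is matched on that path fragment (compared lowercase).
SCREENSHOT_MARKER = "\\appdata\\roaming\\monitor\\screenshots\\"

# Persistence entry from the description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUN_VALUE = "Client"
RUN_DATA = "cmd /c start Client"

# Remote hosts, defanged exactly as on the page.
NETWORK_INDICATORS = [
    ("apalumin[.]ddns[.]net", 1338),
    ("samsonlove[.]ddns[.]net", 19319),
    ("193[.]150[.]13[.]211", 25418),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a comparable host name."""
    return indicator.replace("[.]", ".")


def expand(path: str, env: dict) -> str:
    """Expand %VAR% tokens from env (case-insensitive) and lowercase the result."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)),
                  path).lower()


def match_files(file_paths, env):
    """Return observed paths equal to a known drop location or inside the screenshot store."""
    known = {expand(p, env) for p in FILE_INDICATORS}
    return [p for p in file_paths
            if p.lower() in known or SCREENSHOT_MARKER in p.lower()]


def match_autoruns(entries):
    """entries: iterable of (key, value_name, data). Quotes around data are ignored."""
    return [(key, name, data) for key, name, data in entries
            if key.lower() == RUN_KEY.lower()
            and name.lower() == RUN_VALUE.lower()
            and data.strip('"').lower() == RUN_DATA.lower()]


def match_connections(conns):
    """conns: iterable of (remote_host, remote_port).

    A host match on a port the page did not list is still reported, tagged
    'host only', since the listed ports are observations rather than a rule."""
    known = {}
    for host, port in NETWORK_INDICATORS:
        known.setdefault(refang(host).lower(), set()).add(port)
    hits = []
    for host, port in conns:
        ports = known.get(host.lower())
        if ports is not None:
            hits.append((host, port, "host+port" if port in ports else "host only"))
    return hits


def scan(files, autoruns, conns, env):
    """Run all three checks and return the hits grouped by indicator type."""
    return {"files": match_files(files, env),
            "autoruns": match_autoruns(autoruns),
            "connections": match_connections(conns)}


# Constructed sample input: one true hit of each kind plus benign look-alikes.
SAMPLE_ENV = {"ProgramData": r"C:\ProgramData",
              "APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_FILES = [
    r"C:\ProgramData\client\client.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\monitor\screenshots\03-09-2017\10.25 AM",
    r"C:\Windows\notepad.exe",  # the real notepad, must not be flagged
]
SAMPLE_AUTORUNS = [
    (RUN_KEY, "Client", '"cmd /c start Client"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
SAMPLE_CONNECTIONS = [
    ("samsonlove.ddns.net", 19319),
    ("193.150.13.211", 443),
    ("update.microsoft.com", 443),
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_FILES, SAMPLE_AUTORUNS, SAMPLE_CONNECTIONS, SAMPLE_ENV).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

Feed it the output of a file inventory, an autorun export and a connection table from the host under investigation; the `%ProgramData%` and `%APPDATA%` values should come from the profile of the user whose session is being examined, since the drop locations differ per account.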
Analysis by Jeong Mun
Last update 14 March 2017