Win32/Netfosor
First posted on 21 April 2016.
Source: Microsoft
Aliases:
There are no other names known for Win32/Netfosor.
Explanation:
Installation
Some versions of this sample have been seen to set themselves up to run automatically using the following registry key:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "%appdata%\svchost.exe"
With data: "360v"
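The Run-key persistence above is the most visible host artifact in this description. The following is an added example (not Microsoft's code and not part of the original write-up) that parses the output of `reg query` for the HKCU Run key, using a constructed sample, and flags entries that match the value/data pairing given here or, more broadly, any Run entry referencing svchost.exe outside the Windows system directories:

```python
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output; not a capture from a real machine. The second entry mirrors the pairing
# in the write-up, the third is a more common way such a dropper would register.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    %appdata%\svchost.exe    REG_SZ    360v
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
"""

# reg query prints: <indent><value name><2+ spaces><REG_type><2+ spaces><data>
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
SYSTEM_SVCHOST_RE = re.compile(r"\\(system32|syswow64)\\svchost\.exe")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn reg query output into a list of {name, type, data} dicts."""
    return [m.groupdict() for m in map(ENTRY_RE.match, text.splitlines()) if m]


def is_netfosor_like(entry: Dict[str, str]) -> bool:
    """True if a Run entry matches the persistence described for Win32/Netfosor."""
    name, data = entry["name"].lower(), entry["data"].lower()
    # Exact pairing from the write-up: value "%appdata%\svchost.exe", data "360v".
    if name == r"%appdata%\svchost.exe" and data == "360v":
        return True
    # Broader heuristic: the legitimate svchost.exe lives only under System32 /
    # SysWOW64 and is never started from a Run key, so any Run entry naming it
    # elsewhere (in the value name or the data) is worth a look.
    return any("svchost.exe" in f and not SYSTEM_SVCHOST_RE.search(f) for f in (name, data))


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return the Run entries in reg query output that look like this persistence."""
    return [e for e in parse_reg_query(text) if is_netfosor_like(e)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REG_QUERY):
        print(f"suspicious Run entry: {hit['name']!r} -> {hit['data']!r}")
```

On a live host, feed it the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) instead of the constructed sample.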
Payload
Downloads and runs files
This threat can receive commands from a hacker to download and run files on your PC. The output of the files, when run, is then sent back to the command and control server (C&C).
Allows backdoor access and control
Depending on what the hacker commands this threat to do to your PC, this threat can:
- settime - sets your PC's time
- drive - sends back to the C&C server the letters used for your logical drives (A: to Z:)
- list - sends information about your file system back to the C&C server
- down - uploads the contents of a local file back to a server
- upload - downloads a remote file from a server onto your PC
- open - runs a local file while gathering its output; this command only works if the year is 2014 or earlier
We've observed the C&C server to be microsoften.com. A hardcoded user name and password are used to connect to the C&C server.
This threat can also report the infected PC's local network IP address back to the C&C server.
Additional information
If this threat is run with SYSTEM privileges, it determines the user name of the currently logged-on Remote Desktop Protocol user and then impersonates that user. That user account is used to carry out the payload, and the user name is reported back to the C&C server.
Last update 21 April 2016