TrojanSpy:MSIL/Golroted.B
First posted on 08 March 2019.
Source: Microsoft
Aliases:
There are no other names known for TrojanSpy:MSIL/Golroted.B.
Explanation:
Installation
We have seen the threat with the following file names:
RE_Signed_Invoice_&_Deposit_Slip.zip^New_Order.scr
Re_Please_Correct_your_Bank_Swift.zip^Re_Please_Correct_your_Bank_Swift.scr
The threat drops a copy of itself as appreadiness.exe in the %APPDATA%\microsoft folder. It also drops a component file, defragsvc.exe, in the same folder.
The component file, detected as Trojan:MSIL/Golroted, changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Application Readiness"
With data: "<path to the dropped component>", for example "%APPDATA%\microsoft\defragsvc.exe"
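As an added, defender-side example (not code from the Microsoft write-up), the following Python parses a decoded `.reg` export of the HKCU Run key and flags entries matching the persistence described above; the sample export, including its benign OneDrive entry, is constructed for illustration.

```python
import re
# Indicators from the description above: the Run value name, the two dropped
# binaries and the %APPDATA%\microsoft drop folder.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAME = "application readiness"
SUSPECT_BINARIES = {"defragsvc.exe", "appreadiness.exe"}
SUSPECT_DIR = re.compile(r"(%appdata%|appdata\\roaming)\\microsoft\\", re.IGNORECASE)
# Constructed sample (not a real export): a `reg export` of the HKCU Run key
# after decoding to text. The OneDrive entry is benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Application Readiness"="%APPDATA%\\microsoft\\defragsvc.exe"
'''
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with \

def parse_run_key(reg_text):
    """Return {value_name: data} for the HKCU Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def image_path(data):
    """Executable path from Run-value data, honouring a quoted path."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split()[0] if data.split() else ""

def find_golroted_persistence(reg_text):
    """Flag Run values matching the Golroted.B persistence described above."""
    findings = []
    for name, data in parse_run_key(reg_text).items():
        path, reasons = image_path(data), []
        if name.lower() == SUSPECT_VALUE_NAME:
            reasons.append("value name is 'Application Readiness'")
        if path.rsplit("\\", 1)[-1].lower() in SUSPECT_BINARIES:
            reasons.append("image is a known Golroted.B file name")
        if SUSPECT_DIR.search(path):
            reasons.append("image is under the %APPDATA%\\microsoft drop folder")
        if reasons:
            findings.append({"name": name, "image": path, "reasons": reasons})
    return findings
```

Run it against `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` output (decoded from UTF-16) to check a host; a hit on the value name alone is worth a look even if the binary has been renamed.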
Payload
Steals product keys and personal information
The threat runs a command-line password and product key recovery tool in the background. We have seen it use the following tools:
HackTool:Win32/Mailpassview
HackTool:Win32/IEPassview
The threat tries to steal information stored on your PC, including:
Game product keys
Skype contacts
Minecraft credentials
Clipboard contents
FTP passwords
The information generated by the recovery tool is sent back to the user via email.
The tool also records keystrokes you make when using your PC.
Analysis by Zarestel Ferrer
Last update 08 March 2019