14 DAY TRIAL // Researchers have been monitoring a new malware family that’s currently being used in targeted attacks against organizations – mainly from the government sector – located in the Asia-Pacific region. The malware, dubbed EvilGrab, is designed to steal information from infected computers.
According to Trend Micro, the threat mainly targets organizations from China and Japan. Cybercriminals are distributing the malware with the aid of spear phishing emails that carry malicious Microsoft Office documents.
One executable file and two .dll files represent EvilGrab’s main components. The .exe file installs the other components. One of the .dll files is the main backdoor component, loaded by the other .dll file. In some cases, the .exe file is deleted after installation. This is done in an effort to cover its tracks.
Once it’s installed, EvilGrab starts stealing information. The threat is capable of grabbing audio and video files played on the system with the aid of standard Windows APIs. In addition, it can take screenshots, log keystrokes, and steal Internet Explorer and Outlook credentials. The stolen information is uploaded to a server controlled by the cybercriminals.
EvilGrab also looks for the presence of certain applications, such as Tencent QQ, the popular Chinese instant messaging app. If the application is found, the content of the memory used by QQ is stolen. This information could include conversations and contact lists.
Interestingly, the malware injects itself into the processes of security products from ESET, Kaspersky, and McAfee. If the security applications are not found, the threat injects itself into Windows system processes.
As far as its backdoor capabilities are concerned, EvilGrab allows its master to carry out a wide range of commands on the infected system.
Trend Micro details this malware family in its 2Q report on targeted attack campaigns.