Terminating malware's process leads to BSOD

Oct 30, 2016 20:20 GMT  ·  By

Because malware authors never sleep, it is always entertaining to see the most recent tactics they're coming up with to distribute their payloads.

Security researchers from Malwarebytes have stumbled upon a malware campaign that uses some pretty out-of-the-ordinary tactics.

The Malwarebytes team says they've discovered a tainted file called VMWare.exe, which appears to be a pirated or cracked version of the well-known VMware virtualization software.

Suspicious file fetches PasteBin script that installs njRAT

Pieter Arntz, Malwarebytes malware researcher, says that during the installation of this suspicious application, the installer would connect to PasteBin, a text sharing portal, access a page, and download a paste.

He says this paste contained a Visual Basic script, which the installer would run on the victim's PC. The script would in turn connect to a remote server, then download and execute another executable, Tempwinlogon.exe.

Arntz says this file would install the Bladabindi remote access trojan (RAT), also known as Derusbi or njRAT.

Operating from a file called Tr.exe, this RAT would then record the user's keystrokes through its keylogger component.
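The chain described above (installer reaches a paste site, launches a script host, the script launches a second-stage executable from a user-writable directory) is the kind of sequence a defender can flag in process-creation and network telemetry. The following detection logic and its sample events are an added example for this article; they are not Malwarebytes' code or data. The event schema, process IDs, user paths and the generic "update server" host are constructed assumptions; only the file names VMWare.exe, Tempwinlogon.exe and the Pastebin site come from the article.

```python
"""Flag the installer -> paste site -> script host -> dropped EXE chain in
constructed endpoint telemetry (added example, not the original article's code)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows script hosts that would execute a downloaded Visual Basic script.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Paste/text-sharing sites; a user opening one in a browser is normal,
# an installer fetching one silently is not.
PASTE_SITES = {"pastebin.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
# Path fragments that mark user-writable locations a dropped second stage lands in.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Event:
    ts: int                  # monotonically increasing timestamp (constructed)
    kind: str                # "proc" = process creation, "net" = outbound connection
    pid: int                 # process the event belongs to
    image: str               # full path of that process
    ppid: Optional[int] = None   # proc events: parent pid
    host: Optional[str] = None   # net events: destination hostname


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Return (rule, parent_pid, child_pid) alerts for the two links of the chain:
    1. a non-browser process contacted a paste site and then spawned a script host;
    2. a script host spawned an executable from a user-writable directory."""
    alerts = []
    contacted_paste = set()    # pids of non-browser processes that reached a paste site
    image_of = {}              # pid -> image path, learned from proc events
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "net":
            if ev.host and ev.host.lower() in PASTE_SITES and basename(ev.image) not in BROWSERS:
                contacted_paste.add(ev.pid)
        elif ev.kind == "proc":
            image_of[ev.pid] = ev.image
            child = basename(ev.image)
            parent = basename(image_of.get(ev.ppid, ""))
            if child in SCRIPT_HOSTS and ev.ppid in contacted_paste:
                alerts.append(("paste_to_script", ev.ppid, ev.pid))
            if parent in SCRIPT_HOSTS and any(d in ev.image.lower() for d in USER_WRITABLE):
                alerts.append(("script_drops_exe", ev.ppid, ev.pid))
    return alerts


# Constructed sample telemetry: one infection chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Event(1, "proc", 100, "C:\\Users\\alice\\Downloads\\VMWare.exe", ppid=1),
    Event(2, "net", 100, "C:\\Users\\alice\\Downloads\\VMWare.exe", host="pastebin.com"),
    Event(3, "proc", 101, "C:\\Windows\\System32\\wscript.exe", ppid=100),
    Event(4, "net", 101, "C:\\Windows\\System32\\wscript.exe", host="update-server.invalid"),
    Event(5, "proc", 102, "C:\\Users\\alice\\AppData\\Local\\Temp\\Tempwinlogon.exe", ppid=101),
    # Benign: a user reads a paste in a browser (no alert).
    Event(6, "proc", 200, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", ppid=1),
    Event(7, "net", 200, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", host="pastebin.com"),
    # Benign: a logon script runs a system binary (no alert).
    Event(8, "proc", 201, "C:\\Windows\\System32\\wscript.exe", ppid=1),
    Event(9, "proc", 202, "C:\\Windows\\System32\\ipconfig.exe", ppid=201),
]

if __name__ == "__main__":
    for rule, parent, child in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: parent pid {parent} -> child pid {child}")
```

Both rules fire on the constructed chain and neither fires on the benign events; in practice the parent-process bookkeeping would come from an EDR or Sysmon feed rather than an in-memory list, and the browser and script-host allow-lists are where tuning happens.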

Malware crashes PC if users try to terminate its process

Arntz explains that if users notice the suspicious process running on their PCs and attempt to terminate it via Task Manager, the computer would instantly crash, showing a BSOD.

This behavior is similar to that of a JavaScript-based malware strain discovered by Kahu Security. Whenever users attempted to terminate that malware's process, it would shut down the PC and then restart itself through a boot persistence mechanism it had installed in an earlier phase.

"Do consider changing your passwords though, if you have been infected with this RAT, since the passwords might have been compromised by this threat," Arntz warns users.