Fruity Trojan attacks Russian-speaking users

Downloaded a booster for your video card? Say goodbye to your personal data.

Doctor Web researchers have uncovered a cybercriminal operation to create fake websites that distribute malicious software installers to trick gullible users into downloading the Fruity Trojan downloader.

The ultimate goal of the attackers is to install remote control tools, such as the Remcos RAT Trojan, on the infected computer.

Among the software under consideration were “tools for fine-tuning the operation of processors, video cards and BIOS, utilities for checking the status of computer equipment, and a number of others. Such installers serve as bait and contain not only the software of interest to the potential victim, but also the Trojan itself, along with all its components,” the experts said.

The exact initial attack vector of this operation is not clear; it may involve phishing, banner ads, or other methods. Users who somehow land on a fake site download the installer of the program it advertises, packaged in a ZIP archive.

Fake websites with malware
The installer secretly drops the Fruity Trojan, written in Python, which unpacks the "Idea.mp3" MP3 file and then downloads the "Fruit.png" image to start a multi-stage infection process that is practically undetectable by antivirus software, because the components use file extensions not normally associated with malware.

Full attack scheme of the Fruity trojan
According to Doctor Web experts, these files use the steganography method to hide executable DLLs and the corresponding shellcode inside them to initialize the next stage of the attack.
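The report does not say how the DLLs and shellcode are embedded in the image, so as an added defender-side example (not code from Doctor Web or from the malware) here is a Python heuristic for a PNG carrier: it walks the chunk list, verifies CRCs, and flags an embedded PE header or any bytes trailing the IEND chunk. The PNG and the PE stub it is tested against are constructed stand-ins, not the real Fruit.png or its payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png():
    """Constructed 1x1 grayscale PNG standing in for a benign image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def fake_pe_image():
    """Constructed stand-in for a dropped DLL: MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20

def find_pe(buf):
    """Offset of an embedded PE image (MZ header with e_lfanew -> 'PE\\0\\0'), or -1."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
            if buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
                return off
        off = buf.find(b"MZ", off + 1)
    return -1

def inspect_png(data):
    """Report stego-carrier anomalies: bad CRC, PE inside a chunk, bytes after IEND."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return findings + [f"truncated {ctype!r} chunk"]
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"bad CRC in {ctype!r}")
        if find_pe(body) != -1:
            findings.append(f"PE image inside {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IEND":
            break  # anything past this point is not part of the image
    trailer = data[pos:]
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
        if find_pe(trailer) != -1:
            findings.append("PE image in trailer")
    return findings
```

A payload hidden in pixel data (true steganography) would pass these checks; the trailer and chunk scans catch only the simplest carrier layouts.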

Fruity is designed with a focus on bypassing antivirus detection and eventually launching the Remcos RAT malware using a method called Process Doppelgänging. However, the attack vector could potentially be used to spread any other malware.

Doctor Web specialists remind you that you should download software only from trustworthy sources — from official websites of developers and from specialized directories. In addition, for uncompromising computer protection, it is advisable to install a reliable antivirus solution.