CERT-IN Warns of Info-Stealing TrojanAgency Issues Alert About Golroted Malware Variants
CERT-In has issued a virus alert against variants of a new malware family, being called Golroted. The Golroted Trojan is known to have spyware functionality and is spreading fast, the CERT-In advisory says.
The malware is known to be spreading via spear phishing campaigns as attachments and by replicating itself onto removable drives. The malware affects Windows systems and is capable of stealing personally identifiable information from the affected machines, including the IP addresses, passwords, installed security software and other sensitive system details. Golroted has the ability to specifically go after financial information and is known to be targeting banking sites and online payment sites, the advisory says.
In a malware report from June 2015, Indian anti-virus company Quick Heal found that the information stealing Trojan has been active since October 2014 and that the largest percentage of compromises are from India at 33%, followed by Indonesia at 31%; Thailand follows a distant third with 9%.
According to the Quick Heal report, once a system is compromised by downloading an infected attachment, Golroted variants exfiltrate sensitive information from the affected systems to a preconfigured FTP server or via email attachments. The command and control servers for the malware are located in the US, the Quick Heal report says.
The Trojan has spyware-like capabilities as noted by both the CERT-In advisory and the Quick Heal research, which includes the ability to capture screenshots, record keyboard strokes, copy saved passwords and browsing history, gather all clipboard data and block access to specific sites.
The malware uses encryption to avoid detection by AV and anti-malware programs. Quick Heal says in its report that cybercriminals are using off-the-shelf keylogger tools wrapped inside legitimate-looking Microsoft Visual C#/ .NET files for Golroted's information stealing mechanism.
Sameer Ratolikar, CISO of HDFC bank, says that the best practices that apply to all other malware in an enterprise environment should apply to Golroted. Specifically, he recommends preventing the entry of spyware at choke points, such as at the email gateway level. Having an up-to-date anti-virus and anti-malware solution on enterprise systems is important. As is blocking USBs, since that is one of the modes of propagation for this malware, Ratolikar says.
Good USB hygiene goes a long way he says. "Block USBs and removable drives. If USB access needs to be given, it must be done very sparingly, using hardened USBs, using whitelisted drives," he says. If there is a callback happening to the outside world, you need to determine where it is going and blacklist those IPs.
Information Security Strategist, Dr. Onkar Nath says as the malware is a Trojan, it is going to need a user's assistance to get on the system, which happens when the user clicks on the email attachment or a link in the phishing email. From a consumer awareness perspective - for the individual and enterprise consumer - he offers the following advice:
- Do not click on any link within e-mails from untrusted sources. Writing the web address in the address bar is the best option. Alternatively use directory services for the link.
- Always use normal user account for routine activities. Lack of administrative access will prevent the installation/execution of Trojans inadvertently.
- Using two-factor authentication where available would be wise. Default user accounts and their passwords - particularly administrative accounts - should be disabled.
- The browser is the weakest link in the web services. Use an updated version of browser and avoid storing credentials in the browser.
- Use only licensed software and keep your system and security software up to date.
In addition he says, disabling remote access services on the system is helpful. "Application and system developers need to upgrade and use robust versions of hashing algorithms to avoid reverse engineering of credentials stored in the hashed form," Dr. Nath says.
Those who use freeware and shareware or keep obsolete software on the system may become victim of not only this malware, but others too, Dr. Nath says, since they may be un-patched and their vulnerabilities publicly known and could be exploited.
While there are protection systems, which may check for malformed/malicious websites or packets to stop the infection, most such systems required offloading of encryption, which may also result in the disclosure of users credentials in clear text, he warns.
Both the CERT-In and the Quick Heal advisory stress on disabling the save credential feature in browsers. The Microsoft advisory for this Trojan and its variants can be found here.