A new Trojan downloader has been identified by Russian antivirus firm Dr. Web, which installs malicious payloads – currently adware – using a popup Windows ‘Save As’ dialog box.
The malware, which has been named Trojan.Ticno.1537, covertly installs a range of adware and a malicious Google Chrome extension. The Ticno Trojan, which is itself downloaded by a separate piece of malware, is packaged with legitimate software in a single installation file. Legitimate software packaged with the Trojan includes Tray Calendar and the Amigo web browser.
The package is believed to be part of an affiliate program that pays per software download, with the person behind the campaign profiting both from the software that is installed and from the ads that are displayed.
If the user clicks Save when the ‘Save As’ dialog box pops up on screen, the Trojan is downloaded and run. First, the Trojan assesses the environment in which it has been installed to check that it is not running on a virtual machine. Checks are performed to determine whether Python or Perl is installed on the device, along with other debugging programs, files, folders and Windows processes.
If the malware determines that detection is unlikely, the file 1.zip is saved to the desktop and the adware is downloaded. If the checks instead indicate an analysis environment, Explorer is launched and the process terminates. While the ‘Save As’ box suggests that only one file is being downloaded, the dialog box contains a greyed-out link in the bottom left-hand corner. If clicked, the user will see all of the adware and software that will be installed as part of the bundle. The malware also installs a malicious Google Chrome extension – Trojan.ChromePatch.1 – and infects the browser's resources.pak file.
Even if the Ticno Trojan is deleted from the machine, it will still serve unwanted ads via the malicious Chrome extension.
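The behaviour described above leaves a recognisable trail on the host: a file named 1.zip written to the desktop, a write to Chrome's resources.pak, and a new extension directory appearing in Chrome's profile shortly afterwards. The following is an added detection example, not code from Dr. Web or from the article, that correlates those three indicators over file-create events of the kind a host agent such as Sysmon records. The process names, Chrome version folders, timestamps and the 32-letter extension ID are constructed placeholders, and the ten-minute correlation window is an assumption.

```python
"""Correlate host file events for Ticno-like installer activity (added example).

Indicators, taken from the article's description:
  1. a file named 1.zip created on a user's Desktop (the anchor event)
  2. a write to Chrome's resources.pak
  3. a new Chrome extension directory under "User Data\\...\\Extensions"
A finding is raised when an anchor is followed within `window` by at least one
Chrome indicator. All sample data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath
import re


@dataclass(frozen=True)
class FileEvent:
    """One file create/modify event as a host agent would log it."""
    ts: datetime
    process: str
    path: str


def _parts(path):
    """Split a Windows path into lower-cased components; ntpath works on any host OS."""
    return [p.lower() for p in ntpath.normpath(path).split("\\") if p]


def is_desktop_zip(path):
    parts = _parts(path)
    return len(parts) >= 2 and parts[-1] == "1.zip" and parts[-2] == "desktop"


def is_chrome_resources_pak(path):
    parts = _parts(path)
    return parts[-1] == "resources.pak" and "chrome" in parts


def is_chrome_extension_file(path):
    """True for files under <profile>\\User Data\\<profile>\\Extensions\\<id>\\...

    Chrome extension IDs are exactly 32 lowercase letters from a to p.
    """
    parts = _parts(path)
    if "user data" not in parts:
        return False
    for i in range(len(parts) - 1):
        if parts[i] == "extensions" and re.fullmatch(r"[a-p]{32}", parts[i + 1]):
            return True
    return False


def find_ticno_like_activity(events, window=timedelta(minutes=10)):
    """Return one finding per desktop 1.zip drop that is followed by Chrome tampering."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for anchor in (e for e in events if is_desktop_zip(e.path)):
        related = [
            e for e in events
            if anchor.ts <= e.ts <= anchor.ts + window
            and (is_chrome_resources_pak(e.path) or is_chrome_extension_file(e.path))
        ]
        if not related:
            continue
        findings.append({
            "anchor": anchor,
            "indicators": sorted({
                "resources.pak" if is_chrome_resources_pak(e.path) else "chrome_extension"
                for e in related
            }),
            "processes": sorted({e.process for e in [anchor, *related]}),
        })
    return findings


# Constructed sample events: one installer session plus an unrelated, benign
# Chrome update that rewrites resources.pak hours later with no 1.zip nearby.
T0 = datetime(2017, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    FileEvent(T0, "explorer.exe", r"C:\Users\alice\Desktop\notes.txt"),
    FileEvent(T0 + timedelta(seconds=30), "setup_bundle.exe", r"C:\Users\alice\Desktop\1.zip"),
    FileEvent(T0 + timedelta(seconds=75), "setup_bundle.exe",
              r"C:\Program Files (x86)\Google\Chrome\Application\55.0.0.0\resources.pak"),
    FileEvent(T0 + timedelta(seconds=90), "setup_bundle.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
              r"\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json"),
    FileEvent(T0 + timedelta(hours=5), "GoogleUpdate.exe",
              r"C:\Program Files (x86)\Google\Chrome\Application\55.0.0.1\resources.pak"),
]

if __name__ == "__main__":
    for f in find_ticno_like_activity(SAMPLE_EVENTS):
        print(f["anchor"].ts, f["processes"], f["indicators"])
```

Anchoring on the desktop 1.zip keeps routine Chrome updates, which also rewrite resources.pak, from firing on their own; in practice the extension ID of Trojan.ChromePatch.1 and the hash of the patched resources.pak would be added as exact-match indicators once known.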
Dr. Web is now blocking the Ticno Trojan, as is Symantec, although users should be aware of the risk from downloaders such as these.