MSUpdater

Description

(Zscaler) The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., ‘msupdate.exe’) and the HTTP paths used in the C&C (e.g., ‘/microsoftupdate/getupdate/default.aspx’) are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan.

Names

Name
MSUpdater

Category

Malware

Type

  • Dropper
  • Backdoor
  • Info stealer
  • Exfiltration

Information

AlienVault OTX

Other Information

UUID

e288f4fe-9d9f-4f36-be19-6895ad1ada0c

Last Card Change

2020-04-20