Fruity trojan leads to remote trojan installation


Cybercriminals are setting up fake websites that offer software installers laced with a downloader called Fruity. The goal is to trick unsuspecting users into running this trojan, which then installs remote access trojans (RATs) such as Remcos.

According to cybersecurity vendor Doctor Web, the decoy software includes tools for fine-tuning CPUs, graphics cards and BIOS settings, along with other PC hardware-monitoring apps.

Source: Remcos RAT analysis by Trellix

How do they do it?

The exact initial-access method is not known; it could be phishing, drive-by downloads or malicious ads. Visitors to the fake site are prompted to download a ZIP installer package.

Source: Dr. Web

Inside the installer, alongside the legitimate software, the Fruity trojan is dropped. This Python-based malware conceals its components inside an MP3 file and uses steganography to hide two further executables and shellcode.
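The report says the executables and shellcode are hidden by steganography but not which scheme Fruity uses. The following is an added example, not Fruity's code, showing the most common scheme, least-significant-bit (LSB) embedding, on an 8-bit RGB PNG written and read without third-party libraries (every row uses filter type 0). The cover pixels and the payload bytes are constructed sample data; the helper names are this example's own.

```python
"""LSB steganography: hide a byte payload in the pixels of a PNG and recover it.

Added illustration of the generic technique; not code from Dr.Web or the Fruity
sample. Cover image and payload below are constructed, not real artefacts.
"""
import struct
import zlib


def _chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Encode raw RGB bytes (row-major, 3 bytes per pixel) as a filter-type-0 PNG."""
    assert len(rgb) == width * height * 3
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def read_png(png: bytes):
    """Decode a PNG produced by write_png; returns (width, height, rgb bytes)."""
    assert png[:8] == b"\x89PNG\r\n\x1a\n", "not a PNG"
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", data[:10])
            assert (depth, ctype) == (8, 2), "only 8-bit RGB supported here"
        elif tag == b"IDAT":
            idat += data
        pos += 12 + length  # length field + tag + data + CRC
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    rows = [raw[y * stride:(y + 1) * stride] for y in range(height)]
    assert all(r[0] == 0 for r in rows), "only filter type 0 supported here"
    return width, height, b"".join(r[1:] for r in rows)


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus the payload, one bit per RGB byte, into the LSBs."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(rgb):
        raise ValueError("cover image too small for payload")
    out = bytearray(rgb)
    bits = ((byte >> (7 - i)) & 1 for byte in framed for i in range(8))  # MSB first
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Reassemble bytes from the LSBs; the length prefix says where the payload ends."""
    def take(nbytes: int, bit_offset: int) -> bytes:
        value = bytearray()
        for b in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (rgb[bit_offset + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    (length,) = struct.unpack(">I", take(4, 0))
    return take(length, 32)


def hide_in_png(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Constructed cover image (a simple gradient) carrying the payload in its LSBs."""
    cover = bytes((x * 7 + y * 3) & 0xFF for y in range(height) for x in range(width * 3))
    return write_png(width, height, embed(cover, payload))


def recover_from_png(png: bytes) -> bytes:
    _, _, rgb = read_png(png)
    return extract(rgb)


if __name__ == "__main__":
    fake_payload = b"MZ\x90\x00 constructed stand-in for an executable"
    png = hide_in_png(fake_payload)
    print(recover_from_png(png) == fake_payload)
```

The point for defenders: the carrier remains a valid, viewable image, so it passes file-type checks and looks nothing like the random-looking bytes of an encrypted blob. Changing only the lowest bit of each channel leaves byte entropy close to the original image's, which is why a name-and-context check on where the image turns up matters as much as content inspection.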

“This smart technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their system, and unknowingly execute malicious code,” said a security analyst at Trellix.

Fruity is designed to evade antivirus detection on the compromised system and ultimately deploys the Remcos RAT payload using process doppelgänging, a technique that abuses NTFS transactions to run a malicious image under the identity of a legitimate executable, so the file a scanner sees on disk never contains the payload.

Dr.Web lists the following components dropped by the installer:

  • python39.dll—a copy of the legitimate Python runtime library into which the attackers implanted malicious code;
  • python.exe—the original Python interpreter, used to launch the modified library;
  • idea.cfg—a configuration file holding the location of the payload;
  • idea.mp3—encrypted trojan modules;
  • fruit.png—an encrypted payload.
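A practical use of the component list above is to triage a downloaded "installer" before running it. The following is an added example, not Dr.Web's or PureVPN's code: it checks the ZIP against a vendor-published SHA-256 (the digest value and the idea that one is published are assumptions), flags members whose names match the five Fruity components Dr.Web reported, and flags media files whose byte entropy is near 8 bits per byte, which is what encrypted blobs look like. The two ZIPs it builds are constructed sample data, and the thresholds are this example's choices.

```python
"""Triage a downloaded ZIP installer for the Fruity dropper layout.

Added example, not code from Dr.Web or PureVPN. File names come from Dr.Web's
component list; thresholds, the sample ZIPs and the vendor digest are assumptions.
"""
import hashlib
import io
import math
import os
import zipfile
from collections import Counter

# Component names from the Dr.Web report; matched on base name, any folder.
FRUITY_COMPONENTS = {"python.exe", "python39.dll", "idea.cfg", "idea.mp3", "fruit.png"}

# Media inside an installer is unusual; an encrypted blob renamed .mp3/.png has
# near-maximal entropy, unlike real compressed audio or image data. Threshold assumed.
MEDIA_SUFFIXES = (".mp3", ".png", ".jpg", ".wav")
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_matches(blob: bytes, expected_hex: str) -> bool:
    """Compare the download's SHA-256 with the digest the vendor publishes."""
    return hashlib.sha256(blob).hexdigest().lower() == expected_hex.lower()


def triage_zip(blob: bytes) -> dict:
    """Return matched Fruity names, high-entropy media members and a verdict."""
    findings = {"fruity_components": [], "high_entropy_media": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename).lower()
            if base in FRUITY_COMPONENTS:
                findings["fruity_components"].append(info.filename)
            if base.endswith(MEDIA_SUFFIXES):
                ent = shannon_entropy(zf.read(info))
                if ent >= HIGH_ENTROPY:
                    findings["high_entropy_media"].append((info.filename, round(ent, 2)))
    # Heuristic (assumed): a Python runtime plus opaque "media" beside a tweaking
    # tool is the dropper layout described; require a name hit and three hits total.
    hits = len(findings["fruity_components"]) + len(findings["high_entropy_media"])
    if findings["fruity_components"] and hits >= 3:
        findings["verdict"] = "suspicious"
    return findings


def _pseudo_random(nbytes: int) -> bytes:
    """Deterministic stand-in for encrypted data (SHA-256 chain), so results repeat."""
    out = b""
    for i in range(nbytes // 32 + 1):
        out += hashlib.sha256(b"fruity-sample-%d" % i).digest()
    return out[:nbytes]


def build_sample_zip(malicious: bool) -> bytes:
    """Constructed sample: a benign tool ZIP, or one with the Fruity component layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tool/setup.exe", b"MZ" + b"\x00" * 200)  # placeholder, not a real PE
        zf.writestr("Tool/readme.txt", b"CPU tuning utility\n")
        if malicious:
            zf.writestr("Tool/python.exe", b"MZ" + b"\x00" * 200)
            zf.writestr("Tool/python39.dll", b"MZ" + b"\x00" * 200)
            zf.writestr("Tool/idea.cfg", b"payload=fruit.png\n")
            zf.writestr("Tool/idea.mp3", _pseudo_random(4096))   # "encrypted modules"
            zf.writestr("Tool/fruit.png", _pseudo_random(4096))  # "encrypted payload"
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip(malicious=True))["verdict"])   # suspicious
    print(triage_zip(build_sample_zip(malicious=False))["verdict"])  # clean
```

The digest check only helps when the digest comes from the vendor's own site over HTTPS, not from the page that served the download. The entropy check catches encrypted blobs masquerading as media; it will not catch a genuine image carrying a payload in its low bits, which is why the name-set match is kept as an independent signal.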

“This attack method could be exploited to distribute various malware, underscoring the importance of downloading software only from trustworthy sources,” say researchers at Dr.Web.

What to do about it

None of this is new: knowing how to spot phishing campaigns remains essential. Keep software patched and devices updated, download installers only from the vendor's own site and verify any published checksum, and check the validity of any link, email, attachment or file before opening it.


Author: PureVPN

Date: July 31, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secured.
