BISTROMATH
BISTROMATH is a Remote Access Trojan believed to originate from North Korea. Threat actors from this region rarely go after regular users; instead, their attacks focus on high-profile organizations and institutions that the North Korean government is likely to be interested in. BISTROMATH was discovered only recently, and it appears to include a wide range of features meant to make the task of security researchers more difficult. Before the primary payload is initialized, the BISTROMATH RAT (Remote Access Trojan) performs a wide range of checks to make sure that it is not being run in a controlled environment used for malware analysis. BISTROMATH checks for:
- The presence of various Virtual Machine artifacts (registry entries, services, MAC addresses, system drivers, etc.)
- The presence of debugging tools.
- Running processes associated with tools used for malware dissection.
- Computer names and usernames used by malware research labs.
- Specific hardware configurations typical for virtual machines.
If the checks are passed successfully, BISTROMATH may proceed to run the main payload and gain persistence by using three tricks:
- Creating a new Registry key that launches BISTROMATH on system startup.
- Creating a new scheduled task that is executed every hour (usually called 'System Backup').
- Copying its corrupted executable to the Windows Startup folder.
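The three persistence locations listed above can be audited from the defender's side. The following PowerShell script is an added example, not code from the original article: it enumerates the Run keys, scheduled tasks and Startup folders, and flags the task name ('System Backup') and hourly interval the article reports. Everything it returns is a list of findings for an analyst to triage, not a verdict.

```powershell
# Added defender-side audit (not from the original article): enumerate the three
# persistence locations the article describes and flag entries matching its indicators.
# Assumptions: the task name 'System Backup' and the hourly interval come from the
# article; any other entry is listed for review rather than judged malicious.

$findings = @()

# 1. Run keys that launch a program at logon (per-user and machine-wide)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {   # skip PowerShell provider metadata
                $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 2. Scheduled tasks: flag the name the article reports, and any task repeating hourly
foreach ($task in Get-ScheduledTask) {
    $hourly = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1H' }
    if ($task.TaskName -eq 'System Backup' -or $hourly) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Value = $action }
    }
}

# 3. Files dropped into the per-user or all-users Startup folder
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Value = $_.FullName }
    }
}

# Present the collected entries for manual review
$findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM key and machine-wide tasks are readable; an unfamiliar binary in any of the three locations, or an hourly task whose action points outside a known product, warrants a closer look.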
North Korea Provides Hackers with Remote Access Trojans
Once running, BISTROMATH will listen for incoming communication from the remote control server. The operators are able to feed it commands that will cause the malware to execute a wide range of tasks:
- Modify the file system.
- Collect files.
- List running processes and manage their execution.
- Manage Windows services.
- Execute remote commands.
- Collect clipboard data and log keystrokes.
- Take a screenshot.
- Attempt to recover cookies and saved login details from Web browsers.
The BISTROMATH RAT is believed to be a product of HIDDEN COBRA, one of North Korea's largest cybercrime groups.