
DMOSK

Posted: June 13, 2018

DMOSK is a backdoor Trojan with capabilities for giving a remote attacker control over the computer. Most attacks by this threat use narrowly-targeted infection vectors involving Web links embedded in e-mail messages. Verify the authenticity of an e-mail before trusting its contents, and have anti-malware products ready for removing DMOSK from your computer before the attackers can take further advantage of the compromise.

The Trojan that's a 'Company Man'

A campaign against various business sector entities in Europe, especially Italy, is showing how easily threat actors compromise a network through its users. DMOSK, which malware experts note for its high resemblance to the Win32/Spy.Ursnif family, occupies the last stage of the e-mail attack's payload. However, it only affects users who open the related Web link in a non-secure browser, which triggers the loading of a drive-by download.

DMOSK's delivery routine consists of several phases of Trojan droppers that use different code-obfuscation methods before resolving into the installation of this backdoor Trojan. This threat takes its name from the fake certificate data it uses as a disguise. Further investigation by malware experts also helps confirm that DMOSK's installers use multiple filtering checks that keep the campaign from infecting unwanted systems, such as those located in an undesirable country or belonging to a cyber-security company.

One of DMOSK's first acts after infection is contacting its Command & Control server to relay a notification to its threat actors. It also uploads e-mail addresses, usernames, and passwords from the machine. However, this initial data transmission is primarily for configuration and monitoring purposes, and malware experts have yet to verify that DMOSK uploads large quantities of other data, such as the user's Web-browsing activity or keyboard input.

Afterward, threat actors may issue additional commands to DMOSK for controlling the compromised PC, such as dropping other threats, disabling security features or uploading collected information.

Keeping Your Inbox Clean of Compromise

The DMOSK campaign is targeting specific business entities, although their identities remain confidential for the time being. Users on any at-risk business network should anticipate attacks that disguise the e-mail messages and their contents as relevant content, although some samples use 'naked' Web links without any additional details. The threat actors also abuse the familiar 'hxxp' link-obfuscation technique to keep some Web-browsing defenses from identifying the link as unsafe.
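As an added illustration (not code from the original write-up or from any vendor product), the Python below shows how a mail-filtering rule could catch the two lure traits described above: links written with a defanged 'hxxp'/'hxxps' scheme, and 'naked' messages whose body is nothing but a link. The function and class names, the set of defanged scheme spellings, and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Scheme spellings chosen to slip past naive "http://" link detectors, e.g. hxxp://.
# This set is an assumption for the example, not a list taken from the campaign.
DEFANGED_SCHEME = re.compile(r"\b(hxxps?|h\*\*ps?)://([^\s<>\"']+)", re.IGNORECASE)
PLAIN_SCHEME = re.compile(r"\bhttps?://([^\s<>\"']+)", re.IGNORECASE)


@dataclass
class Verdict:
    defanged_links: list   # links restored to http(s):// form for a reputation lookup
    naked_link: bool       # True when the body consists of a single link and nothing else
    suspicious: bool       # either trait present


def analyze_body(body: str) -> Verdict:
    """Flag e-mail bodies that show the lure traits described in the write-up."""
    text = body.strip()
    # Restore each defanged link to a real scheme so it can be checked like any other URL.
    defanged = [
        ("https://" if m.group(1).lower().endswith("s") else "http://") + m.group(2)
        for m in DEFANGED_SCHEME.finditer(text)
    ]
    plain = PLAIN_SCHEME.findall(text)
    link_count = len(defanged) + len(plain)
    # A "naked" message: exactly one link with no surrounding text at all.
    remainder = DEFANGED_SCHEME.sub("", PLAIN_SCHEME.sub("", text)).strip()
    naked = link_count == 1 and remainder == ""
    return Verdict(defanged, naked, bool(defanged) or naked)


# Constructed sample messages (not real campaign content).
SAMPLE_MESSAGES = {
    "naked": "hxxp://invoice-portal.example/doc/4471",
    "lure": "Hi,\nplease review the order at hxxps://orders.example/q?id=8812\nRegards",
    "benign": "Meeting moved to 3pm, agenda at https://intranet.example/agenda",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, analyze_body(body))
```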

The obfuscation built into DMOSK's series of Trojan droppers is significant and prevents many security solutions from detecting them as threatening. Update your anti-malware software's databases whenever possible, and disable risky browser features such as JavaScript by default. Malware experts advise leaving the removal of DMOSK to dedicated anti-malware products, after which users should change their passwords.

DMOSK may include many Command & Control commands and modular capabilities beyond those that have been verified. Whatever the extent of its payload, its presence means handing your computer over to a stranger, and with it, the rest of the associated network.
