
Exaramel

Posted: November 14, 2019

Exaramel is a backdoor Trojan that updates the Industroyer (also known as CrashOverride) family of backdoors. Exaramel provides the threat actor with access to the PC for sabotaging hardware or collecting confidential information. Users should monitor for network vulnerabilities to prevent infections and let advanced anti-malware solutions handle removing Exaramel.

Trojan Spies and Saboteurs Refusing to Stand Still

Malware development is rarely static in any well-funded criminal enterprise. Rather than replacing their tools wholesale, however, threat actors like TeleBots often re-purpose old software for new attacks. The backdoor Trojan Exaramel is an excellent example of this philosophy, in more ways than one.

Exaramel bears numerous coding similarities to the infamous Industroyer, whose moniker came into being after it enabled attacks against the Ukrainian energy sector. They use a similar command format and command loop, thematically reminiscent disguises that mimic anti-virus software, and other points of commonality. While the ultimate aim of the notorious Industroyer incident was blackout-based sabotage, both Exaramel and Industroyer (or CrashOverride) are capable of launching a variety of invasive attacks through their backdoor features.

A quick overview of the capabilities at Exaramel's disposal includes:

  • Launching processes (optionally, under a specific user).
  • Executing shell commands (again, with or without a particular user).
  • Executing Visual Basic scripts.
  • Writing file data.
  • Copying content to a concealed directory for uploading.

Exaramel comes in both Linux and Windows variants, although the above feature set is specific to Windows. Its Linux attacks remain in keeping with traditional backdoor Trojan activities, such as uploading or downloading files, executing shell commands, providing proxy services, self-updating and self-deletion.

Quick-Swap Disguises for Hiding Trojans

Exaramel is mostly of historical importance for confirming the ongoing hacking campaigns of TeleBots and the connections between campaigns targeting the finance sector and those targeting industrial energy. It also is of note that Exaramel's confirmed target list includes non-industrial victims as well. The difficulty in establishing these facts has been partly due to Exaramel's being re-compiled with customized attributes on a per-attack basis.

Although Exaramel is likely to pretend that its servers and local components are part of ordinary security software activity, the particular brand it imitates varies. Its choice of mask may be determined indirectly by the victim; for example, an environment using ESET products is likely to experience TeleBots attacks that use that brand as their disguise of preference.

Victims also should be aware that many TeleBots infections are multi-threat affairs that employ both custom tools (such as CredRaptor) and generic ones (the often-seen Mimikatz). Through these utilities, the attackers may collect passwords and compromise other machines on the network. Anti-malware scans should be sufficiently thorough that they detect all active threats and remove them along with deleting Exaramel.

Changes to logging report formatting, increased OS compatibility, and changes to the command list are some of the steps up that Exaramel has over its predecessor, CrashOverride. What's more important, though, is its concealed-predator tactic of changing its names, taking on the face that most suits the prey of the moment.
