
FlowerPippi

Posted: July 5, 2019

FlowerPippi is a backdoor Trojan and a Trojan downloader that can execute various system commands and install other threats onto your system. All infection methods expected for this threat rely on e-mail attachments or links disguised to persuade users into interacting with them. Keep anti-malware products on hand to delete FlowerPippi as early as possible, and cut infected PCs off from the Internet so the Trojan cannot benefit from C&C contact.

A Toxic Flower Blooms in TA505's Garden

TA505, a long-running group confirmed as a persistent threat actor, is delivering old and new threats in its 2019 campaigns. Among the most recent examples, malware researchers single out FlowerPippi as a substantial source of security issues that, unlike other TA505 Trojans such as Gelup, does not rely on old code. Its campaign, like Gelup's, is compromising networks in South America and Asia.

FlowerPippi is a C++ Trojan that spreads through e-mail combined with social-engineering lures, such as fake invoices and other documents, to fool recipients. Its first action is to collect some user and system information and send it to the C&C server, delivering it to TA505 before further attacks begin. The Trojan uses RC4 encryption, among other techniques, to conceal its activities from threat-analysis software.
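Because the article notes that FlowerPippi wraps its activity in RC4, here is an added example (not the article's code, nor the malware's, nor any vendor's) of the decoding step an analyst performs once a key has been recovered from a sample: a plain RC4 implementation in Python, checked against the standard "Key"/"Plaintext" test vector, plus a helper that decrypts a captured check-in blob. The key, the beacon format and the field names are assumptions constructed for the example; the article does not describe the real format.

```python
# Added example, not code from the original article or from FlowerPippi itself.
# RC4 key scheduling (KSA) and keystream generation (PRGA), used the way an
# analyst would when a captured C&C payload must be decoded with a key that
# was recovered from the sample. SAMPLE_KEY and SAMPLE_BEACON are constructed
# placeholders, not real FlowerPippi values.
from typing import Dict, Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for the given key (KSA followed by PRGA)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher, so one XOR routine both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed stand-ins for a recovered key and a plaintext check-in beacon.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_BEACON = b"host=WS-01;user=alice;os=Win10"


def decode_captured_beacon(ciphertext_hex: str, key: bytes = SAMPLE_KEY) -> Dict[str, str]:
    """Decrypt a captured blob and split the key=value fields such a beacon carries."""
    plain = rc4_crypt(key, bytes.fromhex(ciphertext_hex))
    fields: Dict[str, str] = {}
    for part in plain.decode("utf-8", errors="replace").split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = value
    return fields


if __name__ == "__main__":
    captured = rc4_crypt(SAMPLE_KEY, SAMPLE_BEACON).hex()
    print("captured (hex):", captured)
    print("decoded fields:", decode_captured_beacon(captured))
```

The same routine works on any RC4-wrapped blob once the key is known; the hard part in practice is recovering that key from the binary, which this example assumes has already been done.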

Malware experts have narrowed FlowerPippi's core features down to a handful of commands:

  • FlowerPippi can run 'arbitrary' system commands, such as deleting or opening files.
  • FlowerPippi may download EXE or DLL files and execute or load them. It deletes them afterward as an evidence-wiping precaution.
  • FlowerPippi may also uninstall itself via a batch file.

The Trimming of Unsightly Software Foliage

Many details of FlowerPippi's C&C infrastructure are public knowledge, and users can blacklist the known domains and addresses with appropriate firewall rules. However, TA505 may change its Command & Control infrastructure in newer attacks. More importantly, potential victims should scrutinize spreadsheets, documents, and other content arriving by e-mail that may be part of a phishing attack. Such an attack usually abuses macros, which need the user's permission to run, although some variants exploit vulnerabilities that are frequently fixable by patches.
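As a detection-side companion to the firewall blacklisting above, here is an added example (not from the article or any vendor) that matches outbound-connection log lines against a small C&C blocklist by destination address and by TLS SNI or hostname. Every indicator and log line is a constructed placeholder (TEST-NET addresses and .example names), since the article does not reproduce FlowerPippi's real domains; the log format is likewise an assumption. Because the article warns that TA505 may change its infrastructure, a list like this only stays useful if it is refreshed from current reporting.

```python
# Added example, not from the original article: match outbound-connection log
# lines against a C&C blocklist, the detection counterpart of the firewall
# blacklisting the article recommends. All indicators and log lines are
# CONSTRUCTED placeholders (TEST-NET addresses, .example names); the article
# does not reproduce FlowerPippi's real domains or addresses.
import ipaddress
import re
from typing import Dict, List, Optional

C2_DOMAINS = {"c2-placeholder.example", "update-placeholder.example"}
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed, TEST-NET-3

# Constructed log format: "<timestamp> <src> -> <dst>:<port> [sni=<name>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?$"
)

SAMPLE_LOG = """\
2019-07-05T10:00:01Z 10.0.0.12 -> 93.184.216.34:443 sni=www.example.org
2019-07-05T10:00:07Z 10.0.0.12 -> 203.0.113.45:443
2019-07-05T10:00:09Z 10.0.0.15 -> 198.51.100.8:443 sni=mail.c2-placeholder.example
2019-07-05T10:00:12Z 10.0.0.15 -> 10.0.0.1:53
"""


def matching_domain(name: Optional[str]) -> Optional[str]:
    """Return the blocklisted domain that `name` equals or is a subdomain of."""
    if not name:
        return None
    name = name.lower().rstrip(".")
    for domain in C2_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def matching_network(dst: str) -> Optional[str]:
    """Return the blocklisted network containing `dst`, if `dst` is an IP address."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None  # a hostname rather than an address; the domain check covers it
    for net in C2_NETWORKS:
        if addr in net:
            return str(net)
    return None


def find_c2_contacts(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and report each one whose destination hits the blocklist."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than silently match
        indicator = (
            matching_network(m["dst"])
            or matching_domain(m["sni"])
            or matching_domain(m["dst"])
        )
        if indicator:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} contacted {hit['dst']} (matches {hit['indicator']})")
```

Matching on subdomains and on the SNI as well as the raw destination catches the case where the blocked name resolves to an address that is not itself on the list; the source hosts reported are the ones to isolate first, as the next paragraph advises.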

Preventing FlowerPippi from contacting its threat actor and receiving instructions should be a priority for any user who suspects an infection. Besides disabling Internet connections and temporarily removing the PC from all local networks, avoid sharing any removable devices and change passwords immediately. Traditional anti-malware products should remain effective and remove FlowerPippi properly.

Whether FlowerPippi benefits the attackers more than its more commonly seen counterpart, the FlawedAmmyy RAT, is an open question. TA505 is choosing between two poisons for its targets, and neither one has anything less than deadly security implications.
