
Grobios Trojan

Posted: May 28, 2018

The Grobios Trojan is a backdoor Trojan that receives commands from an external server for controlling your PC. Attacks of this nature may show no symptoms but can be responsible for collecting your information or hijacking your PC for botnet-related misdeeds. Always have a dedicated anti-malware program available for removing the Grobios Trojan on sight, and scan any infected PC to identify any other threats that it might install automatically.

Trojans Coming through Your Browser and Straight to Your PC

While many of the most notorious exploit kits are no longer active, some, such as the RIG Exploit Kit, remain in periodic use for circulating different threats, including both file-locking Trojans and ones exhibiting backdoor features. In the second category, malware experts are just confirming the Grobios Trojan, which uses a hijacked Australian domain as its initial infection vector. A victim's Web browser needs only to load the site with scripts enabled and no additional protection to be subjected to a drive-by-download attack from the RIG Exploit Kit, which drops and executes the Grobios Trojan.

Both this attack and the Grobios Trojan's installation include several means of concealing the infection and the program's identity, such as virtual machine detection (an anti-analysis check) and code-packing with PECompact. The Grobios Trojan also creates several copies of itself in multiple locations, all of which use misleading names so that they resemble legitimate programs. After this installation, malware experts note that the Grobios Trojan injects itself into a Windows process, so it leaves no separate process of its own in memory as evidence of its presence.
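One defender-side check that follows from the drop pattern just described (the same binary stored under several legitimate-looking names): group executables by content hash and flag any hash that appears under more than one file name. This is an added example, not code from the original page or from any analysis of the Trojan; the directory layout, file names and byte contents below are constructed fixtures, not real indicators.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_cloned_executables(roots, exts=(".exe", ".dll", ".scr")):
    """Group executables under the given roots by content hash and return
    only the groups whose members carry different file names."""
    groups = defaultdict(list)
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name.lower().endswith(exts):
                    full = os.path.join(dirpath, name)
                    groups[sha256_of(full)].append(full)
    suspicious = {}
    for digest, paths in groups.items():
        names = {os.path.basename(p).lower() for p in paths}
        # Same bytes under several names is the signal; legitimate
        # duplicates (same name, e.g. a backup copy) are not reported.
        if len(paths) > 1 and len(names) > 1:
            suspicious[digest] = sorted(paths)
    return suspicious

def build_constructed_sample():
    """Constructed fixture: one payload stored under three misleading names
    plus one unrelated binary, mimicking the drop pattern described above."""
    base = tempfile.mkdtemp(prefix="clone_demo_")
    payload = b"MZ" + b"\x90" * 64 + b"constructed-sample-payload"
    other = b"MZ" + b"\x00" * 64 + b"unrelated-program"
    layout = {  # hypothetical paths, not the Trojan's real drop locations
        "AppData/Roaming/svchost.exe": payload,
        "ProgramData/Adobe/updater.exe": payload,
        "Temp/winlogon.exe": payload,
        "Program Files/Vendor/tool.exe": other,
    }
    for rel, data in layout.items():
        p = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return base

if __name__ == "__main__":
    root = build_constructed_sample()
    for digest, paths in find_cloned_executables([root]).items():
        print(digest[:16], paths)
```

On a real system the roots would be the user-writable locations the page mentions (profile, temp and program-data directories), and each hit should be confirmed with a proper scanner rather than treated as proof of infection.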

If none of its anti-analysis environment checks trigger, the Grobios Trojan proceeds to connect to a remote server. It can receive and carry out various commands under different conditions, and it also accepts an additional, specified IP address as a parameter for a new host from which to take further instructions. Initially, the Grobios Trojan connects to one of two hard-coded domains, suggesting that the threat actors have a high degree of confidence in the stability of these domains within the C&C infrastructure.

Stopping Wrong Downloads as They Just Get Started

The ongoing abuse of the RIG Exploit Kit's capabilities requires all Web surfers to take appropriate, browser-specific precautions to protect their PCs. While malware analysts have so far verified Grobios Trojan installers at only one site (latorre.com.au), the RIG Exploit Kit also sees use in other campaigns for both backdoor-capable threats and ones that use non-consensual data encryption to lock files. Updating all software and disabling vulnerable Web content, such as JavaScript, can reduce your PC's exposure to an EK's attacks.

The Grobios Trojan is a flexible backdoor Trojan that criminals could use for installing other threats, transferring data, such as passwords, to their servers, or committing the infected system to attacks or criminal activities like non-consensual Bitcoin-mining. This Trojan also maintains its persistence with a high degree of self-obfuscation and presents neither a separate process in memory nor a visible executable file to the user. Rely on traditional anti-malware solutions for eliminating a Grobios Trojan infection or for detecting and blocking an installation exploit.

The Grobios Trojan campaign is, overall, a professionally-run one that conducts attacks with serious security implications while not leaving the threat excessively vulnerable to simple analysis or security solutions. People who believe that they no longer need to worry about Exploit Kits should think twice, since visiting the wrong website is still a straightforward way of infecting your computer.
