
Poison Frog

Posted: December 18, 2019

The Poison Frog is a backdoor Trojan used by OilRig, a threat actor with Iran-based support. While it is unusually small for a Trojan of its type, it includes several attack-enabling features, including uploading stolen files and executing commands. Users can protect themselves with active anti-malware services that delete the Poison Frog or its installer when necessary.

The Smallest Bit of PowerShell Poison in Your PC

The decades-long evolution of the software industry is an overall boon for humankind, but it also shows how much harm can come out of just a few lines of malicious code. The programming behind the Poison Frog, a new, PowerShell-run backdoor Trojan, illustrates that truth vividly. This Trojan's installer deletes itself, leaving behind only a few dozen lines of PowerShell code. However, that script can provide attackers like the OilRig hackers with everything they need for further reconnaissance and infiltration.

The Poison Frog is another tool of that Iranian threat actor, alongside BONDUPDATER (another backdoor Trojan), TONEDEAF, Pickpocket, and third-party utilities like Mimikatz. The group focuses on espionage against government and business networks of interest to the Iranian government and may use social engineering tactics to infect systems. The Poison Frog keeps to this theme by pretending to be a version of Cisco AnyConnect, a remote-access program.

While it distracts the user with AnyConnect-themed pop-ups, the Poison Frog sets up persistence through the Windows Task Scheduler and wipes its installer. What's left of the Poison Frog is just under sixty lines of PowerShell code that can:

  • Execute commands from the attacker's server
  • Upload specified files to the server
  • Save files locally

These features are bare-minimum, but they could let the Poison Frog install other Trojans, collect passwords or other credentials, and compromise other network-accessible systems. As of malware experts' last look at samples of this backdoor Trojan, most versions of Windows are at risk.
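A defender-side hunt for the persistence mechanism described above, added here as an example that is not part of the original article and not derived from any OilRig tooling: it lists scheduled tasks whose action launches PowerShell and flags argument patterns that merit a second look. The binary names and argument patterns are assumptions chosen for illustration, not indicators taken from the page.

```powershell
# Added hunting example (not from the original article): flag scheduled tasks
# whose action launches PowerShell, since a script-only backdoor of this kind
# typically persists through a task that re-runs a short script.
# Assumption: run with administrative rights on Windows 8 / Server 2012 or later,
# where the ScheduledTasks module (Get-ScheduledTask) is available.

$psBinaries = @('powershell.exe', 'powershell', 'pwsh.exe', 'pwsh')

# Argument fragments a defender would want to review (heuristics, not signatures).
$suspiciousArgs = @('-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden',
                    '-nop', '-noprofile', '-ep bypass', '-executionpolicy bypass',
                    'downloadstring', 'invoke-expression', ' iex ',
                    '\appdata\', '\temp\', '\public\')

function Get-SuspiciousPowerShellTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute property; skip them.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            if ($psBinaries -notcontains $exe) { continue }
            $argString = [string]$action.Arguments
            $hits = $suspiciousArgs | Where-Object { $argString.ToLower().Contains($_) }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                RunAs      = $task.Principal.UserId
                Author     = $task.Author
                State      = $task.State
                Executable = $action.Execute
                Arguments  = $argString
                Indicators = ($hits -join ', ')
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
            }
        }
    }
}

# Every PowerShell-launching task is printed; entries with a non-empty Indicators
# field deserve a manual look at the referenced script before the task is disabled.
Get-SuspiciousPowerShellTasks | Sort-Object { $_.Indicators.Length } -Descending | Format-List
```

Legitimate administrative tasks also launch PowerShell, so treat the output as a triage list rather than a verdict, and compare the script path and author against the host's known baseline.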

Pest Control at a Cheap Price

The Poison Frog doesn't fully duplicate the features of Cisco's software. Instead, the Trojan hides behind a non-working connection UI that displays a server error message. This disguise could still trick some users into believing that the problem is with their Internet connection or a temporary server outage rather than fraudulent software.

Some versions of the Poison Frog include self-defeating typos that prevent the Trojan from functioning, but users shouldn't count on that slim chance of good fortune. In most cases, the Poison Frog accomplishes its intended goals and can hand the compromised system over to an OilRig operator acting as administrator. Furthermore, thanks to its self-cleanup routine, a Poison Frog infection leaves little evidence behind.

As always, malware researchers recommend using download links from trusted sources only and scanning new files before taking the risk of opening them. Standard anti-malware tools should detect and delete the Poison Frog, whose small size leaves little room for evasion techniques.

The combative and unpredictable moods of Middle Eastern politics remain part of the cyber-threat landscape as well, through Trojans like the Poison Frog. Workers downloading their VPN software from unofficial sources should stop and ask themselves not just why they're doing so, but what they're risking by it.
