
Surtr Malware

Posted: June 1, 2020

Surtr is a malware family that was used exclusively against Tibetan activists between 2012 and 2014; however, it is entirely possible that the original attackers are still using modified variants of Surtr in other campaigns. The original attacks were carried out with the help of fraudulent emails that claimed to come from renowned Tibetan community members. The emails carried three different attachments, but running any of them led to the same nefarious outcome: every attachment contained a macro script that abused known Microsoft Office vulnerabilities such as CVE-2012-0158, so victims running an outdated version of their Office software would be infected with the Surtr Malware.

Once running, the Surtr Malware creates several folders in the %APPDATA% directory, which it uses to store its components and to keep some of the data it collects during the attack. The malware gains persistence by adding a Windows Registry key that instructs the operating system to launch the Surtr Malware whenever the computer boots up.
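As an added defensive check (not code from the original article), the following PowerShell enumerates the usual Run/RunOnce autostart keys and flags any entry whose command resolves under %APPDATA%, which is the combination of persistence key and staging folder described above; the key paths and the %APPDATA% heuristic are assumptions, since the article does not name the exact key Surtr writes.

```powershell
# Added example: find autostart entries that launch something from %APPDATA%.
# Assumption: persistence lives in the standard Run/RunOnce keys; the article
# does not name the specific key the malware uses.
function Find-AppDataAutoruns {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Resolve the real path behind %APPDATA% for the current user
    $appData = [Environment]::GetFolderPath('ApplicationData')

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Expand %APPDATA% and friends so the comparison sees the real path
            $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
            if ($expanded.IndexOf($appData, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [PSCustomObject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                }
            }
        }
    }
}

# Print any suspicious entries; an empty result means none were found
Find-AppDataAutoruns | Format-Table -AutoSize
```

Legitimate software occasionally autostarts from %APPDATA% too, so treat a hit as a lead to investigate (check the file's signature and creation time), not as proof of infection.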

Once active, the primary purpose of the Surtr Malware is to fetch a secondary payload from a remote command-and-control server. It can also keep a connection to that server open and wait for commands submitted by the attacker. The operators of the Surtr Malware could command the payload to:

  • List directories and files on the local hard drive and removable storage devices.
  • Download and execute files from a remote URL.
  • Initialize a keylogger module that will store the logs on the victim's computer, and exfiltrate them periodically.
  • Execute remote commands.

All evidence shows that the Surtr Malware has been used only in targeted attacks against a specific group of individuals. However, it is no secret that high-profile threat actors often reuse their code and projects in future campaigns, so it would not be surprising if the Surtr Malware is still in use. Thankfully, you can protect your system from threats like this one easily by applying the latest updates to all the software you use and by relying on a trustworthy anti-virus software suite.
