
T9000

Posted: February 10, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 5
First Seen: February 10, 2016
OS(es) Affected: Windows

T9000 is a spyware program that uses e-mail messages as its primary means of deployment. Although T9000's current campaigns target US-based entities, T9000 includes a generous range of anti-security features and information-collecting attacks backed by modularity, which makes its potential victim list highly flexible. Because this threat uses multiple methods of hiding its identity from both PC users and some popular brands of PC security products, habitually updating your anti-malware software is a critical step in identifying or removing T9000.

All the Intel on the Latest Intel-Gathering Trojan

T9000 is a modern update to a backdoor Trojan-spyware combination last seen in 2014 under the name T5000 (or Plat1), during campaigns against automotive companies and e-mail users interested in the Malaysian flight MH370. Its developers have supplemented the previous attack capabilities with modern anti-security features intended to stop any attempted identification or analysis of this threat. However, enough information is available to make the majority of T9000's features, as well as those of its active modules, clear.

The installer for T9000 uses e-mail distribution methods, concealing its Trojan dropper in a file attachment such as an RTF text document. After going through a multiple-stage procedure for evading various security apps, T9000 installs itself to an AppData\Intel folder, bringing various baseline backdoor features with it. By itself, T9000 may harvest system information, run system commands, initiate downloads or uploads, delete files, and create or terminate processes. Malware experts also can confirm the presence of other commands with unknown functions.

Besides all of these backdoor features, T9000 also includes support for spyware modules, such as:

  • Tyeu.dat captures screenshots of both the user's desktop and applications, such as their text editor. Other features also let Tyeu.dat record Skype conversations, including audio, video and text data.
  • Vnk.dat creates copies of files stored on any removable devices (USB drives, for example), emphasizing file types such as spreadsheets and documents.
  • Qhnj.dat hooks itself into various Windows function calls. It can monitor used Unicode characters, as well as any file and program changes on a system-wide level.

Unplugging Skype from a Spy's Explorations

T9000's author has put significant effort into stopping various PC security companies from analyzing samples of this threat, which includes multiple checks against AV solutions, features for identifying brands like Norton or Sophos, and different installation routines under various circumstances. In turn, keeping your security software equipped with the latest database updates is necessary for identifying T9000 as soon as possible.

Although spyware programs rarely show any intentional symptoms of their presence, not all of T9000's modules are designed with the same attention to stealth. Tyeu.dat may create Skype usage requests through the Windows 'explorer.exe' file whenever that chat application launches, which can be a very visible sign of this threat's presence. Paying attention to the contents of your AppData folder and Registry also can help you identify some components of T9000 or its modules.
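As an added example that is not part of the original write-up, the following Python script turns the two indicators above into a check a defender can run: it flags files named after the three modules described earlier and files whose MD5 matches one of the hashes listed under Technical Details. The only assumption is the scan location, taken to be the Intel folder under the current user's %APPDATA%; everything else comes from this page.

```python
import hashlib
from pathlib import Path

# MD5 values from this page's "File System Modifications" table.
T9000_MD5S = {
    "b9c584c7c34d14599de8cd3b72f2074b", "a9de62186cb8d0e23b0dc75e1ae373ac",
    "d3601a5160b8d122261989d147221eb7", "2299fb8268f47294eb2b18282540a955",
    "1d335f6a58cb9fab503a9b9cb371f57b", "35f4ce864c3a3dc016fea3459d6402a9",
    "d8d70851641efbdfce8d561e6b1a2f29",
}
# Spyware module file names the write-up describes (matched case-insensitively).
T9000_MODULES = {"tyeu.dat", "vnk.dat", "qhnj.dat"}


def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def classify(name: str, data: bytes, known_md5s=T9000_MD5S, modules=T9000_MODULES):
    """Return the reasons a file with this name and content looks like T9000 (empty if none)."""
    reasons = []
    if name.lower() in modules:
        reasons.append("module name " + name)
    digest = md5_bytes(data)
    if digest in known_md5s:
        reasons.append("md5 " + digest)
    return reasons


def scan_dir(root, known_md5s=T9000_MD5S, modules=T9000_MODULES):
    """Walk a directory tree and return [(path, reasons), ...] for suspicious files."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            reasons = classify(p.name, p.read_bytes(), known_md5s, modules)
            if reasons:
                hits.append((str(p), "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    import os
    # Assumed location: the AppData\Intel folder the write-up names, under %APPDATA%.
    root = os.path.join(os.environ.get("APPDATA", ""), "Intel")
    if os.path.isdir(root):
        for path, why in scan_dir(root):
            print(f"SUSPICIOUS {path}: {why}")
    else:
        print(f"{root} not present; nothing to scan")
```

A clean system normally has no AppData\Intel folder at all, so the folder's mere presence is worth a second look even when no hash matches.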

News headlines for T9000 have focused on its Skype-monitoring capabilities. However, T9000 is sufficiently flexible and broad in its feature scope to include other attacks and forms of harm against NGOs, governments, businesses, and personal PC owners alike. As shown in past campaigns with T5000, the costs of not monitoring your e-mail behavior and keeping updated anti-malware protection can be quite high.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system (all are in the group "Malware file"; the MIME type is reported as unknown/<extension> in each case):

File name | Size                    | MD5                              | Detection count | File type            | Last Updated
file.exe  | 42.49 KB (42497 bytes)  | b9c584c7c34d14599de8cd3b72f2074b | 92              | Executable File      | February 29, 2016
file.exe  | 80.41 KB (80417 bytes)  | a9de62186cb8d0e23b0dc75e1ae373ac | 81              | Executable File      | February 29, 2016
file.exe  | 76.9 KB (76907 bytes)   | d3601a5160b8d122261989d147221eb7 | 64              | Executable File      | February 29, 2016
file.dll  | 66.04 KB (66048 bytes)  | 2299fb8268f47294eb2b18282540a955 | 41              | Dynamic link library | February 29, 2016
file.dll  | 8.19 KB (8192 bytes)    | 1d335f6a58cb9fab503a9b9cb371f57b | 24              | Dynamic link library | February 29, 2016
file.dat  | 51.35 KB (51352 bytes)  | 35f4ce864c3a3dc016fea3459d6402a9 | 10              | Data file            | February 29, 2016
file.exe  | 589.31 KB (589312 bytes)| d8d70851641efbdfce8d561e6b1a2f29 | 1               | Executable File      | February 29, 2016