Fake 7-Zip app detected. Downloaded and definitely addicted to malware.

Fake 7-Zip app detected. Downloaded and definitely addicted to malware.

Software for file compression can be called many, but there are only a few familiar ones, such as WinZip, WinRar, and 7-Zip, the latter of which has become an issue, but not from WinZip and WinRar security vulnerabilities, but from negative name impersonators.

According to a report by the official website of anti-malware developer Malwarebytes, a member of the famous web board Reddit inside the r / pcmasterrace room came up with a thread about the detection of fake 7-Zip software, which the PC Builder said downloaded fake 7-Zip software from the 7zip [.] com website after watching a video of the tutorial on Youtube and then acknowledged that the official 7-Zip website was 7-zip.org not the site.

The user also revealed that after downloading the file on the USB drive and installing it on the newly assembled machine, a 32-bit versus 64-bit Error occurred so often that it was uninstalled. After about two weeks, the Windows Defender has a malware detection alert called Trojan: Win32 / Malgent! MSR, making it predictable to come from the fake 7-Zip software.

This fake 7-Zip software. The Installer was checked and found to be a modification of a real installation file called 7zfm.exe. But the file has a Cetificate signed under the fake company name Jozeal Network Technology Co., Limited. The certificate has been detected as Revoke. This file, if installed successfully, will work exactly like a normal 7-Zip, but there are three additional Components included.

Uphero.exe - Service Manager and Update Manager (Update loader)

Hero.exe - A file compiled with the Go language acts as the main Proxy Payload to turn the victim's machine into a Proxy Node so that a third party (3rd Party) can send data by relying on the victim's IP number.

Hero.dll - Library File (Library) Support

The set of files is placed in the System C: WindowsSysWOW64hero folder, a folder that has a high degree of Privilege access permissions, which is often unchecked. It was also found that the set of files used an update channel independent of the installer using the update.7zip [.] com / version / win-service / 1.0.0.2/Uphero.exe.zip channel.

The main malware files.exe retrieves the configuration from the commutated C2 or Command and Control domain, but all under the "smshero" theme to create Outbound Proxy through port 1000 or 1002. In addition, the research team also found that XOR encryption with key 0x70 was used to hide the command message. After the victim's machine became a Proxy Node under the hacker's Infrastructure network, the victim's IP number was taken. These proxy applications will also be resold to other cybercriminals, used for fraud, identity concealment, or for advertising.

In addition to its core capabilities, malware also has the ability to avoid being detected variously, e.g.

Detecting simulated environments like VMware, VirtualBox, QEMU and Parallels.

Anti-Debugging

Verification that Runtime API resolution and PEB are in use

Monitoring of the system environment (Environment), including Process Enumeration and Registry Probing

In addition to that, the research team also found that the malware has support for a variety of encryption systems to protect data traffic (Traffic), such as AES, RC4, Camellia, Chaskey, XOR encoding, and Base64.

Call it that such malware is dangerous, and indeed malicious, so readers must be careful to check the software download source first whenever the download is installed on the machine for safety.

# Trending # Lemon 8 Howtoo # lemon 8 diary # ZIP # freedomhack