Double-Gun Trojan which uses game plug-in to spread [360totalsecurity]
by CIRT Team
In July 2017, 360 Security Center discovered the first Trojan that infects both the MBR and the VBR; it was named “Double-Gun”. Over the following year we found that the virus author frequently updated it to increase its profitability and its ability to fight security software, and that its distribution channels kept changing.
Recently, we found that the latest version of the “Double-Gun” Trojan (referred to as “Double-Gun 4”) adds, on top of the original virus modules, a module that hijacks traffic to e-commerce websites. Related analysis showed that this module is a sub-module of a virus already disclosed by other researchers, and the debugging information in samples of the two families indicates that both Trojans come from the same author.
Double-Gun 4 uses this module to hijack traffic to e-commerce websites. Judging from the timing of the update, the author appears to be aiming at traffic-promotion fees during the November shopping season: the income from a single homepage lock can no longer satisfy the author's greed, so “Double-Gun” has been pointed at a larger battlefield.
The Double-Gun 4 Trojan spreads through game plug-ins hosted on a large number of download sites, such as West West Software Park and Snail Entertainment Network. We take a game plug-in called “Anti-war Contract” as an example to reconstruct the whole infection process. On the download page, users are told that they only need to copy log.dll into the anti-war game directory to replace the existing file. What the user does not know is that log.dll is actually a Trojan dropper that releases the subsequent virus modules. Screenshot of the virus download page:
Once log.dll has been replaced in the anti-war game directory, it is loaded by the LoadingOptimize.exe process when the anti-war game starts; it then drops the virus file orange.dll and calls its export function StartEngine. From there, the export function proceeds according to its current computation.
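The sideload chain just described (a game process loading a swapped-in DLL, which drops a second DLL that the same process then loads) can be hunted for in endpoint telemetry. The following is an added example, not code from the 360 write-up: it correlates constructed, Sysmon-style ImageLoad (ID 7) and FileCreate (ID 11) events per process; the paths, PIDs and the "signed" field are assumptions for illustration.

```python
"""Hunt for a drop-and-load DLL sideload chain in Sysmon-style events."""
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry); field names mirror Sysmon.
SAMPLE_EVENTS = [
    {"id": 7, "pid": 4120, "image": r"C:\Games\AntiWar\LoadingOptimize.exe",
     "loaded": r"C:\Games\AntiWar\log.dll", "signed": False},
    {"id": 11, "pid": 4120, "image": r"C:\Games\AntiWar\LoadingOptimize.exe",
     "target": r"C:\Games\AntiWar\orange.dll"},
    {"id": 7, "pid": 4120, "image": r"C:\Games\AntiWar\LoadingOptimize.exe",
     "loaded": r"C:\Games\AntiWar\orange.dll", "signed": False},
    # Benign control: a signed DLL from the game directory, nothing dropped.
    {"id": 7, "pid": 5001, "image": r"C:\Games\Other\game.exe",
     "loaded": r"C:\Games\Other\render.dll", "signed": True},
]


def _same_dir(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def find_sideload_chain(events):
    """Return one alert per process that (1) loads an unsigned DLL from its
    own directory, (2) afterwards creates a new .dll in that directory and
    (3) then loads the DLL it just created."""
    first_load = {}              # pid -> path of the unsigned sideloaded DLL
    dropped = defaultdict(set)   # pid -> DLL paths written after step (1)
    alerts = []
    for ev in events:           # events are assumed to be in time order
        pid, image = ev["pid"], ev["image"]
        if ev["id"] == 7:
            path = ev["loaded"]
            if pid in first_load and path.lower() in dropped[pid]:
                alerts.append({"pid": pid, "image": image,
                               "sideloaded": first_load[pid], "dropped": path})
            elif pid not in first_load and not ev["signed"] \
                    and _same_dir(image, path):
                first_load[pid] = path
        elif ev["id"] == 11:
            target = ev["target"]
            if pid in first_load and target.lower().endswith(".dll") \
                    and _same_dir(image, target):
                dropped[pid].add(target.lower())
    return alerts


if __name__ == "__main__":
    for alert in find_sideload_chain(SAMPLE_EVENTS):
        print(alert)
```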
For more, click here.