Some time ago we observed a rare, interesting malware dropped from the Rig-v EK. Its code was depicting that it is written by professionals. Research has shown that it is a sample of Moker Trojan that was discovered in 2015 (read more here). However, for a long time, we could not find a sample with working CnC in order to do a deeper research. Finally, we found such a sample – this article will be a deep dive in its capabilities.
Distribution method
We found Moker Trojan distributed via exploit kits – in malvertising campaigns, as well as dropped from the hacked sites. Example – Rig-v EK dropping Moker:
Behavioral analysis
The malware injects itself into the svchost, and then contacts the CnC server.
Full Article