Rewterz Threat Alert – AZORult Steals Information – IOCs
April 16, 2020
Rewterz Threat Advisory – CVE-2020-0993 – Windows DNS Denial of Service Vulnerability
April 16, 2020
Severity
Medium
Analysis Summary
A malicious campaign called Twin Flower has been found jacking up network traffic, downloading files and stealing data. The files are believed to be downloaded unknowingly by users when visiting malicious sites, or dropped onto the system by other malware. The files are either a component of, or the main executable of, a music downloader that automatically downloads music files without user consent. It drops several files and adds the following processes to the system:

The application connects to different links to retrieve MP3 file details, download MP3 files and retrieve related images, and saves them in the user's My Music folder. It also communicates with other potentially malicious URLs besides the ones used for MP3-related downloading.

The malicious files, Trojan.JS.TWINFLOWER.A and TrojanSpy.JS.TWINFLOWER.A, try to connect to URLs that are related to generating simulated clicks towards certain video websites. This is done to jack up those sites' network traffic, thus boosting search engine rankings and advertising revenue from mainstream video sites. Beyond this, the malicious files could potentially do more damage, since the malware can download code and inject it into systems.
Impact
- Remote Code Injection
- Information Theft
Indicators of Compromise
MD5
- 82c80eb1812e436bfc0e4fa43c70180c
- a0d47f4259d55c70ec6b45b89d0c9b3b
- b13fcf559cde3b1a89bc9deb568d020d
SHA-256
- 076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479
- 3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95
- ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626
Remediation
- Block the threat indicators at their respective controls.
- Strictly avoid visiting random websites, as malicious sites will download malware onto the device without the user's knowledge.
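The first remediation step ("block the threat indicators at their respective controls") is usually paired with a sweep of endpoints for files that already match the published hashes. The script below is an added example written for this advisory, not Rewterz's own tooling: it loads the MD5 and SHA-256 indicators listed above, hashes every file under a directory in chunks, and reports any match. The default scan root (the user's Music folder, chosen because the advisory says the downloader saves files there) and the function names are assumptions of this example. Note that a hash sweep only finds the exact samples listed; a recompiled or repacked variant will not match, so treat a clean result as "these specific samples are absent", not as proof the host is clean.

```python
import hashlib
import os
import sys
from pathlib import Path

# IOC hashes copied from the advisory above (Twin Flower samples).
TWINFLOWER_MD5 = {
    "82c80eb1812e436bfc0e4fa43c70180c",
    "a0d47f4259d55c70ec6b45b89d0c9b3b",
    "b13fcf559cde3b1a89bc9deb568d020d",
}
TWINFLOWER_SHA256 = {
    "076b8a238c17ea3a0259446ff959fffdb9d20d7cda1ffe544e110f15a39ce479",
    "3c4b81990a3be7196a112598247e10d46a4e5abc47dc80ff45f238694ef2cf95",
    "ea73dd57209fd6f744f58af02f09cc416b3341c068aed21540e27f9471860626",
}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, reading it in 1 MiB chunks
    so large media files do not have to be loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def match_ioc(md5_hex, sha256_hex):
    """Return the list of indicator types that matched ("md5", "sha256"),
    or an empty list if neither digest is in the advisory's IOC sets."""
    hits = []
    if md5_hex.lower() in TWINFLOWER_MD5:
        hits.append("md5")
    if sha256_hex.lower() in TWINFLOWER_SHA256:
        hits.append("sha256")
    return hits


def scan_tree(root):
    """Walk `root` recursively and return [(path, hits), ...] for every
    file whose digest matches a Twin Flower indicator."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5_hex, sha256_hex = hash_file(path)
            except OSError:
                # Locked, vanished or unreadable file: skip it rather than
                # abort the whole sweep, but a real deployment should log it.
                continue
            hits = match_ioc(md5_hex, sha256_hex)
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    # Assumed default: the per-user Music folder named in the advisory.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Music")
    matches = scan_tree(scan_root)
    for path, hits in matches:
        print(f"IOC match ({', '.join(hits)}): {path}")
    print(f"{len(matches)} matching file(s) under {scan_root}")
```

Run it as `python twinflower_sweep.py C:\Users\alice\Music` (or any other root); an empty result means none of the three listed samples are present in that tree. Because both digests are computed in one pass, adding further hashes from a later advisory is just a matter of extending the two sets.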