Delaware, USA – April 20, 2018 – This week, researchers from Palo Alto Networks published an investigation into a new multifunctional malware that is currently being used in attacks against organizations worldwide. They dubbed it SquirtDanger after the name of the DLL it uses in attacks. The malware is written in C# and has many capabilities for cyber espionage and malicious activity: it can collect system information and take screenshots, download and run additional files, steal passwords, cryptocurrency wallets and other valuable data, delete files and kill processes. After execution, the malware achieves persistence on the compromised machine via scheduled tasks that run every minute.
So far, the researchers have found more than 1200 unique SquirtDanger samples associated with 119 C&C servers, mainly located in France, Russia and the Netherlands. They were also able to identify the author of SquirtDanger: TheBottle, a well-known malware creator who sells it on various underground forums.
The delivery methods for this malware differ from campaign to campaign, but the researchers suggest that the primary distribution vector is infected legitimate software. In the hands of an advanced hacker group, this tool can inflict serious damage on a targeted company. SquirtDanger communicates with its C&C servers over raw TCP connections, and downloads and transfers data over HTTP. To detect traffic spikes on your network, you can use your SIEM with Netflow Security Monitor, which enables real-time traffic profiling for all common network services.
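The traffic-profiling idea above, as an added example that is not code from the original article, from Palo Alto Networks or from any SIEM product: per-service byte counts are built from flow records in fixed time windows, each service's own earlier windows form its baseline, and the latest window is flagged only when it stands well outside that baseline. The flow records are constructed inline and only mimic the fields a NetFlow exporter commonly provides (time, source host, destination port, protocol, bytes); field names, thresholds and hosts are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (not real traffic). Fields mirror what a NetFlow
# exporter typically hands a SIEM: start time, source host, destination port,
# protocol, bytes sent. 10.0.0.5 browses normally over HTTPS; 10.0.0.7 keeps
# raw TCP sessions to port 4444 and suddenly moves far more data in the last
# window; 10.0.0.9 has too little history to judge at all.
SAMPLE_FLOWS = [
    ("2018-04-20T10:00:12", "10.0.0.5", 443, "tcp", 1000),
    ("2018-04-20T10:05:40", "10.0.0.5", 443, "tcp", 1100),
    ("2018-04-20T10:10:03", "10.0.0.5", 443, "tcp", 900),
    ("2018-04-20T10:15:55", "10.0.0.5", 443, "tcp", 1050),
    ("2018-04-20T10:20:21", "10.0.0.5", 443, "tcp", 1000),
    ("2018-04-20T10:00:30", "10.0.0.7", 4444, "tcp", 2000),
    ("2018-04-20T10:05:31", "10.0.0.7", 4444, "tcp", 2100),
    ("2018-04-20T10:10:29", "10.0.0.7", 4444, "tcp", 1900),
    ("2018-04-20T10:15:30", "10.0.0.7", 4444, "tcp", 2000),
    ("2018-04-20T10:20:30", "10.0.0.7", 4444, "tcp", 20000),
    ("2018-04-20T10:20:33", "10.0.0.7", 4444, "tcp", 30000),
    ("2018-04-20T10:15:10", "10.0.0.9", 80, "tcp", 500),
    ("2018-04-20T10:20:10", "10.0.0.9", 80, "tcp", 900000),
]


def window_start(timestamp, window_minutes=5):
    """Floor an ISO-8601 timestamp to the start of its N-minute window."""
    ts = datetime.fromisoformat(timestamp)
    return ts.replace(minute=ts.minute - ts.minute % window_minutes,
                      second=0, microsecond=0)


def profile_flows(flows, window_minutes=5):
    """Sum bytes per (host, dst_port, proto) service in each time window.

    Returns {service: [(window_start, bytes), ...]} sorted by window.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for timestamp, host, port, proto, nbytes in flows:
        totals[(host, port, proto)][window_start(timestamp, window_minutes)] += nbytes
    return {key: sorted(windows.items()) for key, windows in totals.items()}


def find_spikes(profile, zscore=3.0, min_ratio=2.0, min_history=3):
    """Flag services whose latest window exceeds their own baseline.

    The baseline is every window except the latest. A spike must exceed
    mean + zscore * stdev AND be at least min_ratio times the mean, so a
    perfectly flat baseline (stdev 0) does not turn every small change
    into an alert. Services with fewer than min_history baseline windows
    are skipped rather than guessed at.
    """
    alerts = []
    for key, series in profile.items():
        if len(series) < min_history + 1:
            continue
        history = [nbytes for _, nbytes in series[:-1]]
        latest_window, latest = series[-1]
        baseline = mean(history)
        threshold = baseline + zscore * pstdev(history)
        if latest > threshold and latest >= min_ratio * baseline:
            alerts.append({"service": key, "window": latest_window,
                           "bytes": latest, "baseline_mean": baseline})
    return alerts


if __name__ == "__main__":
    for alert in find_spikes(profile_flows(SAMPLE_FLOWS)):
        host, port, proto = alert["service"]
        print(f"spike: {host} -> {proto}/{port} at {alert['window']:%H:%M}: "
              f"{alert['bytes']} bytes vs baseline {alert['baseline_mean']:.0f}")
```

Run as a script it reports one spike, the 10.0.0.7 service on tcp/4444. The HTTPS host stays inside its band, and 10.0.0.9 is deliberately not reported: with only one baseline window there is no profile to compare against, which is why a profiling detector needs a learning period before its alerts mean anything.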