Trojan Mimicks Windows Activation Interface – KardPhisher


Recently a new Trojan popped up that mimics the Windows activation interface, phishing for credit card details and even the PIN number.

The Trojan itself isn’t particularly advanced technically, it’s mostly just a social engineering attack.

Kardphisher

Symantec is reporting on a Trojan horse that mimics the Windows activation interface.

What they are calling Trojan.Kardphisher doesn’t do most of the technical things that Trojan horses usually do; it’s a pure social engineering attack, aimed at stealing credit card information. In a sense, it’s a standalone phishing program.

Once you reboot your PC after running the program, the program asks you to activate your copy of Windows and, while it assures you that you will not be charged, it asks for credit card information. If you don’t enter the credit card information it shuts down the PC. The Trojan also disables Task Manager, making it more difficult to shut down..

It’s a pretty interesting attack and it shows malware creators are getting more innovative, rather than looking for technical solutions and how to hide their key-loggers etc. they are just looking at ways to make the interface look more legitimate so unwary users give their information away themselves.

Running on the first reboot is clever. It inherently makes the process look more like it’s coming from Windows itself, and it removes the temporal connection to running the Trojan horse. The program even runs on versions of Windows prior to XP, which did not require activation.

This is not an attack that will sneak by you. The executable is nearly 1MB large. But if you find yourself in this situation you should be able to disable it in Windows Safe mode by removing the registry keys described in the Symantec writeup and deleting the program it points to. Updated antivirus software should also be able to remove it.

You can also read more about the Trojan on the Symantec page:

Symantec – Trojan.Kardphisher

Source: PCMag

Posted in: Malware, Social Engineering, Windows Hacking

, , , ,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


4 Responses to Trojan Mimicks Windows Activation Interface – KardPhisher

  1. Bogwitch July 4, 2007 at 5:50 pm #

    Again, some old news – the Symantec report is from April!
    However it does raise some interesting possibilities. What’s next? Replacing MS Office components with Trojan startup? Other applications?

  2. Darknet July 5, 2007 at 5:38 am #

    Bogwitch: Yeah this was noted a while back, but got passed over. It’s still interesting and relevant in the evolution of Malware though.

  3. Sandeep nain July 6, 2007 at 7:34 am #

    Well.. its a shame that people are still unaware and usualy get stung with such malwares….

  4. SN July 10, 2007 at 1:59 pm #

    This is cool.
    -SN