The DarkHotel group (aka APT-C-06) has modified its Asruex backdoor, adding the ability to infect PDFs, Word documents, and executables so that the infection spreads inside a targeted organization. The group is known for stealthy attacks, sophisticated techniques, and access to zero-day vulnerabilities, which makes it all the more interesting that this fresh sample of their malware exploits vulnerabilities that were patched long ago.
The Asruex backdoor has been used in targeted attacks since October 2015. It lets adversaries download and execute files, load DLLs, modify the Windows registry, and terminate processes.
According to Trend Micro researchers, the variant (detected as Virus.Win32.ASRUEX.A.orig) hides inside PDF files and Word documents, which it uses to drop and execute its payload. The analysis shows that the new Asruex variant exploits two old vulnerabilities, both discovered more than six years ago:
- CVE-2012-0158 – a critical buffer overflow in an ActiveX component (MSCOMCTL.OCX) shipped with MS Office 2003, 2007 and 2010. Opening a crafted Word document leads to remote code execution.
- CVE-2010-2883 – a stack-based buffer overflow in Adobe Reader and Acrobat (in the CoolType font-rendering library). A crafted PDF carrying a malformed embedded font lets attackers execute arbitrary code on the victim's machine.
The PDF vector only works against targets still running the vulnerable Adobe Reader and Acrobat releases (9.x before 9.4 and 8.x before 8.2.5) on Windows and Mac OS X; a reader updated since then is not affected by it.
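Because the PDF side of this sample relies on CVE-2010-2883, a defender can triage suspicious PDFs for the exploit trigger without needing the Asruex payload itself. The following scanner is an added example written for this page, not code from the article or from Trend Micro. It assumes the layout of the TrueType SING table that CoolType.dll mishandled (a 16-byte header followed by a 28-byte uniqueName field copied without a length check), inflates every FlateDecode stream in the file, and reports embedded fonts that carry a SING table at all, with a stronger verdict when the uniqueName has no terminating NUL. The sample PDF and font are constructed inline; a real scanner would also have to handle other filters, object streams and encrypted documents.

```python
import re
import struct
import zlib

# Layout of the TrueType 'SING' table that CoolType.dll mishandled in
# CVE-2010-2883 (assumption made for this example, not stated in the article):
# a 16-byte header followed by a 28-byte uniqueName that the library copied
# with strcat(), trusting it to be NUL-terminated.
SING_UNIQUENAME_OFFSET = 16
SING_UNIQUENAME_LEN = 28

# stream ... endstream bodies; the lookbehind stops "endstream" from matching.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_truetype_tables(font):
    """Table directory of an sfnt blob as {tag: (offset, length)}, or None."""
    if len(font) < 12 or font[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        tables[tag] = (offset, length)
    return tables


def check_sing(font):
    """None (no SING table), 'sing-present', or 'sing-overflow' when the
    uniqueName field has no NUL inside its 28 bytes (the overflow trigger)."""
    tables = parse_truetype_tables(font)
    if not tables or b"SING" not in tables:
        return None
    offset, _length = tables[b"SING"]
    start = offset + SING_UNIQUENAME_OFFSET
    name = font[start:start + SING_UNIQUENAME_LEN]
    if len(name) == SING_UNIQUENAME_LEN and b"\x00" not in name:
        return "sing-overflow"
    return "sing-present"


def extract_streams(pdf):
    """Yield every stream body, inflated when it is a FlateDecode stream."""
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw


def scan_pdf(pdf):
    """List of (stream index, verdict) for streams carrying a SING table."""
    findings = []
    for index, data in enumerate(extract_streams(pdf)):
        verdict = check_sing(data)
        if verdict:
            findings.append((index, verdict))
    return findings


def build_font(unique_name):
    """Constructed sample: an sfnt with a single SING table (not a usable font)."""
    sing = b"\x00" * SING_UNIQUENAME_OFFSET + unique_name
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"SING", 0, 12 + 16, len(sing))
    return header + record + sing


def build_pdf(font):
    """Constructed sample: the smallest PDF wrapper the stream scanner needs."""
    body = zlib.compress(font)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    benign = build_pdf(build_font(b"glyphlet".ljust(SING_UNIQUENAME_LEN, b"\x00")))
    hostile = build_pdf(build_font(b"A" * SING_UNIQUENAME_LEN))
    print("benign:", scan_pdf(benign))    # [(0, 'sing-present')]
    print("hostile:", scan_pdf(hostile))  # [(0, 'sing-overflow')]
```

A 'sing-present' hit is only a lead: legitimate SING glyphlet fonts exist, but they are rare enough in mail attachments that any such document deserves a look in a sandbox with a vulnerable reader. A 'sing-overflow' hit is the exploit condition itself and should be treated as malicious regardless of which payload follows.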
What does Asruex do
Once Asruex infects a host, it runs a built-in sequence. One of the first actions is thorough information gathering, covering running processes, module versions, file names, and disk name strings.
All of this is collected to check whether the malware is running inside a debugger, sandbox or virtual machine. This anti-analysis check means the malware only continues if none of those indicators is found on the computer.
It then searches for reachable network shares and copies itself to other devices on the network where it can; attached removable storage devices are used the same way. Malware of this type installs backdoor modules that let the attackers take control of the hosts, steal data, and spy on the victims.
How to remove Asruex trojan
To fully remove Asruex from your computer, follow the removal instructions below. If the manual steps (1 to 3) do not seem to work and you still see Asruex or programs related to it, we suggest what most security experts advise: download and run a scan of your computer with a reputable anti-malware program. This saves time, removes all Asruex files and related programs, and protects your computer against such malware in the future. Because Asruex copies itself to network shares and removable media, any hosts and drives that were connected to the infected machine should be checked as well.
Preparation before removing Asruex Trojan
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Back up all of your files, even those that may already be damaged. Use a cloud backup solution to insure your files against any type of loss, even from the most severe threats. Keep in mind that this variant infects PDFs, Word documents and executables, so scan a backup taken from an infected machine before restoring from it.
- Be patient as this could take a while.
Step 1: Boot Your PC in Safe Mode to isolate and remove Asruex Trojan
- Hold the Windows key + R
- The “Run” Window will appear. In it, type “msconfig” and click OK.
- Go to the “Boot” tab. There select “Safe Boot” and then click “Apply” and “OK”.
- When prompted, click on “Restart” to go into Safe Mode.
- You can recognize Safe Mode by the words written on the corners of your screen.
Step 2: Clean any registry entries created by Asruex Trojan on your computer.
The registry keys usually targeted on Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows Registry Editor and deleting any values created by Asruex Trojan there. On 64-bit Windows, 32-bit programs register under HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as well, so check that key too. Follow the steps underneath:
- Open the Run window again, type “regedit” and click OK.
- When it opens, navigate to the Run and RunOnce keys whose locations are shown above.
- You can remove the malware's value by right-clicking on it and choosing Delete. Note the file path the value points to before deleting it; that is the file to hunt for in Step 3.
Step 3: Find files created by Asruex Trojan
For Newer Windows Operating Systems
1: On your keyboard press the Windows key + R, write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type "fileextension:" followed by the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created.
N.B. Wait for the green progress bar in the address box to fill up, since the PC may still be searching for the file and not have found it yet.
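Steps 2 and 3 can be done in one pass: read the four Run/RunOnce keys, work out which file each value actually launches, and flag the ones worth hunting for in Explorer. The script below is an added example written for this page, not a tool from the article; the heuristics (autostart binaries in user-writable folders, document names with an executable suffix, entries whose file no longer exists) are my own choices and produce leads, not verdicts. On Windows it reads the live registry through the standard winreg module; the SAMPLE_VALUES dictionary is constructed data so the logic can also be run offline.

```python
import os
import re

# The four autostart keys listed in Step 2 (HKLM/HKCU Run and RunOnce).
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
# Heuristic chosen for this example: installers rarely put autostart binaries
# in user-writable locations, malware very often does.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s",]+)')


def command_path(value):
    """Program a Run value launches, resolved the way CreateProcess would."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: try successively longer whitespace-delimited prefixes until
    # one names an executable (the reason unquoted paths with spaces are risky).
    parts = value.split()
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXEC_EXTS):
            return candidate
    return parts[0] if parts else ""


def referenced_paths(value):
    """Launched program plus any executable path in its arguments, so that
    rundll32/regsvr32-style loaders surface the DLL they really run."""
    paths = [command_path(value)]
    for quoted, bare in PATH_RE.findall(value):
        p = quoted or bare
        if p and p not in paths and p.lower().endswith(EXEC_EXTS):
            paths.append(p)
    return paths


def assess(path, exists=os.path.exists):
    """Reasons a path deserves a closer look; an empty list means nothing odd."""
    reasons = []
    low = path.lower().replace("/", "\\")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    stem = low.rsplit("\\", 1)[-1]
    if stem.count(".") > 1 and stem.endswith(EXEC_EXTS):
        reasons.append("double extension (document name with an executable suffix)")
    if "\\" in low and not exists(path):
        reasons.append("file missing (dangling autostart)")
    return reasons


def read_live_run_keys():
    """Read the real keys; Windows only, winreg does not exist elsewhere."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out = {}
    for hive, key in RUN_KEYS:
        try:
            handle = winreg.OpenKey(hives[hive], key)
        except OSError:
            continue
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(handle, index)
            except OSError:
                break
            out[(hive, key, name)] = str(data)
            index += 1
    return out


def audit_run_keys(values=None, exists=os.path.exists):
    """(key, value name, path, reasons) for every path worth checking.
    `values` maps (hive, key, name) -> command line; None reads the registry."""
    if values is None:
        values = read_live_run_keys()
    report = []
    for (hive, key, name), cmd in values.items():
        for path in referenced_paths(cmd):
            reasons = assess(path, exists)
            if reasons:
                report.append((hive + "\\" + key, name, path, reasons))
    return report


# Constructed sample values (not taken from a real infection) for offline use.
SAMPLE_VALUES = {
    ("HKLM", RUN_KEYS[0][1], "SecurityHealth"):
        r"C:\Windows\system32\SecurityHealthSystray.exe",
    ("HKCU", RUN_KEYS[1][1], "OneDrive"):
        r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    ("HKCU", RUN_KEYS[1][1], "Updater"):
        r"rundll32.exe C:\Users\bob\AppData\Roaming\svc\report.pdf.dll,Start",
    ("HKLM", RUN_KEYS[2][1], "Old"):
        r"C:\Program Files\Gone\gone.exe -silent",
}

if __name__ == "__main__":
    for key, name, path, why in audit_run_keys(SAMPLE_VALUES, exists=lambda p: "Gone" not in p):
        print(f"{key}\\{name}: {path} -> {', '.join(why)}")
```

The sample output shows why these are leads rather than verdicts: OneDrive legitimately starts from AppData\Local and is flagged, while the rundll32 entry is the kind of hit that matters, because the command itself looks harmless and only the DLL it loads reveals a document name with an executable suffix sitting in a roaming profile. Each flagged path is what you search for in Step 3, and the 64-bit Wow6432Node Run key mentioned in Step 2 can be added to RUN_KEYS in the same way.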
IMPORTANT!
Before starting “Step 4”, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.
Step 4: Scan for Asruex Trojan with SpyHunter Anti-Malware Tool
- Click on the “Download” button to proceed to SpyHunter’s download page.
- After you have installed SpyHunter, wait for it to update automatically.
- After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
- After SpyHunter has finished scanning your PC and found files of the associated threat, you can have them removed automatically and permanently by clicking on the ‘Next’ button.
If any threats have been removed, it is highly recommended to restart your PC.