SocksBot Trojan

Attack Type: InfoStealer/Trojan

Commentary: SocksBot is delivered through spear-phishing emails via a multi-stage infection chain of heavily obfuscated PowerShell and JavaScript droppers. The emails target financial companies in CIS countries and carry spoofed contracts containing URLs that lead to the malicious payloads. The PowerShell scripts check for running anti-virus processes, establish persistence, bypass UAC, and then drop and execute the SocksBot Trojan by injecting it into running processes. Because the payload is injected directly into process memory, it never touches the disk and leaves almost no trace; the droppers and the persistence mechanism they establish are the stages that remain observable on the host. Its Trojan capabilities include process enumeration (process listing), screenshot capture, file download and upload, file execution, and spawning new processes and injecting into them. C2 communication takes place over sockets.
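The dropper behaviours listed above (anti-virus process discovery, persistence, UAC bypass, in-memory injection, heavy obfuscation) are exactly what a defender can look for in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not code from the original page and not SocksBot's own code: it peels one layer of Base64 off constructed 4104 entries and scores each block against generic indicator patterns. The indicator lists, the flattened `EventID|ScriptBlockText=` line format, the entropy threshold and the sample events are all constructed assumptions, not indicators extracted from the actual malware.

```python
"""Triage PowerShell Script Block Logging (Event ID 4104) entries for the
dropper behaviours described above: anti-virus process discovery,
persistence, UAC bypass and in-memory process injection, after peeling
off one layer of Base64 obfuscation.

Added example, not SocksBot code. The indicator lists, the log format and
the sample events are constructed assumptions, not indicators extracted
from the actual malware.
"""
import base64
import math
import re
from collections import Counter

# Generic PowerShell / Win32 tells for each behaviour (assumption: common
# techniques, not signatures taken from SocksBot).
INDICATORS = {
    "av_discovery": re.compile(
        r"Get-Process\b.*\b(avp|MsMpEng|ekrn|avguard|bdagent|mcshield)\b", re.I),
    "persistence": re.compile(
        r"CurrentVersion\\Run\b|Register-ScheduledTask|schtasks(\.exe)?\s+/create", re.I),
    "uac_bypass": re.compile(
        r"Classes\\mscfile\\shell\\open\\command|ms-settings\\shell\\open\\command"
        r"|\bfodhelper\b|\beventvwr\b", re.I),
    "injection": re.compile(
        r"VirtualAllocEx|WriteProcessMemory|CreateRemoteThread"
        r"|NtMapViewOfSection|QueueUserAPC", re.I),
}
OBFUSCATION = re.compile(
    r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\b|FromBase64String|\bIEX\b|Invoke-Expression", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ENTROPY_THRESHOLD = 5.0  # bits/char; plain cmdlet text sits near 4.5 (assumption)


def shannon_entropy(text):
    """Bits per character; long Base64 or random blobs score well above 5."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_base64_runs(text):
    """Decode every long Base64 run. -EncodedCommand payloads are UTF-16LE
    (every second byte is NUL); FromBase64String blobs are usually UTF-8."""
    decoded = []
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) % 2 == 0 and not any(raw[1::2]):
            decoded.append(raw.decode("utf-16-le"))
        else:
            try:
                decoded.append(raw.decode("utf-8"))
            except UnicodeDecodeError:
                continue
    return decoded


def triage_script_block(script_text):
    """Classify one script block. Indicators are matched against the raw
    text plus everything recovered from embedded Base64."""
    layers = [script_text] + decode_base64_runs(script_text)
    joined = "\n".join(layers)
    entropy = shannon_entropy(script_text)
    return {
        "behaviours": sorted(n for n, rx in INDICATORS.items() if rx.search(joined)),
        "obfuscated": bool(OBFUSCATION.search(script_text)) or entropy > ENTROPY_THRESHOLD,
        "decoded_layers": len(layers) - 1,
        "entropy": round(entropy, 2),
    }


def triage_log(lines):
    """Parse constructed 'EventID|ScriptBlockText=...' lines and keep only
    4104 events that show a dropper behaviour or obfuscation."""
    findings = []
    for line in lines:
        event_id, _, rest = line.partition("|")
        if event_id != "4104" or not rest.startswith("ScriptBlockText="):
            continue
        result = triage_script_block(rest[len("ScriptBlockText="):])
        if result["behaviours"] or result["obfuscated"]:
            findings.append(result)
    return findings


# Constructed sample events (assumption: real entries come from the
# Microsoft-Windows-PowerShell/Operational channel, flattened here to one line).
_STAGE2 = ("Get-Process | Where-Object { $_.Name -match 'MsMpEng|avp' }; "
           "$k = 'HKCU:\\Software\\Classes\\mscfile\\shell\\open\\command'; "
           "[Kernel32]::VirtualAllocEx($h, 0, $len, 0x3000, 0x40)")
_ENCODED_COMMAND = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
_PERSIST = base64.b64encode(
    b"schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.ps1").decode()

SAMPLE_EVENTS = [
    "4104|ScriptBlockText=Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "4104|ScriptBlockText=powershell.exe -nop -w hidden -enc " + _ENCODED_COMMAND,
    "4104|ScriptBlockText=$p = [Convert]::FromBase64String('" + _PERSIST
    + "'); IEX([Text.Encoding]::ASCII.GetString($p))",
    "4103|ScriptBlockText=ignored, not a script block event",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_EVENTS):
        print(finding)
```

Script Block Logging records the script text PowerShell actually compiles, so it is the natural place to catch the dropper stage even though the injected payload itself never touches disk; a single decode pass is enough for the constructed samples, but real droppers may stack several encoding layers and string-building tricks, so the decoded text should be fed back through the same triage until nothing new is recovered.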