Summary
In 2011, the Noon malware was a Visual Basic Script virus that got its name from displaying pop-up message boxes at noon and midnight and then randomly launching a web browser to navigate to malicious websites. It has since evolved into a Trojan spyware that is distributed through spam emails and is programmed to bypass anti-virus software and install itself automatically, without any manual intervention.
This malware is currently being distributed in malspam campaigns that use product quote inquiries, shipping or delivery inquiries, fake invoice attachments, and product order requests. The Trojan spyware sends the data gathered from its victims via Hypertext Transfer Protocol (HTTP) POST to malicious websites belonging to the malware author.
Behaviors
- Logs the user's keystrokes
- Steals computer data such as operating system version, operating system architecture, username, and the user’s security identifier (SID)
- Steals stored email credentials from different mail clients
- Steals stored information such as user names, passwords and hostnames from different browsers
Capabilities
Impact
- Violation of user privacy - gathers user credentials and steals user information
Infection Chain
Sample Spam – Shipping inquiry spam
Detection Coverage
Solution Map – What should customers do?
Recommendations:
Make sure to always use the latest pattern available to detect the old and new variants of Noon malware.
Threat Report: