Golroted is the detection name for Hawkeye, a simple keylogger used by Nigerian scammers who targeted small and medium-sized businesses in 2015. The stolen data gave the scammers information about their victims' partners, affiliates and business contacts, which they used to launch further scams and to move laterally into larger organizations related to the original victims.
Golroted is distributed as Microsoft Word, Microsoft Excel and Rich Text Format attachments to phishing emails. The attachment carries encrypted malware code hidden inside the document. The Trojan-Spyware sends the stolen information to the malware author's email address via Simple Mail Transfer Protocol (SMTP).
For example, the Microsoft Excel attachment contains only macro code, while the Microsoft Word attachment contains an embedded image in addition to the macro code.
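Because this family exfiltrates over SMTP, one practical detection is to look for workstation processes other than sanctioned mail clients opening outbound connections to SMTP ports. The script below is an added example, not Trend Micro code: it parses a constructed, simplified network-connection log (the kind of data Sysmon Event ID 3 or a firewall log would supply), and flags SMTP connections whose source image is not on an assumed allow-list of mail clients. Hosts, paths and addresses in the sample are constructed.

```python
"""Flag outbound SMTP connections from processes that are not mail clients.

Added example (not Trend Micro code). The log lines are constructed in a
simplified "network connection" format; the allow-list of mail client
images is an assumption and should match what the estate actually uses.
"""
import re
from typing import Dict, List

SMTP_PORTS = {25, 465, 587}
# Assumed allow-list of sanctioned mail client executables (lower-case).
MAIL_CLIENT_IMAGES = {"outlook.exe", "thunderbird.exe"}

# Constructed sample events: one legitimate mail client connection, one
# HTTPS connection, and two SMTP connections from binaries in user-writable
# directories, which is the pattern a dropped keylogger would produce.
SAMPLE_EVENTS = """\
2019-06-18T10:01:02Z host=WS01 image=C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE dst=203.0.113.10 dport=587 proto=tcp
2019-06-18T10:01:09Z host=WS01 image=C:\\Users\\alice\\AppData\\Roaming\\winupdate.exe dst=203.0.113.25 dport=587 proto=tcp
2019-06-18T10:02:30Z host=WS02 image=C:\\Windows\\System32\\svchost.exe dst=198.51.100.7 dport=443 proto=tcp
2019-06-18T10:03:44Z host=WS02 image=C:\\Users\\bob\\AppData\\Local\\Temp\\report.exe dst=203.0.113.25 dport=25 proto=tcp
"""

# key=value pairs; a value runs until the next " key=" so paths may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse '<timestamp> key=value key=value ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, value in KV_RE.findall(rest):
        fields[key] = value
    return fields


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_smtp(log: str) -> List[Dict[str, str]]:
    """Return events where a non-mail-client process connects to an SMTP port."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("proto") != "tcp" or int(ev.get("dport", 0)) not in SMTP_PORTS:
            continue
        if image_name(ev.get("image", "")) in MAIL_CLIENT_IMAGES:
            continue
        alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in find_suspicious_smtp(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['host']}: {ev['image']} -> {ev['dst']}:{ev['dport']}")
```

On a real estate the allow-list would be driven from software inventory, and an image path under `AppData` or `Temp` talking SMTP is worth a higher severity than the same port from a signed, installed binary.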
This Trojan-Spyware steals the following:
- Computer information (OS details, IP address, system privileges)
- User names and passwords of games such as Minecraft
- Account information stored by File Transfer Protocol (FTP) clients and file manager software
- Email credentials of popular mail clients
- Browser-stored user names, passwords and hostnames
- User keystrokes (keylogging)
Behaviors
- Adds Image File Execution Options entries in the registry to prevent antivirus programs from executing
- Terminates itself when executed in a sandbox environment
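The Image File Execution Options (IFEO) behaviour listed above works by setting a "Debugger" value under the target executable's IFEO subkey, so Windows launches the named "debugger" instead of the security product. The script below is an added example, not Trend Micro code: it parses a registry export of the IFEO key and reports every subkey carrying a "Debugger" value, which is the check an incident responder would run to confirm or clean up this tampering. The executable names and paths in the sample export are constructed.

```python
"""Audit Image File Execution Options (IFEO) entries from a .reg export.

Added example (not Trend Micro code). Export the key with
`reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" ifeo.reg`
and feed the file to find_ifeo_debuggers(). Only subkeys with a "Debugger"
value are reported; other IFEO values (for example compatibility flags) are
legitimate and ignored. Names in SAMPLE_REG_EXPORT are constructed.
"""
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Constructed sample export: one benign subkey (no Debugger value) and two
# hijacked ones. "example-av.exe" stands in for a security product binary.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devtool.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-updater.exe]
"Debugger"="C:\\Users\\Public\\x.exe"
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value_data}} for every [key] block."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                # REG_SZ data is quoted and escapes backslashes as "\\".
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1].replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def find_ifeo_debuggers(text: str) -> List[Tuple[str, str]]:
    """List (hijacked_image, debugger_path) pairs found under the IFEO key."""
    hits: List[Tuple[str, str]] = []
    prefix = IFEO_KEY.lower() + "\\"
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(prefix):
            continue
        if "Debugger" in values:
            image = path.rsplit("\\", 1)[1]
            hits.append((image, values["Debugger"]))
    return hits


if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"IFEO Debugger set for {image} -> {debugger}")
```

Remediation is to delete the "Debugger" value (or the whole subkey if nothing legitimate created it) and then verify the security product starts again; a clean system normally has no "Debugger" values under IFEO unless a developer or vendor tool deliberately put one there.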
Capabilities
- Information Theft
- Propagation
Impact
- Financial loss - steals the user's financial information by harvesting browser data
- Compromised system security - disables the user's security software
- Violation of user privacy - gathers user credentials, logs keystrokes and steals user information
Infection Routine
File Reputation
Detection/Policy/Rules | Pattern Branch/Version | Release Date |
---|---|---|
TrojanSpy.Win32.GOLROTED.SMA.hp | ENT OPR 15.183.00 | June 18, 2019 |
Trojan.W97M.GOLROTED.B | | |
TrojanSpy.Win32.GOLROTED.BABBP | | |
Behavior Monitoring
Pattern Branch/Version | Release Date |
---|---|
TMTD OPR 1515 | February 12, 2016 |
Predictive Machine Learning
Detection | Pattern Branch/Version |
---|---|
TROJ.Win32.TRX.XXPE50FFF031 | In-the-cloud |
Web Reputation
Detection/Policy/Rules | Pattern Branch/Version |
---|---|
URL Protection | In-the-cloud |
Anti Spam
Pattern Branch/Version | Release Date |
---|---|
AS Pattern 4698 | June 20, 2019 |
Solution Map - What should customers do?
Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation |
---|---|---|---|---|---|---|---|---|
Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Endpoint Security | OfficeScan | XG (12.0) | Not Applicable | | | | | |
Endpoint Security | Worry-Free Business Security | Standard (10.0) | | | | | | |
Endpoint Security | Worry-Free Business Security | Advanced (10.0) | Update pattern via web console | | | | | |
Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Email and Gateway Security | InterScan Messaging Security | 9.1 | Not Applicable | | | | | |
Email and Gateway Security | InterScan Web Security | 6.5 | | | | | | |
Email and Gateway Security | ScanMail for Microsoft Exchange | 14.0 | | | | | | |
Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
Recommendation
- Always use the latest available pattern so that both old and new variants of the Golroted malware are detected.
- Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
- You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
- For support assistance, please contact Trend Micro Technical Support.