Golroted is the detection for Hawkeye which is a simple keylogger used by Nigerian scammers who targeted small and medium-sized businesses on 2015. This enabled the scammers to obtain information and knowledge about their victims’ partners, affiliates and business contacts to launch more scams, and move laterally across larger organizations related to the original victims.

Golroted is distributed in Microsoft Word, Microsoft Excel and Rich Text Format files through phishing emails. The attachment contains encrypted malware code hidden within the document. The Trojan-Spyware sends the stolen information to the email address of the malware author via Simple Mail Transfer Protocol (SMTP).

As an example: Microsoft Excel contains only macro code while Microsoft Word has additional embedded image with macro code.

This Trojan-Spyware steals the following:

• Computer Information (OS info, IP, System Privileged)
• User names and passwords of games such as Minecraft
• File Transfer Protocol (FTP) clients or file manager software stored account information
• Email credentials of popular mail clients
• Browser’s user names, passwords and hostnames
• Logs user's keystrokes

Behaviors

• Add Image File Execution Options in registry to prevent anti-virus programs from executing
• Terminates itself when executed in a sandbox environment.

Capabilities

• Information Theft
• Propagation

Impact

• Financial Loss - steals financial information of user by stealing browser information.
• Compromise system security - Disables user’s security software
• Violation of user privacy - gathers user credentials, logs keystroke and steals user information

Infection Routine

File Reputation

Behavior Monitoring

Predictive Machine Learning

Web Reputation

Anti Spam