
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

How to analyze Trojan with ANY.RUN

Top malware of this type

 #   Family            Type     Rank (all families)   Tasks overall
 2   Crimson RAT       Trojan   95                    311
 3   KrakenKeylogger   Trojan   92                    332
 4   Trickbot          Trojan   32                    4925
 5   Adwind            Trojan   37                    4162
 6   Agent Tesla       Trojan   5                     37768
 7   Revenge           Trojan   55                    1639
 8   Netwire           Trojan   36                    4176
 9   Gootkit           Trojan   65                    1192
10   Ursnif            Trojan   17                    9544
11   Metamorfo         Trojan   81                    556

(The "Trend changes" column is a weekly sparkline chart on the original page and is omitted here.)

What is a trojan malware?

According to the standard trojan malware definition, it is malicious software that pretends to be legitimate in order to deceive victims into downloading and executing it.

However, attackers now frequently distribute trojans via loaders, and as a result, advanced disguises are unnecessary and may not go beyond simply mimicking the name of a legitimate process. Additionally, trojan attacks often make use of social engineering tactics, spoofing, and phishing to persuade the user to take the desired action.

The most common purpose of these malicious programs is to gain unauthorized access to a user's computer and extract sensitive files and data, including credit card information and private email addresses. Trojans are often used to distribute other types of threats, including ransomware that encrypts users' files and demands payment for their decryption.


What can a trojan do to a computer?

The core functionality of such malware can vary significantly depending on its type (e.g., remote access trojan or trojan spyware). However, the most common features include:

• Data theft: Steals sensitive data from the infected computer, such as passwords, credit card numbers, and social security numbers.
• Keylogging: Records all keystrokes typed on the infected computer.
• Remote access: Lets attackers remotely control the infected computer.
• Downloading and installing other malware: Drops extra payloads on the infected computer.
• Modifying system files: Modifies system files to disable security software, create backdoors, and perform other malicious activities.
• Spreading through network connections: Spreads to other computers on the same network.

Some trojans target specific sectors. For instance, banking trojan malware is designed to steal banking credentials and other sensitive financial information, such as credit card and social security numbers. It can also be used to take over a user's online banking account and perform fraudulent transactions.

How do trojans spread?

Attackers have devised a variety of methods for infiltrating computers to deploy a trojan, including email attachments, infected websites, and file sharing platforms. When a user interacts with these sources by downloading and executing a malicious file, the trojan can be installed on their device without their knowledge.

Email phishing campaigns remain the most common vector of infection. Social engineering plays a significant part in how criminals manage to carry out successful attacks involving trojans.

Their tactics may include sending out thousands of spam emails that purport to come from a trusted entity, such as a well-known brand or a government organization, or using intimidation to scare the victim into performing harmful actions.

For instance, criminals behind one of the phishing campaigns aimed at spreading the STRRAT trojan targeted individuals on behalf of the MAERSK shipping corporation.

How can a trojan gain access to a computer?

A typical trojan malware infection chain follows these steps:

1. Initial access: Typically, an unknowing user downloads a trojan as an email attachment or a file from a website.
2. Execution: Once the trojan is delivered to the victim's computer, it typically installs itself by exploiting a vulnerability in the operating system or in other software applications.
3. Persistence: Once installed, the trojan tries to persist on the system so that it keeps running even after the victim reboots the computer. This may be done by modifying the system registry or by installing itself as a system service.
4. Privilege escalation and lateral movement: The malware then attempts to gain higher permissions on the infected system by exploiting security gaps. In many cases, the malicious program manages to spread across the entire network through lateral movement.
5. Collection and exfiltration: In this stage, the trojan gathers information from targeted systems and exfiltrates it to a remote server called the command-and-control (C2) server. It may also communicate with the C2 to download additional malware or receive commands.
6. Impact: Some trojans may disrupt organizations' operations by tampering with data and interrupting internal processes. For instance, ransomware trojans can encrypt files and, thus, prevent a targeted company from functioning.

Figure: Execution processes of Remcos displayed by the ANY.RUN malware sandbox (Remcos process tree).

Using the Remcos trojan as an example, we can trace this entire process in action by uploading a sample of this malware to the ANY.RUN interactive malware sandbox.

The Remcos trojan can be delivered in different forms. In our case, the entire infection chain starts with an executable file, which, once launched, initiates a VBS script that runs a command line and drops an executable file. This file is the main payload, which carries out malicious activities such as stealing information, changing the autorun value in the registry, and connecting to the C2 server.
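The following is an added example (not code from ANY.RUN or from the original page) that maps the infection-chain stages listed above onto the Remcos-style process tree just described: a launcher spawning a script host, a dropped executable being started, an autorun Run key being set, and an outbound connection to a non-local host. The event records, the simplified report format, the file paths and the 203.0.113.10 address are all constructed for the example.

```python
import ipaddress

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"   # matches Run and RunOnce
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed events in a simplified report shape (not ANY.RUN's real format),
# following the Remcos chain on this page: exe -> VBS -> cmd -> dropped payload.
TMP, ROAM = "C:\\Users\\u\\AppData\\Local\\Temp\\", "C:\\Users\\u\\AppData\\Roaming\\"
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "invoice.exe", "path": TMP + "invoice.exe"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "wscript.exe", "path": "C:\\Windows\\System32\\wscript.exe"},
    {"type": "process", "pid": 102, "ppid": 101, "image": "cmd.exe", "path": "C:\\Windows\\System32\\cmd.exe"},
    {"type": "file", "pid": 102, "op": "write", "path": ROAM + "svc.exe"},
    {"type": "process", "pid": 103, "ppid": 102, "image": "svc.exe", "path": ROAM + "svc.exe"},
    {"type": "registry", "pid": 103, "op": "set", "name": "svc", "data": ROAM + "svc.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "network", "pid": 103, "op": "connect", "dst": "203.0.113.10", "port": 8080},  # TEST-NET-3 placeholder
]

def stage_evidence(events):
    """Map raw events onto the page's chain stages: execution, persistence, C2 contact."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {e["path"].lower() for e in events if e["type"] == "file" and e["op"] == "write"}
    found = {"execution": [], "persistence": [], "c2": []}
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            # A non-script-host launcher spawning a script host is the VBS/cmd hop.
            if e["image"].lower() in SCRIPT_HOSTS and parent and parent["image"].lower() not in SCRIPT_HOSTS:
                found["execution"].append(f"{parent['image']} -> {e['image']}")
            # A file written by the chain and then started is a dropped payload.
            if e["path"].lower() in dropped:
                found["execution"].append(f"dropped payload started: {e['path']}")
        elif e["type"] == "registry" and e["op"] == "set" and RUN_KEY in e["key"].lower():
            found["persistence"].append(f"autorun {e['name']} = {e['data']}")
        elif e["type"] == "network" and e["op"] == "connect":
            ip = ipaddress.ip_address(e["dst"])
            if not any(ip in net for net in LOCAL_NETS):   # outbound to a non-local host
                found["c2"].append(f"pid {e['pid']} -> {e['dst']}:{e['port']}")
    return found

def trojan_like(events):
    """Triage verdict: all three observable stages present in the same run."""
    return all(stage_evidence(events).values())

if __name__ == "__main__":
    for stage, hits in stage_evidence(EVENTS).items():
        print(f"{stage:12} {hits}")
    print("trojan-like:", trojan_like(EVENTS))
```

Removing any one stage (for instance the Run-key write) drops the verdict to False, which is the point of requiring the chain rather than a single indicator.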

What are examples of the most persistent trojans today?

The threat landscape is changing by the hour, and the popular trojans of today may be gone forever tomorrow. To stay in the know about the latest trends in malware, as well as to collect fresh indicators of compromise and samples, use ANY.RUN's Tracker.

Here are some of the most active trojan families according to the service:

• RedLine: This trojan poses a significant threat to users by collecting their private information and distributing various damaging programs. The versatility of the software means that it can cause considerable harm to both personal and enterprise devices, leading to financial loss and data breaches.
• NjRAT: One of the most readily available RATs in current operation. There are plenty of educational resources providing guidance to aspiring attackers on how to use it.
• Agent Tesla: A program that is marketed as legitimate software but is actually trojan spyware that collects sensitive information about its victims. It records users' keystrokes and interactions to obtain personal data without their knowledge.

How can I detect a trojan?

Despite the prevalence of trojans, detecting them can be extremely challenging. They often use sophisticated techniques to evade detection by antivirus programs, making them a serious threat to cybersecurity.

Yet, uploading any suspicious file or link to the ANY.RUN malware sandbox can help you quickly discover whether the sample under inspection is a trojan, another type of malware, or a completely safe file. The service also shows the entire execution path of the sample and displays its network traffic activity.

Additionally, ANY.RUN enables you to interact with files, links, and the infected system in a safe VM environment just as you would on a normal computer.

You can also use the sandbox to gain the information needed to ensure timely trojan removal.


HAVE A LOOK AT

• Dridex (trojan, banker): Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.
• Emotet (trojan, loader, banker): Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims, but even private users get infected in mass spam email campaigns.
• Quasar RAT (trojan, rat): Quasar is a very popular RAT thanks to its code being available as open source. This malware can be used to control the victim's computer remotely.
• Netwire (trojan, rat, loader): Netwire is an advanced RAT, that is, malware that takes control of infected PCs and allows its operators to perform various actions. Unlike many RATs, this one can target every major operating system, including Windows, Linux, and macOS.
• Ursnif (gozi, dreambot; trojan, loader): Ursnif is a banking trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking trojans in the world.
• Adwind (trojan): Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware-as-a-Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs on the market in 2015.