
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware; the main functionality of each trojan family therefore differs significantly from one type to another. The most common trojan infection chain starts with a phishing email.

How to analyze Trojan with ANY.RUN


What is a trojan malware?

According to the standard trojan malware definition, it is malicious software that pretends to be legitimate in order to deceive victims into downloading and executing it.

However, attackers now frequently distribute trojans via loaders, and as a result, advanced disguises are unnecessary and may not go beyond simply mimicking the name of a legitimate process. Additionally, trojan attacks often make use of social engineering tactics, spoofing, and phishing to persuade the user to take the desired action.

The most common purpose of these malicious programs is to gain unauthorized access to a user's computer and extract sensitive files and data, including credit card information and private email addresses. Trojans are also often used to distribute other types of threats, including ransomware that encrypts users’ files and demands payment for their decryption.


What can a trojan do to a computer?

The core functionality of such malware can vary significantly depending on its type (e.g., remote access trojan or trojan spyware). However, the most common features include:

  • Data theft: Steals sensitive data from the infected computer, such as passwords, credit card numbers, and social security numbers.
  • Keylogging: Records all keystrokes typed on the infected computer.
  • Remote access: Lets attackers remotely control the infected computer.
  • Downloading and installing other malware: Drops extra payloads on the infected computer.
  • Modifying system files: Modifies system files to disable security software, create backdoors, and perform other malicious activities.
  • Spreading through network connections: Spreads to other computers on the same network.

Some trojans target specific sectors. For instance, banking trojans are designed to steal banking credentials and other sensitive financial information, such as credit card and social security numbers. They can also be used to take over a user's online banking account and perform fraudulent transactions.

How do trojans spread?

Attackers have devised a variety of methods for infiltrating computers to deploy a trojan virus, including email attachments, infected websites, and file sharing platforms. When a user interacts with these sources by downloading and executing a malicious file, the trojan can be installed on their device without their knowledge.

Email phishing campaigns remain the most common vector of infection. Social engineering plays a significant part in how criminals manage to carry out successful attacks involving trojans.

Their tactics may include sending out thousands of spam emails on behalf of a trusted entity, such as an actual brand or government organization, or using intimidation to scare the victim and persuade them to perform harmful actions.

For instance, criminals behind one of the phishing campaigns aimed at spreading the STRRAT trojan targeted individuals on behalf of the MAERSK shipping corporation.

How can a trojan gain access to a computer?

A typical trojan malware infection chain follows these steps:

  1. Initial access: Typically, an unknowing user downloads a trojan as an email attachment or a file from a website.
  2. Execution: Once the trojan is delivered to the victim's computer, it typically installs itself by exploiting a vulnerability in the operating system or in other software applications.
  3. Persistence: Once installed, the trojan tries to persist on the system to continue running even after the victim reboots their computer. This may be done by modifying the system registry or by installing itself as a system service.
  4. Privilege escalation and lateral movement: The malware then attempts to gain higher permissions on an infected system by exploiting security gaps. In many cases, the malicious program manages to disseminate across the entire network through lateral movement.
  5. Collection and exfiltration: In this stage, the trojan gathers the information from targeted systems and exfiltrates it to a remote server called the command-and-control center (C2). It may also communicate with the C2 to download additional malware or receive commands.
  6. Impact: Some trojans may disrupt organizations’ operations by tampering with data and interrupting internal processes. For instance, ransomware trojans can encrypt files and, thus, prevent a targeted company from functioning.

[Figure: Remcos process tree. Execution processes of Remcos displayed by the ANY.RUN malware sandbox]

Using the Remcos trojan as an example, we can trace this entire process in action by uploading a sample of this malware to the ANY.RUN interactive malware sandbox.

The Remcos trojan can be delivered in different forms. In our case, the entire infection chain starts with an executable file, which, once launched, initiates a VBS script that runs a command line and drops an executable file. This file is the main payload, which carries out malicious activities such as stealing information, changing the autorun value in the registry, and connecting to the C2 server.
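As an added example (not code from the ANY.RUN page or its product), the following Python maps constructed sandbox-style process, file, registry and network events onto the infection-chain stages listed above, using the executable → VBS script → command line → dropped payload → autorun registry change → C2 connection sequence of the Remcos sample. The event format, process names and the 203.0.113.10 address are assumptions made for the example.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
RUN_KEY = "\\currentversion\\run"  # autorun registry location the payload modifies

# Constructed sandbox-style events mirroring the chain described above (not real ANY.RUN output).
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "invoice.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "file_write", "pid": 300, "path": "C:\\Users\\Public\\update.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "update.exe"},
    {"type": "registry", "pid": 400, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "network", "pid": 400, "dst": "203.0.113.10:2404"},  # placeholder C2 address
]

def lineage(pid, procs):
    """Image names from the root ancestor down to pid (lower-cased)."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].lower())
        pid = procs[pid]["ppid"]
    return chain[::-1]

def classify(events):
    """Map events onto infection-chain stages; return the stages seen and a verdict."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    # File name -> writer pid for every executable written during the run
    dropped = {e["path"].lower().rsplit("\\", 1)[-1]: e["pid"]
               for e in events if e["type"] == "file_write" and e["path"].lower().endswith(".exe")}
    stages, payload_pids = set(), set()
    for pid, p in procs.items():
        chain = lineage(pid, procs)
        # Execution: exe -> script host -> shell, the layering the Remcos sample shows
        if len(chain) >= 3 and chain[-2] in SCRIPT_HOSTS and chain[-1] in SHELLS:
            stages.add("execution")
        # Dropped payload: a freshly written .exe started beneath that shell
        name = p["image"].lower()
        if name in dropped and dropped[name] in procs and SHELLS & set(chain[:-1]):
            stages.add("dropped_payload")
            payload_pids.add(pid)
    for e in events:
        if e["type"] == "registry" and e["pid"] in payload_pids and RUN_KEY in e["key"].lower():
            stages.add("persistence")  # autorun value changed by the payload
        if e["type"] == "network" and e["pid"] in payload_pids:
            stages.add("c2_contact")  # payload reaches out to a remote server
    core = {"execution", "dropped_payload", "persistence"}
    verdict = "trojan-like chain" if core <= stages else "inconclusive"
    return stages, verdict

if __name__ == "__main__":
    print(classify(EVENTS))
```

The verdict requires all three core stages, so a lone script host or a single Run-key write does not trigger it on its own.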

What are examples of the most persistent trojans today?

The threat landscape is changing by the hour and the popular trojans today may be gone forever tomorrow. To stay in the know about the latest trends in malware, as well as collect fresh indicators of compromise and samples, use ANY.RUN’s Tracker.

Here are some of the most active trojan families according to the service:

  • RedLine: This trojan poses a significant threat to users by collecting their private information and distributing various damaging programs. The versatility of the software means that it can cause considerable harm to both personal and enterprise devices, leading to financial loss and data breaches.
  • NjRAT: One of the most readily available RATs in current operation. There are plenty of educational resources providing guidance to aspiring attackers on how to use it.
  • Agent Tesla: It is a program that is marketed as legitimate software but is actually a trojan spyware that collects sensitive information about its victims. It records users’ keystrokes and interactions to obtain personal data without their knowledge.

How can I detect a trojan?

Despite the prevalence of trojan viruses, detecting them can be extremely challenging. They often use sophisticated techniques to evade detection from antivirus programs, making them a serious threat to cybersecurity.

Yet, uploading any suspicious file or link to the ANY.RUN malware sandbox can help you quickly discover if the sample under inspection is a trojan, another type of malware, or a completely safe file. The service also shows the entire execution path of the sample and displays its network traffic activity.

Additionally, ANY.RUN enables you to interact with files, links, and the infected system in a safe VM environment like you would on a normal computer.

You can also use the sandbox to gain the information needed to ensure timely malware trojan removal.


Related malware families

  • Agent Tesla (trojan, RAT, stealer): Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.
  • Raspberry Robin: Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
  • Remcos (trojan, RAT, stealer): Remcos is a RAT-type malware that attackers use to perform actions on infected machines remotely. This malware is very actively kept up to date, with updates coming out almost every single month.
  • Grandoreiro: Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.