Malware writers have devised lots of social engineering tactics to lure users into their scheme. This time around, we saw a Trojan passing itself off as a Trend Micro component as a way to trick users into downloading and executing it.
We recently encountered a file and noticed the following properties (see below). For the untrained eye, this file can be mistaken as a Trend Micro product/component. But during our analysis, we verified this file as a Trojan in disguise. We believe that by spoofing Trend Micro properties, the people behind this threat are hoping to trick unwitting users into executing the file. This malware is already detected by Trend Micro as TROJ_RIMECUD.AJL.
When user executes TROJ_RIMECUD.AJL, it creates the process svchost.exe where it injects its malicious code. Once done, the malware downloads a component package (refer to Figure 2).
