Tweet

TrendLabs engineers noted a recent malicious scheme that attempts to spoof an Adobe update but is actually a Trojan variant detected as TROJ_FAYKDOBE.A. This malware bears identical icons and version details to an Adobe update, which enables it to bypass antivirus software and system analysts and to trick users into believing that it is legitimate.

Once executed, TROJ_FAYKDOBE.A drops other malicious files detected as BKDR_VB.JGT, BKDR_VB.JHM, and BKDR_VBBOT.AP. These files perform different but complementary functions. BKDR_VBBOT.AP acts as the main component and connects to specific servers to listen to commands from a remote user. It also loads BKDR_VB.JHM, the malware used to retrieve data, to launch a process in both local and remote machines, and to terminate certain running processes. Lastly, BKDR_VB.JGT serves as a proxy server, which allows remote users to access affected systems.

This scheme also brings to mind another incident in Vietnam wherein a Trojan backdoor detected as BKDR_VBOT.A disguised itself as VPSKeys. This malware is used to establish a botnet designed to spy on an infected system and to participate in distributed denial-of-service (DDoS) attacks. It also drops BKDR_VBBOT.AP. Like TROJ_FAYKDOBE.A, BKDR_VBOT.A was also written using the Visual Basic language and posed as a legitimate software to trick users into downloading it onto their systems.

Trend Micro™ Smart Protection Network™ protects users from these threats by preventing the download and execution of malicious files like TROJ_FAYKDOBE.A, BKDR_VB.JGT, BKDR_VB.JHM, BKDR_VBBOT.AP, and BKDR_VBOT.A.