Felipe Infostealer Trojan
The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself on the victim's system and connects to a command-and-control (C&C) server to exfiltrate information about the compromised system.
The malware is compiled for both 32-bit and 64-bit Windows. Felipe's primary purpose is to steal the victim's debit and credit card data and send it, along with other personal information, to the remote C&C server. After a successful infection it also schedules a date and time at which to carry out further malicious activity on the victim machine.
Felipe takes process memory dumps to obtain raw user data. It then applies an algorithm to that data to identify payment card numbers and to verify that they are valid. The harvested information is sent to the C&C server encrypted with the Triple Data Encryption Standard (3DES) algorithm.
Indicators of Compromise
URLs
- 192.99.215[.]95/uploads
- Inmemory[.]tech
Filenames
- down.exe
- explorer32.exe
- install2.bat
- vshost.exe
MD5 File Hashes
- 15CE8F849FFF4CC8675900EC838A93F9
- 61B06E49D514F3DC5BE4F4EF08F6B43C
- 7D016A3BB29904A6E00161694FC6AB4E
- D912771C8CD5720AD835E08EB80A77B6
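To put the indicators above to use, here is an added example (not code from the Zscaler research or from this site) that loads the published IoCs, refangs the defanged URLs, and sweeps two constructed inputs for matches: a few proxy/DNS log lines and a file-inventory export of (path, MD5) pairs such as an EDR would produce. The log lines, paths and the two non-matching hashes are constructed for illustration; only the hosts, filenames and the one matching MD5 come from the list above. Hash matches are reported as high confidence and filename-only matches as low confidence, because names such as vshost.exe are also used by legitimate software (Visual Studio's hosting process) and a binary can be renamed at will.

```python
import hashlib

# Indicators as published in the advisory (URLs defanged with "[.]").
IOC_URLS = ["192.99.215[.]95/uploads", "Inmemory[.]tech"]
IOC_FILENAMES = {"down.exe", "explorer32.exe", "install2.bat", "vshost.exe"}
IOC_MD5 = {
    "15CE8F849FFF4CC8675900EC838A93F9",
    "61B06E49D514F3DC5BE4F4EF08F6B43C",
    "7D016A3BB29904A6E00161694FC6AB4E",
    "D912771C8CD5720AD835E08EB80A77B6",
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', 'hxxp') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


# Hosts to look for in network telemetry (IP or domain only, path dropped).
IOC_HOSTS = {refang(u).split("/", 1)[0] for u in IOC_URLS}
IOC_MD5_LOWER = {h.lower() for h in IOC_MD5}


def host_of(token: str) -> str:
    """Extract a bare host from a log token such as 'url=http://1.2.3.4/x' or 'dst=1.2.3.4:443'."""
    value = token.split("=", 1)[1] if "=" in token else token
    value = value.lower()
    for scheme in ("http://", "https://"):
        if value.startswith(scheme):
            value = value[len(scheme):]
    return value.split("/", 1)[0].split(":", 1)[0]


def match_network_log(lines):
    """Return [(line, [matched hosts])] for lines that reference a C&C host."""
    hits = []
    for line in lines:
        matched = sorted({host_of(t) for t in line.split()} & IOC_HOSTS)
        if matched:
            hits.append((line, matched))
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 of file contents, for comparison against the published hashes."""
    return hashlib.md5(data).hexdigest()


def match_inventory(records):
    """records: (path, md5hex) pairs, e.g. from an EDR file-inventory export.
    A hash match is high confidence; a filename-only match is low confidence,
    because names like vshost.exe also belong to legitimate software."""
    hits = []
    for path, md5 in records:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if md5.lower() in IOC_MD5_LOWER:
            hits.append((path, "md5 match", "high"))
        elif name in IOC_FILENAMES:
            hits.append((path, "filename match", "low"))
    return hits


# Constructed sample telemetry (not real data from the advisory).
SAMPLE_PROXY_LOG = [
    "2019-03-01T10:02:11Z src=10.0.0.12 dst=192.99.215.95 url=http://192.99.215.95/uploads method=POST",
    "2019-03-01T10:02:13Z src=10.0.0.12 dst=172.217.0.46 url=https://www.example.com/ method=GET",
    "2019-03-01T10:05:40Z src=10.0.0.7 dns_query=inmemory.tech",
]
SAMPLE_INVENTORY = [
    # constructed path; hash is one of the published IoCs -> high confidence
    (r"C:\Users\alice\AppData\Roaming\explorer32.exe", "d912771c8cd5720ad835e08eb80a77b6"),
    # constructed: matching name only, placeholder hash -> low confidence
    (r"C:\Dev\MyApp\bin\Debug\vshost.exe", "0" * 32),
    # constructed: benign file, placeholder hash -> no hit
    (r"C:\Windows\explorer.exe", "f" * 32),
]

if __name__ == "__main__":
    for line, hosts in match_network_log(SAMPLE_PROXY_LOG):
        print("NETWORK", hosts, line)
    for path, reason, confidence in match_inventory(SAMPLE_INVENTORY):
        print("FILE", confidence, reason, path)
```

Run the file directly to see the two network hits and the two file hits; for a real hunt, feed match_network_log with exported proxy or DNS logs and match_inventory with an EDR hash inventory. Note that MD5 is adequate for matching the known samples listed here but is defeated by a simple recompile, so the C&C hosts are the more durable indicators to alert on.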

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.