Malwarebytes researchers spotted a resurgence in the use of the elusive Moker trojan, which also goes by the names Yebot and Tilo, and were able to take a closer look at its functions.
The trojan was first noticed in 2015 and is unusual in its ability to bypass and disable security products, obtain system privileges, and be controlled without an internet connection; it also takes great care to frustrate post-detection forensic analysis, according to an October 2015 enSilo blog post.
“For a long time, we could not find a sample with working CnC in order to do deeper research,” researchers said in the Malwarebytes post. “Finally, we found such a sample.”
The malware uses encrypted communication and its server responds with encrypted content; the malware then injects itself into other applications and begins sending further requests, the Malwarebytes report said. Researchers also noted that the internal structure of this module is very interesting, as it uses self-modifying code whose execution is driven by VEH (Vectored Exception Handlers).
Moker is distributed via exploit kits and compromised sites and consists of two main modules: Stage 1, a downloader, and Stage 2, a DLL containing the core malicious features, according to an April 21, 2017 Malwarebytes blog post.
Researchers believe the trojan has been produced and sold on the black market after possibly being abandoned by its original developers.