Concrete signature match: Trojan - Appears legitimate but performs malicious actions for 64-bit Windows platform, family Reflo
This threat is a Win64 Trojan from the Reflo family, leveraging the known r77-rootkit for deep system compromise, stealth, and persistence. It utilizes reflective DLL loading, extensive API hooking, and abuses legitimate Windows utilities like mshta, PowerShell, BITS, and scheduled tasks to maintain control and evade detection.
Relevant strings associated with this threat: - ?ReflectiveDllMain@@YAHPEAE@Z (PEHSTR_EXT) - \CRYPTOCOIN\rootkit\r77-rootkit-master_1.3.0\r77-rootkit-master\vs\x64\Release\r77-x64.pdb (PEHSTR_EXT) - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT) - rundll32 (PEHSTR_EXT) - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT) - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT) - !#HSTR:ExecutionGuardrails (PEHSTR_EXT) - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT) - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT) - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
e462b4cd9a58c4cd538e4d87406fa8659661d260c1eb83f157ba2dd891a3972eImmediately isolate the infected system. Due to the rootkit capabilities, a clean reinstallation of the operating system is strongly recommended to ensure complete eradication. Additionally, change all credentials used on or accessed from the compromised system and investigate for signs of lateral movement or data exfiltration.