Information Security 10 min read

Detailed Analysis of a Targeted Trojan Distributed via a Fake Interview Outline

The article presents a comprehensive technical analysis of a sophisticated Windows trojan that masquerades as a Word document, detailing its delivery method, file extraction process, registry modifications, remote‑control capabilities, and the organized, targeted attack infrastructure behind it.


The report begins with a real‑world incident where a popular influencer received a private‑message interview outline that turned out to be a malicious executable; 360 security identified it as a trojan.

Sample information and flowcharts are provided, showing the multi‑stage payload that is disguised as a Word document (named XXXX采访提纲.exe) but is in fact an executable.

Upon execution, the trojan writes a temporary file to the C: drive to test write permissions, then deletes it and proceeds to unpack numerous hidden files, creating a hidden directory and launching various components such as C:\OA via explore, and extracting links.ini with a complex password.

Depending on the system architecture, it runs either Win1.bat or Win2.bat, which check for swapfile.sys to decide which encrypted .pfx file to rename to 2016mt.1r and place in C:\Windows. The batch files then invoke regedit.exe through shortcuts (ua.lnk) to register custom file extensions (.1r, .3f) and associate them with the VBE and INF handlers.

The payload includes heavily encrypted VBS scripts (e.g., mew.1r, bmd.vbe) that ultimately simulate mouse clicks to execute files in C:\$NtUninstallKB1601A$\BinBackup\MYTEMP, and write RunOnce entries to ensure persistence.
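As an added example (not from the report or from 360's own tooling), the following Python script parses a constructed .reg export and flags the two registry traces this stage leaves behind: unusual extensions handed to the VBE/INF script handlers, and a RunOnce value that launches something from the hidden BinBackup\MYTEMP directory. The sample entries and the ProgID names VBEFile/vbsfile/inffile are assumptions.

```python
# Constructed .reg export (sample data, not from the report) with the traits
# described above: .1r/.3f mapped to the VBE/INF handlers and a RunOnce value
# launching a script from the hidden BinBackup\MYTEMP directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.1r]
@="VBEFile"
[HKEY_CLASSES_ROOT\.3f]
@="inffile"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"mt"="wscript.exe C:\\$NtUninstallKB1601A$\\BinBackup\\MYTEMP\\mew.1r"
"legit"="C:\\Program Files\\Vendor\\updater.exe"
"""

SUSPICIOUS_EXTS = {".1r", ".3f"}  # extensions the report says the trojan registers
# Assumption: standard Windows ProgIDs for the VBE/VBS/INF handlers.
SCRIPT_PROGIDS = {"vbefile", "vbsfile", "inffile"}
STAGING_MARKER = "$ntuninstallkb1601a$"  # hidden staging dir named in the report


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def find_indicators(text):
    """Return (finding, registry key) pairs for the two traits described in the report."""
    findings = []
    for key, values in parse_reg(text).items():
        tail = key.rsplit("\\", 1)[-1].lower()
        # Trait 1: an unusual extension handed to a script-engine handler.
        if key.upper().startswith("HKEY_CLASSES_ROOT\\") and tail in SUSPICIOUS_EXTS:
            if values.get("@", "").lower() in SCRIPT_PROGIDS:
                findings.append((f"custom extension {tail} mapped to {values['@']}", key))
        # Trait 2: RunOnce persistence launching something from the staging directory.
        if tail == "runonce":
            for name, data in values.items():
                if STAGING_MARKER in data.lower():
                    findings.append((f"RunOnce value '{name}' runs from staging dir", key))
    return findings
```

On a live host the same logic can be run over the output of `reg export` for HKEY_CLASSES_ROOT and the RunOnce keys.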

Further stages replace trusted database files (e.g., qmvext.db ) to evade detection by Tencent security products, and use a rootkit tool to delete or replace security‑software trust files.

The trojan’s remote‑control capabilities include audio recording, file upload/download, service and file management, and screen monitoring. It injects code into svchost.exe using WriteProcessMemory, SetThreadContext, and ResumeThread, loading the malicious FreeImage module.

Analysis of the command‑and‑control infrastructure reveals that the attackers host their C2 servers on Alibaba Cloud in Qingdao, using custom URLs and encrypted payloads.

Finally, the report notes that the malware family employs highly targeted distribution, gathering victim credentials beforehand and delivering customized payloads, which makes it more profitable despite higher operational costs.

The authors recommend robust security software, user awareness of unsolicited files, and prompt password changes to mitigate such attacks.

Tags: information security, windows, malware analysis, payload, remote access, C2 infrastructure, trojan

Written by

Architect

Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.
