(...)
Talos observed an increase in ‘Generic Trojans’ across our telemetry - which is generally a binary exhibiting malicious intent/behavior, but may have no current associated ‘family’ or any other identifying features. Digging into this ‘Generic Trojan’, Talos observed many interesting things such as a repetitive file naming convention, URLs hosting the specific binaries, detection avoidance behavior and other earmarks of malicious intent. Within Talos, we use a multitude of sandbox environments in order to perform large scale analysis on malicious binaries which we used to analyze the ‘Generic Trojan’. The interesting development came when specific binaries failed to execute in some of our sandbox environments which led us to perform a more thorough analysis. As a result, we found the install base for this software to be approximately 12 million machines across the Internet. Installed with administrator rights, the software is able to harvest personal information, and install + launch executables uploaded by the controlling party.