A piece of malware is back in action, new and improved, using fresh techniques to attack users.
Sefnit, the botnet infection first spotted in September of 2013, triggered alarms earlier this year when researchers warned that millions of systems could be infected by the malware. One of Sefnit’s strengths was its use of the Tor network as a means of avoiding detection.
Microsoft researcher Jeff McDonald said a while ago that the malware was using Tor to hide its command and control servers, routing traffic through the anonymity network before connecting infected machines to their control servers.
The Sefnit infection is back, albeit without the use of a Tor client, said researchers at Facebook. Security experts working with the social network spotted the infection spreading in the wild.
This time, the researchers said, the Sefnit malware is operating without Tor, instead establishing direct connections to one or more command and control servers over a secure Plink connection. The malware, which initially tries to disguise itself as a Windows Theme system file, operates as a pair of executables.
In a detailed roundup of the infection, the researchers are hoping to give administrators and security teams details that can help them detect the new code, which they say appears to have come back to life in late March. The researchers listed thirty domains that have already been associated with the malware infections.
Once installed, the malware uses its control servers to receive orders or download additional payloads.