RogueAV (.BKM) Post-Compromise Traffic

This RogueAV traffic originates after a machine has been infected.

HTTP Request Method = GET
HTTP URI Fields = "*/api/test" OR "*/api/ping?stage=*" OR "*/html/viruslist/?uid=*" OR "*/content/scc"
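The rule above turned into detection logic and run over a few constructed proxy log lines, as an added example that is not part of the original post; the log line format, timestamps and IP addresses are assumptions made for the example.

```python
import re
from typing import Optional

# The four URI wildcard patterns from the rule above.
URI_PATTERNS = [
    "*/api/test",
    "*/api/ping?stage=*",
    "*/html/viruslist/?uid=*",
    "*/content/scc",
]

def glob_to_regex(pattern: str) -> "re.Pattern":
    # Only '*' is a wildcard here; '?' in the patterns is a literal query separator,
    # so do not use fnmatch (which would treat '?' as a single-character wildcard).
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")

COMPILED = [(p, glob_to_regex(p)) for p in URI_PATTERNS]

# Assumed proxy log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def match_rogueav(line: str) -> Optional[dict]:
    """Return an alert dict if the line is a GET whose URL matches a rule pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, url, _status = m.groups()
    if method != "GET":          # the rule is limited to GET requests
        return None
    for pattern, rx in COMPILED:
        if rx.match(url):
            return {"ts": ts, "src": src, "url": url, "pattern": pattern}
    return None

def scan(log_text: str) -> list:
    """Run the rule over every line of a log and collect the hits."""
    return [hit for hit in map(match_rogueav, log_text.splitlines()) if hit]

# Constructed sample log (documentation-range IPs, not real indicators).
SAMPLE_LOG = """\
2013-01-01T10:00:01Z 10.0.0.5 GET http://198.51.100.23/api/test 200
2013-01-01T10:00:02Z 10.0.0.5 GET http://198.51.100.23/api/ping?stage=2 200
2013-01-01T10:00:03Z 10.0.0.7 POST http://198.51.100.23/api/test 200
2013-01-01T10:00:04Z 10.0.0.9 GET http://example.test/html/viruslist/?uid=abc123 200
2013-01-01T10:00:05Z 10.0.0.9 GET http://example.test/index.html 200
2013-01-01T10:00:06Z 10.0.0.11 GET http://example.test/content/scc 404
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```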

Reference: http://about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au

Example: https://www.virustotal.com/file/91a07dda97e9ca7d414360cabd4a907bf3bc9945e36fd7ccfb2202c0cdad45f9/analysis/1356968033/
