WisdomEyes is a trojan able to perform a series of malicious activities, such as hijacking and changing browser settings, installing other malware, and stealing personal data. Other observed behaviours include modifying system files, creating unwanted tasks and showing advertisements on the user’s computer or browser.
Often bundled with free software or found on compromised websites, the threat may appear to users as a harmless PDF file, but it in fact contains an embedded executable with malicious content.
Upon infection, the malicious file attempts to inject code into other processes. It installs a hook to monitor the system for certain types of events, which gives the malware keylogging capabilities that can be used to record and exfiltrate user data. It also attempts to inject code into applications such as the user’s browser in order to serve unwanted advertisements and redirect the browser to other malicious sites.
In addition, WisdomEyes reads the local host.conf file in order to profile the network configuration of the victim’s machine and look for vulnerabilities that would allow the attacker remote access.
Using SentinelOne to Treat Trojan.WisdomEyes
As of 15 July, very few signature-based malware detectors were able to recognize the latest version of Trojan.WisdomEyes, which has been seen in the wild under the filenames ‘Impeachers7’ and ‘NEWORDER.exe’.
As demonstrated in the video, Trojan.WisdomEyes is automatically detected by SentinelOne and prevented from executing.
Policy Options – Detect vs Protect
A ‘Detect-only’ policy notifies the user when a threat is detected and leaves mitigation as a manual step. In the event of being compromised by Trojan.WisdomEyes, the user is immediately presented with a detection notification. This happens prior to execution of the threat, because SentinelOne detects the presence of the maliciously packed binary as soon as it is saved to the local disk. The policy allows the user to quarantine the threat with a one-click action. The ‘Detect-only’ policy is ideal for analysts and security teams that wish to conduct forensic investigations on the sample. For most users, however, SentinelOne’s Protect policy is likely to be more appropriate: it actively prevents execution of malicious code, so a trojan like WisdomEyes would be unable to infect the machine in the first place and no remediation would be needed.
File hash (SHA-256): e9dd9064bba45849efa8924edf38a8d60e984adba828cd9d884b1e10bf8ec20a
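The hash above and the filenames mentioned in the detection section are the only indicators this page publishes. The following is an added example, not SentinelOne’s code or part of the original post, showing how an analyst would sweep a directory tree for those indicators: every regular file is streamed through SHA-256 and reported if its digest matches the published hash, or, failing that, if its name matches one of the observed filenames. The target directory, the `Finding` record and the name-matching rule (basename compared case-insensitively, with or without extension) are assumptions for the example.

```python
"""IoC sweep for the Trojan.WisdomEyes indicators published on this page.

Added example (not SentinelOne's code). Walks a directory tree, hashes
each regular file with SHA-256 and reports matches against the published
hash or the filenames the sample was seen under in the wild.
"""
import hashlib
import os
from dataclasses import dataclass

# SHA-256 published on this page for the WisdomEyes sample.
WISDOMEYES_SHA256 = {
    "e9dd9064bba45849efa8924edf38a8d60e984adba828cd9d884b1e10bf8ec20a",
}

# Filenames the sample was observed under (from this page). Compared
# case-insensitively; matching the stem without extension is an assumption.
WISDOMEYES_NAMES = {"impeachers7", "neworder.exe"}


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    reason: str  # "hash" (exact binary match) or "name" (weaker indicator)


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def name_matches(filename: str, ioc_names) -> bool:
    """Match the basename, with or without its extension, against the IoC names."""
    lower = filename.lower()
    stem, _ext = os.path.splitext(lower)
    return lower in ioc_names or stem in ioc_names


def sweep(root: str, ioc_hashes=WISDOMEYES_SHA256, ioc_names=WISDOMEYES_NAMES):
    """Return a Finding for every regular file under root that matches an IoC.

    A hash match takes precedence over a name match: a filename is trivial
    to change, while the hash identifies the exact binary.
    """
    findings = []
    hashes = {h.lower() for h in ioc_hashes}
    names = {n.lower() for n in ioc_names}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in hashes:
                findings.append(Finding(path, digest, "hash"))
            elif name_matches(filename, names):
                findings.append(Finding(path, digest, "name"))
    return findings


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in sweep(target):
        print(f"{f.reason:4} {f.sha256} {f.path}")
```

A name-only finding should be treated as a lead, not a verdict: the hash of such a file is included in the output precisely so it can be submitted for further analysis, and a packed variant with a different hash will only ever be caught by the name rule or by behavioural detection of the kind the page describes.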