In recent months we have seen a spike in events associated with Taurus loader. Although Taurus has already been covered extensively by researchers, we think its spreading method was left untouched by the security community. This method allows this malware to generate new samples and infect new devices continuously.

Our research saw Taurus being downloaded using promoted cracked software sites. An individual trying to download pirated installations, using Google search engine, will discover sites containing this informative GIF:

It will instruct the unsuspecting user through the installation process of the illicit software of his or her choosing. Alas, following this interactive guide will result in an installation of Taurus loader. This social engineering trick increases the infection rate by allowing even non-technical users to successfully execute this evasive malware. To top it all, the download page is protected from bots by captcha, effectively preventing researchers from automatically extracting Taurus’ payloads.

Another less documented aspect of Taurus is its final payload decryption, which is achieved using a specially crafted machine code snippet. As detailed in our previous piece, Taurus uses AutoIt to perform various evasion techniques, and if a machine is deemed “safe” a payload will be decrypted in memory and executed. Instead of implementing its decryption algorithm in AutoIt, the malware developers have chosen to write an assembly implementation of their chosen stream cipher, RC4.

The RC4 encryption routine, as seen in Hex-Ray’s decompiler:









Minerva prevents Taurus loader with our hostile environment simulation, preventing the malware from using its own code:




















https://chcracked[.]com/ (the site redirects to the malicious website)




You can learn more about how Minerva’s technology can prevent even the stealthiest of malware attacks, by contacting us today.