
Taurus Project Stealer


Summary

Taurus Project is a combined information stealer and dropper trojan based on the older Predator spyware. It is delivered by the Fallout exploit kit via adult video sites, and has been used to deliver both SystemBC and Qakbot.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in May 2020, Taurus Project is an information stealing trojan and downloader based on the older Predator malware. It has been used in a number of campaigns against English-speaking countries, primarily Australia, the USA, and the UK.


Delivery

Taurus Project is delivered through large-scale malvertising campaigns using the Fallout exploit kit. Users are redirected to adult video websites, where their system is fingerprinted before Fallout deploys Internet Explorer or Flash exploits to gain code execution. Taurus Project is then dropped on the affected system.


Activities

Once delivered, Taurus Project attempts to harvest sensitive user and system information and send it to a command and control server, the address of which is supplied by Fallout at delivery time. If that succeeds, it then downloads and installs any additional payloads; SystemBC and Qakbot have both been observed being delivered this way.


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 89.203.249[.]76
  • 111.90.149[.]143

Domains

  • casigamewin[.]com

Host indicators

SHA256 hashes

  • 84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13
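The indicators above are published defanged (`[.]`) so they cannot be clicked or auto-linked. The following Python is an added example, not NHS Digital tooling: it refangs the listed indicators, sweeps log lines for the two IP addresses and the domain (including any subdomain of it), and hashes files for comparison against the published SHA256. The proxy, DNS and firewall log lines and their field layout are constructed for illustration and are not from the original page.

```python
"""Sweep logs and files for the Taurus Project IoCs listed on this page.

Added example: the IoC values are the ones published above; the sample log
lines below are constructed and do not come from the original advisory.
"""
import hashlib
import ipaddress
import re

# Indicators exactly as published above, still in defanged form.
DEFANGED_IPS = ["89.203.249[.]76", "111.90.149[.]143"]
DEFANGED_DOMAINS = ["casigamewin[.]com"]
SHA256_HASHES = {
    "84f6fd5103bfa97b8479af5a6db82100149167690502bb0231e6832fc463af13",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://evil[.]com') into its real form."""
    s = indicator.strip().lower()
    for defanged_dot in ("[.]", "(.)", "{.}"):
        s = s.replace(defanged_dot, ".")
    s = s.replace("[:]", ":").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", s)


IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host: str) -> bool:
    """True if host is an IoC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


# Candidate IPv4 addresses and hostnames inside a free-text log line.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_log_line(line: str):
    """Return the IoCs referenced by one log line, deduplicated, in order of appearance."""
    hits = []
    for tok in _IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            continue
        if ip in IPS and str(ip) not in hits:
            hits.append(str(ip))
    for tok in _HOST_RE.findall(line):
        if domain_matches(tok) and tok.lower() not in hits:
            hits.append(tok.lower())
    return hits


def scan_logs(lines):
    """Return (line_number, hits) for every line that references at least one IoC."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            results.append((number, hits))
    return results


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_bad_hash(digest: str) -> bool:
    """Case-insensitive comparison against the published SHA256 list."""
    return digest.lower() in SHA256_HASHES


# Constructed sample lines (proxy, DNS, firewall); the field layout is assumed.
SAMPLE_LOGS = [
    "2020-09-30T10:14:02Z proxy GET http://casigamewin.com/index.php client=10.0.0.15 status=200",
    "2020-09-30T10:14:05Z dns query www.casigamewin.com A from 10.0.0.15",
    "2020-09-30T10:15:11Z fw ALLOW tcp 10.0.0.15:51234 -> 111.90.149.143:443",
    "2020-09-30T10:16:00Z proxy GET https://www.example.org/ client=10.0.0.22 status=200",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

Point `scan_logs` at real proxy or DNS export lines and `sha256_file` at quarantined samples; the subdomain match in `domain_matches` is deliberate, because resolver logs frequently show `www.` or other labels in front of the registered domain, and a plain string equality check would miss them.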

Last edited: 1 October 2020 3:23 pm