SCF Advanced Search

  • Total Posts: 40153
  • Total Topics: 14262
  • Online Today: 823
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Trillium Toolkit Leads to Widespread Malware  (Read 2086 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Trillium Toolkit Leads to Widespread Malware
« on: 06. March 2016., 14:52:41 »
Trillium Toolkit Leads to Widespread Malware

This blog was written by Oliver Devane and Mohinder Gill.

Any aspiring cybercriminal can buy one of many malicious toolkits to craft a downloader and distribute malware. After a time these downloaders are leaked to forums and other download sites and become available to the masses. This is often when we see a spike in their use.

The toolkit Trillium Security MultiSploit Tool v3 was cracked last week and uploaded onto several malicious forums.

Trillium was created by a coder using the same name. The program contains a EULA that mentions it should not be used maliciously, but we are well aware that these types of kits are used for generating malware.

In order to use the builder, the user needs to acknowledge the EULA by clicking on a button. So we guess everyone who is using it is violating the policy.

Whenever you use the tool to create an exploit or a downloader you are reminded yet again not to use it maliciously.

Version 1 of this this tool appeared for sale at the end of last year for US$300 on a popular hacking forum. Since then, it has been updated to Version 3.

This toolkit allows the user to create several types of downloaders. It breaks them down into three options:

• Windows shortcut exploits

• Silent exploit

• Macro exploits

Windows shortcut exploits rename an executable to a specified filename and create a LNK file that uses PowerShell to execute.

This type offers the option to use different icons and file extensions, all to trick the target into executing the LNK file.

A silent exploit creates a file that downloads and executes a specified file from the Internet. The users have the option to create the following file types:

*.chm,*.wsf, *.vbs, *.hta, *.htm, *.html, *.bat, *.cmd, *.ps1, *.psc1, *.exe, *.pif, *.scr, *.com, *.url, *.lnk

Depending on the chosen options, the toolkit will create one of the following files:

• A Powershell script

• A Visual Basic executable

• A Visual Basic script

The PowerShell script, executed as hidden, downloads and runs a file.

The Visual Basic executable downloads and executes a file.

The Visual Basic script again downloads and executes a file.

Macro exploits allow users to create a macro that will download and execute a file. This type of attack is very common today; we have seen it used to spread Dridex and other ransomware families. The tool can create several macro versions, for example:

We have already observed this toolkit being used to distribute malware. We have seen spam campaigns using the macro exploit component, for example:


 Intel Security has several drivers that detect the files created by this toolkit. Detection is included in DAT Versions 8094 and later.

• Trojan-FHYT

• Trojan-FHYU

• W97M/Downloader.azi

• W97M/Downloader.azj

• W97M/Downloader.azk

We also recommend our customers read this blog containing preventive measures against Dridex. The advice should help mitigate some of the infections seen by malware created by this toolkit.

Original article:
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

Trillium Toolkit Leads to Widespread Malware
« on: 06. March 2016., 14:52:41 »


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising