Chinese Trojan targets cloud-based AV technologies

A Trojan that tries to obstruct cloud-based antivirus technology present in major AV solutions offered by Chinese security firms is targeting users by posing as a video player and other popular software.

According to Microsoft’s researchers, the attackers use social engineering techniques to get the victims to install the Trojan – called Bohu – on their system.

Once inside, the malware tries its best to not get noticed by the AV solution by modifying its payload components in such a way as to bypass hash-based detection.

Having achieved that goal, it tries to installs a Windows Sockets service provider interface (SPI) filter in order to block network traffic between the cloud security client and server and, for good measure, a Network Driver Interface Specification (NDIS) filter to impede the antivirus client to send any data to the server for further analysis.

“Bohu is part of the first wave of malware that specifically targets cloud-based antivirus technology,” say Microsoft’s researchers.