Trojan.Win32.Cometer.gen (virus) - Free Guide

What is Trojan.Win32.Cometer.gen?

Trojan.Win32.Cometer.gen is fileless malware designed to steal valuable information

Filess malware can be extremely dangerous, as it uses sophisticated evasion techniques

Some malware is just worse than the other, and Trojan.Win32.Cometer.gen definitely meets these criteria. Residing only in memory, this malicious program is extremely stealthy, capable of bypassing several protection measures on the targeted network, and also remaining invisible for a period of time to avoid detection. Once inside the system, it resides in memory for a while and focuses on stealing various data. Commercial sector or home consumers affected might suffer from serious financial losses, information leak, and other severe issues due to the infection.

Cometer Trojan was first analyzed by Kaspersky researchers back in 2017^[1] and remains active to this day. While the main targets of cybercriminals behind it are corporate networks, users who have adequate security measures installed on their systems might also find a warning about the incoming threat. Due to its complex nature and operation techniques, it is not always possible for anti-malware software to prevent intrusion.

Fileless malware^[2] is nothing new by new by now – we previously explored the complex and sophisticated threats like Nodersok or Astaroth several years ago. The nature of fileless malware, its ability to stay doormat for several days or even weeks, evasion techniques, and lack of traces for cybersecurity solutions to detect it makes it the prime choice for cybercriminals.

If you are interested in spreading, operating, avoidance, prevention, and mitigation aspects of Trojan.Win32.Cometer.gen, check the information below.

Spreading techniques: find out how to avoid the infection

Phishing emails

The Trojan is delivered as a file attachment to emails with malicious links or inside of a self-extracting archive. Its file extension is either .SCR or .EXE, allowing it to be easily mistaken for a legitimate application since many Windows users tend to trust such files. Besides, cybercriminals often use double extensions in order to deliberately mislead users and make them believe that the malicious file is safe to be opened.

Besides the obfuscation of the malicious file itself, the phishing message and composition of it can be sophisticated and hardly distinguishable from the real one. For example, the “From” email can often be faked and visually match a legitimate one, making victims automatically trust the email they have been sent.

Removable drives

Cometer can also transfer itself via removable drives, such as USB flash drives and memory sticks. If you are using external drives at your work or home computer and vice versa, keep in mind that malware might sneak into such a device without any signs or symptoms.

In order to avoid the infection, it is mandatory to be aware of the potential threat – users should never recklessly open suspicious emails (even if they look legit from the first glance), use untrustworthy removable drives, and always ensure to keep all the installed software patched with the latest security updates to mitigate vulnerabilities^[3] on the third-party and built-in programs.

Malware operation and mitigation techniques

Once it finds its way onto the target network, Cometer downloads a configuration file that allows it to stay hidden while being distributed throughout the environment. The malware is programmed to immediately start communicating with its C&C server(s) after the infection has been completed. Its primary objective is to harvest network configuration data and obtain a list of available drives.

Its next mission is to determine which drive contains the most valuable information, steal its content, send it back to the server, and delete it from the remote server in encrypted form, and then erase all traces of its presence on the system.

This complex process reveals that the creators behind Trojan.Win32.Cometer.gen have been focusing on stealth, speed, and reliability. In other words, the malware is specifically designed to avoid detection while targeting valuable data quickly and efficiently.

Since this trojan’s primary mission is data exfiltration, it can also be used for industrial or governmental espionage. Users should always keep an eye on their system’s behavior and stability to catch any signs of infections in time.

If the machine starts acting strangely or if it is unresponsive, users are advised to run a full system scan with a reputable anti-malware tool as soon as possible. Our recommendation is SpyHunter 5Combo Cleaner, although other reputable security software can be employed for the job as well. In order to be the most efficient, the scan should be performed in a Safe Mode environment. Here's how to access it:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

As soon as Safe Mode is reached, employ security software to perform a full system scan. Keep in mind that a compromised machine or a network might also be affected by other malware – we previously saw collaborations of well-known threats (for example, Djvu ransomware and AZORult).

Post-infection actions

Since the Trojan is programmed to remain invisible while residing in memory, antivirus suites or users notice the infection only after the fact. This can be particularly dangerous, so it is important to use all the possible prevention techniques to stay safe.

It is important to note that Cometer performs changes within the Windows registry, so it is important to fix it after the infection is terminated. In order to ensure that this issue is addressed and virus damage is remediated, we strongly recommend using a PC repair tool:

• Download FortectIntego installer
• Click on ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

After the technical side of the infection is dealt with, it is imperative to prevent further cybercriminal actions that can follow after a successful data harvest is committed. Changing all passwords for all user accounts and logins to networks/RDPs is necessary for extra security. Besides, reporting the attack to local authorities would be beneficial in order to help the law track and find the culprits responsible. You can find the contact information of various law enforcement agencies around the world below.