Trojan Saefko compiles a victim’s profile and can spread via USB devices

Saefko trojan steals credentials
Written by Brendan Smith

Zscaler analysts noticed that on the darknet started sales a new multifunctional Saefko trojan, written in .NET, which steals bank details, credentials, as well as information about cryptocurrency wallets.

Having penetrated the system, the Trojan will unpack itself in AppData and will enter into autorun to preserve a constant presence in the system, loading every time the infected machine is restarted.

Saefko then carefully checks the internet connection and extracts information from the Google Chrome browser to make a list of data suitable for theft.

Additionally, malware has a long and specific list of what it is desirable to learn about the victim and whatto transfer to the management server. Saefko is interested in data stored in Chrome, especially about visits to financial sites, social media, information about cryptocurrencies, games and much more.

Read also: Vulnerabilities in more than 40 drivers affect all PCs running Windows 10

For example, the trojan will check the logs for many sites, including PayPal, Amazon, Bitpay, Mastercard, Steam, Twitch, GameStop, Microsoft, YouTube, Capital, Bitstamp, Facebook, Instagram and Gmail Google.

Separately, the malware is interested in whether the victim uses large trading platforms (Boohoo, Superdry, Macy’s, Target and Alibaba), and whether the victim is of “commercial value” (LinkedIn, Financial Times,, Reuters and Zacks are checked for this).

“Malicious program compiles a very detailed user profile, evaluating account of bank card, possession of cryptocurrency, game activity, activity on Instagram, Facebook, YouTube, Google+ and Gmail, as well as purchasing activity and “business value”, – experts of Zscaler claim.

All the collected information is transmitted to the management server, and on its basis malware operators give Saefko a “green light” for the further development of the attack, activating four different modules: HTTPClinet, IRCHelper, KEYLogger and StartLocalServices (for distribution via USB).

As it’s easy to understand by the names of the modules, they are intended to collect additional data, intercept keystrokes, and also search for removable drives and network drives (the malware will be copied to any detected USB drives). Also, the Trojan can connect to the IRC server for various instructions (including downloading files, executing commands, opening URLs, sending system information, taking screenshots, receiving data about the system’s location or deleting itself).

Interestingly, at the end of their report, Zscaler experts noted that at one of the hacker forums they managed to find ads for a hacked version of Saefko RAT suitable for Windows and Android.

How to protect your system?

To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren’t from a trusted source. At the administrative level, it’s always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.

Leave a Reply