WhiskerSpy Malware Removal

WhiskerSpy, a potent backdoor malware, spreads through compromised websites. It infiltrates systems by enticing visitors with codec installer downloads to rectify video errors.

Once installed, it executes PowerShell commands to establish remote access. Additionally, it exploits Chrome’s native messaging host for persistent deployment, enabling actions like file manipulation, code injection, and screenshot capture.

WhiskerSpy Overview

VirusTotal results (screenshot)

Name: WhiskerSpy
Threat type: Backdoor
Detection: Trojan:Win32/Tiggre!rfn
Damage: Stolen passwords and banking information, identity theft, the victim’s computer added to a botnet.

Technical Analysis

WhiskerSpy supports a wide set of backdoor commands that let attackers interact with the compromised system, manipulate files, and run code. These include opening remote shells, downloading and uploading files, deleting files, listing files, capturing screenshots, loading and running executables, and injecting shellcode into running processes.

WhiskerSpy allows cybercriminals to wield arbitrary commands on the compromised system, granting them unrestricted access to its resources. This malware variant also enables the downloading of sensitive files from the compromised system, as well as the uploading of malevolent files onto it, potentially introducing additional malware strains.

Moreover, attackers can use WhiskerSpy to delete files from the compromised system, either to erase their traces or to disrupt its operation. The malware also supports enumerating the files on the compromised system, which helps attackers identify targets for exfiltration or manipulation. The backdoor can also capture screenshots of the compromised system, giving the operators a view of what the user is doing.

Ultimately, WhiskerSpy is a conduit for executing additional code on the compromised system, which makes it a staging point for installing further malware or backdoors. It can also inject code into running processes, allowing the operators to run further commands or access sensitive data from within a process that already has the required permissions.

Spreading Methods

The infection chain of WhiskerSpy has been established with certainty. The malware is distributed through a compromised website into which the attacker injected a malicious script. This script displays a notification to visitors urging them to download a codec installer, ostensibly to fix a video codec error encountered while trying to view content on the site.

The codec installer, packaged as an MSI executable, contains a series of PowerShell commands. These commands run during installation and end by deploying the WhiskerSpy backdoor. For persistence, the operators abuse Google Chrome’s native messaging host mechanism: they register a malicious extension named “Google Chrome Helper,” whose main role is to make the payload run each time the browser is launched, giving the malware a durable foothold.
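A native messaging host is registered through a small JSON manifest; Chrome launches the executable named in the manifest’s "path" whenever an allowed extension connects to it, which is why it works as a persistence point. A defender therefore wants to enumerate every registered host and flag the ones that look like a dropped script rather than a vendor binary. The script below is an added example, not code from the article or from any vendor: the two sample manifests are constructed for illustration, the heuristics (script interpreters, script extensions, temp or user-writable directories, malformed extension origins) are assumptions chosen for this example, and the registry locations are Chrome’s documented lookup keys on Windows.

```python
"""Audit Chrome native messaging host manifests for persistence-style abuse.

Added example (not the article's or any vendor's code). Runs stand-alone on the
constructed samples; on Windows it also reads the live registrations.
"""
import json
import re
from pathlib import PureWindowsPath

# Chrome's registry lookup keys on Windows; each subkey's default value is the
# path of that host's manifest file.
NMH_REGISTRY_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Google\Chrome\NativeMessagingHosts"),
    ("HKEY_LOCAL_MACHINE", r"Software\Google\Chrome\NativeMessagingHosts"),
]

# Heuristics for this example (assumptions, not indicators taken from the article).
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\")
HOST_NAME_RE = re.compile(r"[a-z0-9_]+(\.[a-z0-9_]+)*")   # Chrome's host naming rule
ORIGIN_RE = re.compile(r"chrome-extension://[a-p]{32}/")  # extension ids are 32 chars a-p


def assess_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest (empty = looks normal)."""
    findings = []
    name = str(manifest.get("name", ""))
    if not HOST_NAME_RE.fullmatch(name):
        findings.append(f"host name {name!r} violates Chrome's naming rules")
    if manifest.get("type") != "stdio":
        findings.append(f"unexpected host type {manifest.get('type')!r}")
    host_path = str(manifest.get("path", ""))
    if not host_path:
        findings.append("manifest has no 'path'")
        return findings
    exe = PureWindowsPath(host_path)
    if exe.name.lower() in SCRIPT_INTERPRETERS:
        findings.append(f"host is a script interpreter ({exe.name})")
    if exe.suffix.lower() in SCRIPT_EXTENSIONS:
        findings.append(f"host is a script file ({exe.suffix})")
    if any(hint in host_path.lower() for hint in USER_WRITABLE_HINTS):
        findings.append("host lives in a user-writable or temporary directory")
    for origin in manifest.get("allowed_origins", []):
        if not ORIGIN_RE.fullmatch(str(origin)):
            findings.append(f"malformed allowed_origins entry {origin!r}")
    return findings


def audit_manifests(manifests: dict) -> dict:
    """Map manifest path -> findings, keeping only manifests that have findings.

    `manifests` maps a manifest file path to its raw JSON text. Unparseable or
    unreadable manifests are reported too, since those deserve a look as well.
    """
    report = {}
    for path, raw in manifests.items():
        try:
            findings = assess_manifest(json.loads(raw))
        except json.JSONDecodeError as exc:
            findings = [f"manifest is not valid JSON: {exc.msg}"]
        if findings:
            report[path] = findings
    return report


def enumerate_registered_hosts() -> dict:
    """On Windows, return {manifest_path: manifest_text} for every registered host.

    Returns {} on other platforms (winreg is unavailable) and skips missing keys.
    """
    try:
        import winreg
    except ImportError:
        return {}
    manifests = {}
    for hive_name, subkey in NMH_REGISTRY_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    manifest_path = winreg.QueryValue(key, winreg.EnumKey(key, i))
                    try:
                        with open(manifest_path, encoding="utf-8") as fh:
                            manifests[manifest_path] = fh.read()
                    except OSError:
                        manifests[manifest_path] = ""  # reported as invalid JSON
        except OSError:
            continue
    return manifests


# Constructed samples: a plausible vendor host and a dropped script in Temp.
SAMPLE_MANIFESTS = {
    r"C:\Program Files\ExampleVendor\com.examplevendor.host.json": json.dumps({
        "name": "com.examplevendor.host",
        "description": "constructed benign sample",
        "path": r"C:\Program Files\ExampleVendor\host.exe",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
    }),
    r"C:\Users\alice\AppData\Local\Temp\helper.json": json.dumps({
        "name": "com.helper",
        "description": "constructed suspicious sample",
        "path": r"C:\Users\alice\AppData\Local\Temp\chrome_helper.bat",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://helperextension/"],
    }),
}

if __name__ == "__main__":
    report = audit_manifests(enumerate_registered_hosts() or SAMPLE_MANIFESTS)
    for path, findings in report.items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

Run it on a Windows host to audit the live registrations under both hives; elsewhere it audits the constructed samples, reporting the Temp-resident .bat host with its malformed origin and leaving the Program Files host unflagged. A clean manifest path is not proof of a clean host, so treat a finding as a prompt to hash and inspect the referenced executable, and pair the audit with a review of installed extensions.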

Frequently Asked Questions (FAQ)

My computer is infected with WhiskerSpy malware, should I format my storage device to get rid of it?
Reformatting your storage device should only be considered as a last resort for removing WhiskerSpy malware. Prior to taking such drastic action, it is advisable to perform a comprehensive scan using trustworthy antivirus or
What are the biggest issues that malware can cause?
Malware poses a significant risk to the security and privacy of sensitive information, potentially leading to identity theft, financial loss, and unauthorized access to personal accounts. Furthermore, it can disrupt the normal operation of a system, causing performance issues, system crashes, and data corruption.
What is the purpose of WhiskerSpy?
The purpose of WhiskerSpy is to enable remote access and control of compromised devices. It allows threat actors to perform various malicious activities, such as unauthorized access, data theft, system manipulation, and disabling security measures, potentially causing significant harm to individuals and organizations.
Will Gridinsoft Anti-Malware protect me from malware?
Nevertheless, it is crucial to recognize that sophisticated malware can remain hidden deep within the system. Consequently, conducting a complete system scan is imperative to detect and eradicate malware.

About the author

Brendan Smith

Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.
