CrashReporter is a backdoor believed to have been created by the Lazarus Group advanced persistent threat or based heavily on their other tools.
It is delivered through the JMT Trader cryptocurrency trading client, which is itself available to download through a number of GitHub repositories.
This application appears to be identical to the legitimate QT Bitcoin Trader platform, suggesting CrashReporter’s operators have cloned it’s repository for their own uses. During installation, JMT Trader’s installer will extract CrashReporter and save it to the %AppData% folder, before creating the schedule task JMTCrashReporter to execute it whenever a user logs into the affected system.
Once installed, CrashReporter will connect to a command and control server to download any intended payloads, which are then installed on the affected system.
According to reverse engineer and researcher Vitali Kremez, when the CrashReporter.exe executable is launched, it wil connect back to a Command & Control server at beastgoc[.]com to receive commands.
You can read more about this here.
Indicators of Compromise
MD5 File Hashes
SHA1 File Hashes
SHA256 File Hashes
Command and Control Server
UK based technology professional, with an interest in computer security and telecoms.