MoonWind is a trojan first identified after its use in a campaign against Thai organizations from September to November of 2016, compromising two legitimate Thai websites to host the malware. MoonWind was created using BlackMoon, a Chinese compiler. When it first runs, it copies itself using the filename "svcohos.exe" to one of the following locations: 

  • C:\Documents and Settings\All Users\Ufyaginptxb\
  • C:\Users\All Users\
  • C:\PorgramData\
  • C:\Program Files\Common Files\

It then executes a new instance of itself in a process and removes the old file. During the install routine, MoonWind sets up a timer that will execute a "sevrsvos.exe" file that installs itself as a runtime persistence mechanism and verifies if the "svcohos.exe" process is running. After installation, the trojan writes keystrokes and window information to a filename in the present working directory. It then proceeds to collect the victim's hostname, username, Windows version, IP address, current time, RAM amount, number of total drives, number of removable drives, and unique victim identifier. Once the information is aggregated, MoonWind enters its command and control loop and reaches out to servers and ports specified in its configuration. It can respond to 73 unique commands including executing arbitrary code, killing processes, gathering basic system information, keylogging, and installing additional malware.

Technical Details

Palo Alto Networks provides technical details on the MoonWind trojan, available here.