Did it ever really go away? Nope. Some threats persist, continually evolving to bypass defenses and exploit new vulnerabilities. One such persistent menace is the Expiro malware—a sophisticated file infector that has been around for over a decade and continues to wreak havoc on Windows systems worldwide.

A Surge of Infections in Zimbabwe

This morning, we’ve observed a massive spike in Expiro infections originating from Zimbabwe. Since Friday, October 25th, there has been a 20% increase in detected requests, indicating a significant uptick in malicious activity. 

Understanding Expiro: The Stealthy File Infector

Expiro is not just any malware. It’s a file infector that embeds itself into executable files on both 32-bit and 64-bit Windows systems. By integrating its malicious code into legitimate files, Expiro makes detection and removal particularly challenging. Deleting infected files can lead to the loss of essential system components, complicating the cleanup process.

Damage Potential

•    Data Theft and Exfiltration: Expiro is adept at stealing sensitive information, including account credentials and financial data.
•    Espionage and Surveillance: It can monitor user activities, capturing keystrokes and screenshots.
•    Installation of Additional Malware: Expiro often serves as a gateway for other malicious software, compounding the threat.
•    System Manipulation and Control: It alters system settings, disables security features, and grants attackers remote access.
•    Further Propagation: Through network shares and removable drives, Expiro spreads rapidly within connected environments.

Expiro employs a variety of methods to infiltrate devices:

•    Malicious Websites: Both fake and compromised legitimate sites can host the malware.
•    Social Media Links: Shared images or links from compromised accounts may lead to infection.
•    Phishing Emails: Attachments or links in deceptive emails can execute the malware.
•    Unverified Downloads: Pirated software and unofficial updates often come bundled with Expiro.
•    USB Drives: Manual spreading via removable media remains a common tactic.

The Evolving Complexity of Expiro

What makes Expiro particularly dangerous is its continuous evolution. Recent variants have introduced significant changes to their infection routines:

•    Advanced Infection Techniques: Newer versions encrypt portions of the base relocation table within executable files, increasing detection difficulty.
•    Dynamic Code Manipulation: Expiro decrypts and repairs relocation tables on the fly, ensuring the original file runs correctly while keeping its malicious payload hidden.
•    Increased Analysis Complexity: Encryption and dynamic code manipulation require more sophisticated analysis and custom repair routines, hindering standard antivirus solutions.

Protecting Yourself Against Expiro

Given the persistent and evolving nature of Expiro, proactive protection is essential:

•    Stay Cautious Online: Be wary of unsolicited emails, social media messages, and unfamiliar websites.
•    Use Multi-Factor Authentication: Add an extra layer of security to your accounts.
•    Keep Software Updated: Ensure your antivirus and all software are up-to-date with the latest patches.
•    Implement a Firewall: Monitor incoming and outgoing network traffic for suspicious activity.
•    Download from Official Sources: Only obtain software and updates from trusted, official websites.

How ThreatSTOP Can Protect You

At ThreatSTOP, our Security, Intelligence, and Research team is dedicated to crafting proactive protections against threats like Expiro. Our solutions are designed to safeguard your environment by blocking malicious activities before they can cause harm.

Protective DNS

Utilize our Protective DNS service—available in the cloud or on-premises—to prevent connections to malicious domains associated with Expiro. By leveraging ThreatSTOP intelligence on your DNS servers, you can block malware communication at the network level.

•    Real-Time Threat Intelligence: Our continuously updated threat feeds ensure you’re protected against the latest malicious domains.
•    Customizable Policies: Tailor your DNS policies to fit your organization’s specific needs and risk tolerance.

IP Defense

Our IP Defense solution allows you to manage blocklists on any IP-based system, such as routers, firewalls, IPS, or AWS WAF. By preventing Expiro from communicating with command and control servers or propagating through your network, you can effectively neutralize the threat.

•    Automated Updates: Keep your network devices updated with the latest threat intelligence without manual intervention.
•    Wide Compatibility: Support for a broad range of network devices ensures seamless integration into your existing infrastructure.

Take Action Today

For those interested in joining the ThreatSTOP family or learning more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for businesses of all sizes! Get started with a demo today!

Indicators of Compromise

Associated Domains

Our ThreatSTOP Security, Intelligence, and Research team has identified a list of domains associated with this recent wave of infections. While Expiro uses a Domain Generation Algorithm (DGA), this is what we are seeing:


If you notice any communication with these domains within your network traffic, it’s a strong indicator of a potential Expiro infection.
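As an added example (not ThreatSTOP's code and not part of the original post), the script below turns a few of the defanged domains from the list above back into matchable hostnames and then scans constructed DNS query-log lines for queries to those domains or any of their subdomains, which is the check the sentence above asks for. The log format is a simplified BIND-style query log and the source addresses are made up.

```python
import re
from dataclasses import dataclass

# A few domains taken from the post's Expiro IoC list, defanged as written there.
EXPIRO_DOMAINS_DEFANGED = ["acwjcqqv[.]biz", "anpmnmxo[.]biz", "bghjpy[.]biz", "brsua[.]biz"]

def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]biz') into a lowercase hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

BLOCKLIST = {refang(d) for d in EXPIRO_DOMAINS_DEFANGED}

# Constructed sample lines (simplified BIND-style query log, not real traffic).
SAMPLE_LOG = """\
28-Oct-2024 09:12:01.123 client 10.0.5.23#51234: query: anpmnmxo.biz IN A + (10.0.0.2)
28-Oct-2024 09:12:02.456 client 10.0.5.23#51235: query: www.example.com IN A + (10.0.0.2)
28-Oct-2024 09:12:03.789 client 10.0.7.9#40001: query: cdn.acwjcqqv.biz IN A + (10.0.0.2)
28-Oct-2024 09:12:04.012 client 10.0.7.9#40002: query: notbrsua.biz IN A + (10.0.0.2)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

@dataclass(frozen=True)
class Hit:
    src: str      # client that issued the query
    qname: str    # name that was queried
    matched: str  # blocklist entry it matched

def matches_blocklist(qname: str, blocklist=BLOCKLIST):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.
    Walks the label suffixes so 'cdn.acwjcqqv.biz' matches but 'notbrsua.biz' does not."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def scan_dns_log(text: str, blocklist=BLOCKLIST):
    """Parse query-log lines and return a Hit for every query touching the blocklist."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_blocklist(m.group("qname"), blocklist)
        if matched:
            hits.append(Hit(m.group("src"), m.group("qname"), matched))
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.src} queried {h.qname} (blocklisted: {h.matched})")
```

Suffix matching rather than substring matching is deliberate: a plain `in` test would flag `notbrsua.biz` as a hit for `brsua.biz` and miss nothing, but it would bury real hits in false positives.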