Also known as: TR/Atraps, Win32:Atraps-PZ[Trojan], Trojan.ATRAPS, Win32:Atraps-PZ, win32 Atraps-PF, Win32:Atraps-PF[Trj], TSPY_INFOSTEAL.AF
Variants: ATRAPS.Gen, ATRAPS.Gen2, TR/ATRAPS.Gen.A, TR/ATRAPS.Gen.B, TROJ_ATRAPS.[various letters], Troj/Atraps-D, Troj/Atraps-K, Troj/Atraps-H, Troj.Atraps.Gen!c, Trojan.TR/ATRAPS.Gen4
Damage potential: Stolen credentials, inclusion in the ZeroAccess botnet, device takeover, stolen crypto wallet funds, data theft, opening backdoors for other malware (like ransomware), showing malicious ads
Atraps is a dangerous family of trojans that target Windows devices. The primary function of Atraps trojans is to steal confidential information, periodically uploading the collected data to the attacker’s remote servers in secret. In many cases, they also serve a secondary function — to add the device to the ZeroAccess botnet.
Atraps often employs measures to hide its presence — for example, by marking the files it installs with the “hidden” property or storing them in the “temp” folder. Your antivirus software may alert you to an Atraps infection with a notification stating that “access to file containing the virus or unwanted program ‘TR/ATRAPS.Gen2’ was blocked.”
Other possible indicators of an Atraps infection include:
- Your device frequently freezes or stutters.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Your device periodically sends data to unknown remote servers (Atraps is uploading victim information to its handlers or your device is engaged in the ZeroAccess botnet).
Sources of the infection
Atraps may infect your device from a number of sources, but the most commonly reported method of infection involves opening malicious DLL files attached to spam emails. These malicious DLL files carrying Atraps may also be bundled with freeware hosted on untrustworthy download sites, especially software used in piracy, like keygens. Once installed, Atraps may modify your registry so that its code runs again after every reboot, which defeats manual removal.
Your device may also get infected with Atraps from:
- Infected files shared through messaging platforms.
- Infected files downloaded from cloud storage or online repositories.
- Installing corrupted and malicious video codecs.
- Other viruses that drop Atraps as part of their operations.
- Zero-day exploits targeting your device or network.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
As with all trojans, protection against Atraps starts with good cybersecurity habits. Learn to recognize phishing attempts, ignore spam emails, and avoid opening suspicious attachments. Do not download freeware from websites that you do not trust, and do your research beforehand (such as reading user reviews) to learn which sites can be trusted.
Other protective measures include:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Keep software up to date to prevent Atraps from exploiting any discovered vulnerabilities.
- Use reliable antivirus software to detect, quarantine, and eliminate an Atraps infection.
- Use multi-factor authentication to protect your accounts in the event that someone steals your password using Atraps.
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. In certain situations, these websites may attempt to download malware (including Atraps) to your device by exploiting vulnerabilities.
Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by download attacks.
Most reputable antivirus solutions can help you detect and remove an Atraps infection from your device. You should not try to remove Atraps manually — the trojan may have modified your registry to run the malicious code again after you reboot your device.
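The persistence and concealment traits described above (Run-key entries, files marked hidden, files stored in a temp folder, DLLs launched through rundll32) can be triaged with a read-only PowerShell script such as this one. It is an added example, not part of the original page; the registry paths are the standard Run/RunOnce locations, and the flag names are this example's own.

```powershell
# Added example: list autorun entries and flag the traits an Atraps-style
# infection tends to show. Read-only; it changes nothing on the device.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Temp locations that a dropped payload commonly hides in.
$tempDirs = @($env:TEMP, $env:TMP, "$env:windir\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Get-CommandTarget([string]$cmd) {
    # Pull the executable path out of a command line (quoted or bare).
    if ($cmd -match '^\s*"([^"]+)"\s*(.*)$') { $exe = $Matches[1]; $rest = $Matches[2] }
    else { $parts = $cmd.Trim() -split '\s+', 2; $exe = $parts[0]; $rest = if ($parts.Count -gt 1) { $parts[1] } else { '' } }
    # rundll32.exe <dll>,<entry>: the DLL is the real payload, so inspect it instead.
    if ((Split-Path -Leaf $exe) -ieq 'rundll32.exe' -and $rest) {
        $dll = ($rest -split ',')[0].Trim().Trim('"')
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip provider metadata properties
        $target = Get-CommandTarget ([string]$p.Value)
        $flags = @()
        if (-not (Test-Path -LiteralPath $target)) {
            $flags += 'missing-file'              # dangling entry: worth a look too
        } else {
            $item = Get-Item -LiteralPath $target -Force   # -Force shows hidden files
            if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'hidden' }
            if ($tempDirs | Where-Object { $target.ToLower().StartsWith($_) }) { $flags += 'temp-folder' }
            $sig = Get-AuthenticodeSignature -LiteralPath $target
            if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        }
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Target = $target; Flags = ($flags -join ',') }
    }
}
```

Entries flagged hidden or temp-folder, especially unsigned ones, are the candidates to submit to your antivirus vendor rather than delete by hand.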