Bredolab Trojan spam campaign (July 16, 2010)

The SonicWALL UTM Research team observed a wave of resume-themed spam starting earlier this week, carrying a newer variant of the Bredolab Trojan. The spam e-mails arrive with a zip-archived attachment that contains the Bredolab Trojan executable. The e-mail pretends to come from a prospective job applicant and looks like this:

Attachment: resume_41170.zip (contains Myresume.exe)

Subject: Please look my CV, Thank you

Email Body:
————————
Hello!

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.
————————

A sample email message looks like:

[screenshot: sample e-mail message]

The executable file inside the attachment has an icon disguised as that of a Microsoft Word document:

[screenshot: attachment icon]

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • It creates the following file
    • C:\WINDOWS\System32\svrwsc.exe – Detected as GAV: Bredolab.ZX (Trojan)
  • It injects itself into the following processes
    • C:\WINDOWS\system32\csrss.exe
    • C:\WINDOWS\System32\svchost.exe
  • It attempts to access the following files and fails, possibly looking for a prior infection
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~1.dat
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~2.dat
  • It connects to a predetermined malicious domain, musiceng.ru, and sends process information

    [screenshot: connection to musiceng.ru]

  • It creates the following registry values so that svrwsc.exe starts as a service named “Windows Security Center Service” on every system restart:
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Type: 0x00000010
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Start: 0x00000002
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ErrorControl: 0x00000000
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ImagePath: “C:\WINDOWS\System32\svrwsc.exe”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\DisplayName: “Windows Security Center Service”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ObjectName: “LocalSystem”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Description: “The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service.”
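As an added example (not part of SonicWALL's advisory), the following Python check turns the indicators above into something a responder can run offline: it parses a `reg export` of the Services hive and reports which of the SvrWsc persistence values match, and applies the mail-side pattern from the top of the post (a resume_<digits>.zip attachment carrying an executable). The sample `.reg` text, the function names and the observation that the genuine Security Center service key is `wscsvc` are mine, not the advisory's.

```python
import re
# Indicators from the advisory: a service key named SvrWsc that autostarts
# svrwsc.exe from System32 under the Security Center display name (the
# genuine Security Center service key is wscsvc, so SvrWsc itself is a tell).
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc".lower()
ATTACHMENT_RE = re.compile(r"^resume_\d+\.zip$", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif")

def parse_reg_export(text):
    """Parse a .reg export into {key: {name: value}}; handles quoted strings
    and dword values only (hex(...) blobs such as REG_EXPAND_SZ are skipped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                keys[current][name.strip('"')] = int(raw[6:], 16)
            elif raw.startswith('"'):
                keys[current][name.strip('"')] = raw.strip('"').replace("\\\\", "\\")
    return keys

def match_bredolab_service(keys):
    """Return which advisory indicators the SvrWsc service key matches."""
    vals = keys.get(SERVICE_KEY, {})
    hits = []
    if vals.get("Type") == 0x10 and vals.get("Start") == 0x2:
        hits.append("autostart own-process service")
    if vals.get("ImagePath", "").lower().endswith(r"\system32\svrwsc.exe"):
        hits.append("ImagePath is svrwsc.exe")
    if vals.get("DisplayName") == "Windows Security Center Service":
        hits.append("spoofed Security Center display name")
    return hits

def is_resume_lure(attachment_name, archive_members):
    """Mail-side check: resume_<digits>.zip whose archive carries an executable."""
    return bool(ATTACHMENT_RE.match(attachment_name)) and any(
        member.lower().endswith(EXEC_EXT) for member in archive_members)

# Constructed sample export mirroring the values listed in the advisory.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\System32\\svrwsc.exe"
"DisplayName"="Windows Security Center Service"
'''
```

On a real export, ImagePath is usually a REG_EXPAND_SZ written as `hex(2):...`, which this parser skips; the Type, Start and DisplayName indicators on the SvrWsc key still fire, and real exports are UTF-16 files that need decoding before being passed in.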

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with the GAV: Bredolab.ZX (Trojan) signature.

[screenshot: GAV signature detection]
