Oficla Trojan spam campaigns (July 9, 2010)
The SonicWALL UTM Research team has observed multiple spam campaigns over the last 3 days involving the Oficla Trojan. SonicWALL has received more than 10,000 e-mail copies from these campaigns so far. Each e-mail message carries a ZIP-archived attachment that contains a new variant of the Oficla Trojan executable.
The e-mail formats used in these spam campaigns are shown below:
Campaign #1 – Changelog document spam
Attachment: Changelog_05_07_2010.zip (contains Changelog_05_07_2010.DOC.exe)
Subject: Your log 06.07.2010
Email Body:
————————
Good afternoon,
as promised your changelog is attached,
Sandy
————————
[Screenshot of the Campaign #1 e-mail message]
Campaign #2 – Fees document spam
Attachment: Fees_2010.zip (contains Fees_2010.DOC.exe)
Subject: Your fees 2010
Email Body:
————————
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.
Gina Martinez
————————
[Screenshot of the Campaign #2 e-mail message]
The executable inside each attachment uses an icon disguised as a Microsoft Word document file, so that the ".DOC.exe" payload passes for a document at a glance:
[Screenshot of the disguised executable icon]
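The attachment trick above relies on two things: Explorer hides the trailing ".exe" when "Hide extensions for known file types" is on, so the file shows as "Changelog_05_07_2010.DOC", and the executable carries a Word icon in its resources. The following is an added example of a gateway-side check for this pattern; it is not SonicWALL's code. It opens a ZIP attachment, flags members whose name has an executable suffix behind a document extension, and also looks at the first two bytes so that a PE image renamed to a document extension is caught as well. The extension lists and the in-memory sample archive (a fake "Changelog_05_07_2010.DOC.exe", a benign OLE2 ".doc", and a PE renamed "invoice.pdf") are constructed for illustration.

```python
"""Gateway-side check for the attachment trick described above: a ZIP archive
whose member is a Windows executable named like a Word document
(Changelog_05_07_2010.DOC.exe).  This is an added example, not SonicWALL's
code; the archive it inspects is constructed in memory below."""
import io
import zipfile

# Extensions Windows will execute directly, and document extensions commonly
# used as the decoy part of a double extension (assumed lists, not exhaustive).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf"}


def inspect_zip_attachment(zip_bytes):
    """Return [(member_name, reason), ...] for members that look like
    disguised executables.  Both the file name and the first bytes are
    checked, so renaming the payload to .doc does not evade the check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            exts = ["." + p for p in base.lower().split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(2)          # PE images start with "MZ"
            if exts and exts[-1] in EXEC_EXTS:
                if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                    findings.append((info.filename, "double extension: document name with executable suffix"))
                else:
                    findings.append((info.filename, "executable inside archive"))
            elif head == b"MZ":
                findings.append((info.filename, "PE header (MZ) under a non-executable name"))
    return findings


def build_sample_zip():
    """Constructed sample: one Oficla-style double-extension PE, one benign
    OLE2 (.doc) file, and a PE renamed to .pdf to show the content check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Changelog_05_07_2010.DOC.exe", b"MZ" + b"\x90" * 62 + b"PE\0\0")
        zf.writestr("notes.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 56)
        zf.writestr("invoice.pdf", b"MZ" + b"\0" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

On the sample archive the check reports the double-extension payload and the renamed PE, and passes the genuine OLE2 document. A production filter would also recurse into nested archives and treat password-protected ZIPs (which cannot be inspected) as suspicious rather than clean.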
If the user opens the malicious attachment, it performs the following activities on the victim machine:
- Connects to a predetermined C&C server and sends system information. The server responds with a command to download and run a malware executable; the response also carries backup URLs for the C&C server.
- Drops the following malicious executable files, some of which are downloaded from URLs received from the C&C server:
  - (Temp)\10.tmp – Detected as GAV: Bredolab.PCK (Trojan)
  - (Temp)\14.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
  - (Temp)\15.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
  - (Temp)\F.tmp – Detected as GAV: Oficla_8 (Trojan)
  - (System)\thxr.wgo – Detected as GAV: Oficla_8 (Trojan)
- Injects F.tmp into the svchost.exe process.
- Deletes the original copy of the file the user opened.
- Modifies the following registry entry so that thxr.wgo is loaded through rundll32.exe on every system restart:
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe thxr.wgo nwfdtx"
- Creates the following registry entries to store the backup C&C server URLs in hexadecimal format:
  - HKLM\SOFTWARE\Classes\idid\url1: (URL in hexadecimal format)
  - HKLM\SOFTWARE\Classes\idid\url2: (URL in hexadecimal format)
  - HKLM\SOFTWARE\Classes\idid\url3: (URL in hexadecimal format)
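The two registry artifacts above are the most useful host-side triage points: a Winlogon Shell value that launches anything besides explorer.exe is a persistence indicator on its own, and the url1..url3 values under the idid key give the backup C&C URLs once decoded from hex. The following is an added example, not SonicWALL's code, of a triage helper that parses a `reg export` of those two keys. It assumes the .reg text format, assumes the URL values are stored as REG_SZ strings of hex digits (the write-up says only "hexadecimal format"), and uses placeholder example.com / example.org URLs in the constructed sample; it flags the extra programs in the Shell value and decodes the URLs.

```python
"""Triage helper for the Oficla persistence and C&C artifacts described above.

Added example, not SonicWALL's code.  It parses a constructed .reg export of
the Winlogon key and the HKLM\\SOFTWARE\\Classes\\idid key, flags a Shell
value that launches anything besides explorer.exe, and decodes the
hex-encoded backup C&C URLs.  The hex-as-REG_SZ encoding and the sample URLs
(example.com / example.org) are assumptions for illustration."""
import re

# Constructed sample: what `reg export` of the two keys might look like on an
# infected host.  The URLs are placeholders, not real Oficla infrastructure.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo nwfdtx"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid]
"url1"="687474703a2f2f6578616d706c652e636f6d2f78"
"url2"="687474703a2f2f6578616d706c652e6f72672f79"
"url3"=""
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IDID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse the REG_SZ values of a .reg export into {key: {name: data}}.
    Only string values are handled; that is all this check needs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def check_winlogon_shell(reg):
    """Return the extra programs Winlogon will launch besides explorer.exe.
    A clean system has Shell == "explorer.exe" (case-insensitive); Oficla
    appends rundll32.exe with its dropped DLL so it is re-injected at logon."""
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    tokens = shell.split()
    if tokens and tokens[0].lower() == "explorer.exe":
        tokens = tokens[1:]
    return tokens


def decode_hex_urls(reg):
    """Decode the hex-encoded url1..urlN values under the idid key.
    Empty values are skipped; undecodable ones are returned as None."""
    out = {}
    for name, data in sorted(reg.get(IDID_KEY, {}).items()):
        if not name.startswith("url") or not data:
            continue
        try:
            out[name] = bytes.fromhex(data).decode("ascii")
        except ValueError:
            out[name] = None
    return out


def triage(text=SAMPLE_REG):
    """Run both checks over a .reg export and return the findings."""
    reg = parse_reg_export(text)
    return {"shell_extras": check_winlogon_shell(reg), "c2_urls": decode_hex_urls(reg)}


if __name__ == "__main__":
    print(triage())
```

The Shell check deliberately reports everything after the leading explorer.exe rather than matching the exact Oficla string, because the DLL name (thxr.wgo) and export name vary between variants while the technique of appending "rundll32.exe <dll> <export>" to the Shell value does not. Export the keys from the suspect host with `reg export` and pass the file's contents to `triage()`.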
SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with the GAV: Oficla.GW_2 (Trojan) signature; the dropped components are covered by the Bredolab.PCK, Bredolab.PCK_2 and Oficla_8 signatures listed above.