Security News

Oficla Trojan Spam Campaign (October 1, 2010)

By

SonicWALL UTM Research team observed a Facebook spam campaign involving a newer variant of Oficla Trojan in the last 3 days. The spam emails arrive with a zip archived attachment which contains the Oficla Trojan executable. The e-mail is drafted to appear as a Facebook password reset notification.

Campaign #1

Attachment: FacebookPassword.zip
Subject: Facebook password has been changed! ID444

Email Body:
————————
How to Avoid Moving Scams
Mass. woman pleads guilty in glass-eating scheme
————————

Campaign #2

Attachmentc: FaceBook_Password_Nr2829.zip
Subject: Your New Facebook password

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Campaign #3

Attachmentc: FaceBook_Password_Nr27477.zip
Subject: Facebook Password Reset Confirmation!

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Sample email messages looks like:

screenshot

screenshot

screenshot

The executable files inside the attachment looks like this:

screenshot

If the user opens the malicious attachment then it performs following activities on the victim’s machine:

  • Network Activity:
    • It connects to C&C server and receives commands

      • screenshot

    • It donwloads file from URL specified in command
    • It send process information to remote C&C server

      • screenshot

  • File Activity:

    It creates the following files

    • %temp%4.tmp – Detected as GAV: Oficla.AFZ (Trojan)
    • %temp%5.tmp – Detected as GAV: Scar.CUQT (Trojan)
    • %windirsystem32bfky.ojo – Detected as GAV: Oficla.AFZ (Trojan)
    • %windirsystem32svrwsc.exe – Detected as GAV: Scar.CUQT (Trojan)
  • Process Activity:
    • It injects itself into running svchost.exe process
  • Registry Activity:
    • It creates HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSvrWsc: %windirsystem32svrwsc.exe ensuring infection on system restart
    • It modifies HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon with new value “Explorer.exe rundll32.exe bfky.ojo bwapp” ensuring malicious dll is loaded on system restart

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with GAV: Oficla.AHB (Trojan) signature. [517,120 hits recorded in last 3 days]

screenshot

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Protected Ransomware actively spreading in the wild.
Shade Ransomware (Oct 7th, 2016)
Cisco Smart Software Manager On-Prem Account Takeover
Bandok Keylogger Trojan (Oct 21, 2010)
LATEST REMCOS (Remote Control & Surveillance Software) V2.5.0 IS BEING USED BY MALWARE AUTHORS
Stiniter Android Trojan uses new techniques (Mar 28, 2012)
Resurrection ransomware plays audio from a horror movie
Remote Desktop Software (Aug 15, 2008)