Security News

Hanove Backdoor Trojan (Oct 27, 2011)

By

SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. This backdoor Trojan called Hanove opens a backdoor on the infected system allowing the attacker to send further commands to the compromised system. The Trojan was also observed to be capturing and uploading screenshots of the user’s desktop to a remote server at regular intervals.

It performs the following activities:

  • It ensures persistence of infection across reboots by creating the following startup script
      All UsersStart MenuProgramsStartupsyncdata.vbs
      screenshot

  • It captures screenshots of the user’s desktop at five second intervals and stores it to the following location
      Documents and Settings{user}Desktopshot.bmp
      screenshot

  • It renames the captured screenshot using the current timestamp with the following file format
      mm-dd-yy_HH-MM-SS.jpg

  • It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to get the decrypted string.
      screenshot

  • It uploads captured screenshot to a remote URL using the custom user agent string “MBVDFRESCT”
      screenshot

  • It receives the following response if the upload is successful
      screenshot

  • The remote server it connects to is hosted in Pennsylvania, United States and is active at the time of writing this alert

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Hanove.A (Trojan)
  • GAV: Hanove.A_2 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Beware of fraud apps leveraging Google Play Store for distribution
AndroidBot malware with obfuscation and multiple capabilities spreading in the wild
Microsoft Windows PrintNightmare zero-day vulnerability (CVE-2021-34527)
Drive by download leads to RAT Trojan (Nov 08,2012)
Microsoft Security Bulletin Coverage for December 2020
Oficla spam on the rise (April 8, 2011)
SonicWall RTDMI engine identifies malicious VBA macro laced MS Office Document in real-time (May 22, 2018)
SAP NetWeaver Vulnerabilities (Mar 1, 2013)