Hotel Reservation spam campaign leads to Trustezeb Trojan (Feb 17, 2012)
The SonicWALL UTM Research team observed an increase in spam emails using a hotel reservation theme. The emails, which pretend to come from booking.com, inform the recipient that their hotel reservation has been confirmed and that the reservation details are attached. The zipped attachment is a variant of the Trustezeb Trojan. This Trojan specifically targets Trusteer's security products: it registers itself so that it runs whenever certain Trusteer processes are executed.
The spam campaign is shown below:
It performs the following activities when executed:
- It injects code into svchost.exe
- It creates the following files:
- %windir%\system32\A37C0BC49C3B4DC6F27C.exe (copy of itself) [Detected as GAV: Trustezeb.A_2 (Trojan)]
- Program Files\Trusteer\Rapport\bin\RapportService.exe [Detected as GAV: FakeTruste.A (Trojan)]
- %windir%\RPService.exe [Detected as GAV: FakeTrusteer.A (Trojan)]
- It modifies the following registry entry so that it is started again after a reboot:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,%windir%\System32\A37C0BC49C3B4DC6F27C.exe,"
- It creates the following registry entries to register itself as the debugger for Trusteer processes. Because Windows launches the named debugger in place of the target executable, this ensures the Trojan is executed whenever these Trusteer products start:
- HKLM\SOFTWARE\Classes\MyEze.1\shell\open\command: "%SystemRoot%\system32\RPService.exe %0 %1 %2"
- HKLM\SOFTWARE\Classes\MyEze.1\shell\edit\command: "%SystemRoot%\system32\RPService.exe %0 %1 %2"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe, Debugger: "RPService.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe, Debugger: "RPService.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe, Debugger: "RPXService.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe, Debugger: "RPXService.exe"
- The following bot commands were found during analysis:
- IMAGES
- GEO
- LOCK
- UNLOCK
- URLS
- EXECUTE
- KILL
- UPGRADE
- WAIT
- It contacts a remote command and control server for further instructions:
- {removed}/asdfasdgfs/Fiur5sDzx2col.php
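As an added example (not from the SonicWALL advisory), the Python script below checks a Windows registry export (the .reg text produced by `reg export`) for the two persistence mechanisms listed above: extra programs appended to the Winlogon Userinit value, and Image File Execution Options subkeys that carry a Debugger value, which makes Windows start the named program instead of the target executable. The embedded sample export is constructed for the demo and mirrors the advisory's indicators; the function names and the choice to read only quoted string values are assumptions of this example.

```python
import re

# Constructed sample of a .reg export. Real exports write REG_EXPAND_SZ values
# as hex(2) byte strings; this sample uses quoted REG_SZ strings for readability.
# The Userinit and Debugger values mirror the advisory's indicators; the
# notepad.exe IFEO key with only a GlobalFlag is a benign control entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%windir%\\system32\\userinit.exe,%windir%\\System32\\A37C0BC49C3B4DC6F27C.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
"""

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # quoted string values only


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for quoted string values.

    Binary and dword values are skipped; they are irrelevant to these checks.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and double quotes; undo that.
            raw = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group(1)] = raw
    return keys


def find_ifeo_debuggers(keys):
    """List (target_exe, debugger) for every IFEO subkey with a Debugger value.

    Any such entry redirects execution of target_exe to the debugger program,
    which is exactly how the Trojan hooks the Trusteer processes.
    """
    hits = []
    prefix = IFEO_KEY.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "Debugger" in values:
            hits.append((path[len(IFEO_KEY) + 1:], values["Debugger"]))
    return hits


def find_userinit_extras(keys):
    """Return Userinit entries other than the expected userinit.exe.

    Every comma-separated entry in this value is launched at each interactive
    logon, so anything beyond userinit.exe deserves a closer look.
    """
    value = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def scan(text):
    """Run both checks over a .reg export and return the findings."""
    keys = parse_reg_export(text)
    return {
        "ifeo_debuggers": find_ifeo_debuggers(keys),
        "userinit_extras": find_userinit_extras(keys),
    }


if __name__ == "__main__":
    for check, findings in scan(SAMPLE_REG_EXPORT).items():
        for finding in findings:
            print(f"{check}: {finding}")
```

On a live host the export can be produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" dump.reg`; the script then reads that file instead of the embedded sample. Legitimate software rarely sets an IFEO Debugger outside of developer machines, so every hit is worth reviewing, and the Userinit check should flag nothing on a clean system.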
SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
- GAV: Trustezeb.A (Trojan)
- GAV: Trustezeb.A_2 (Trojan)
- GAV: FakeTruste.A (Trojan)