Hotel Reservation spam campaign leads to Trustezeb Trojan (Feb 17, 2012)

The SonicWALL UTM Research team observed an increase in spam emails using a hotel reservation theme. The emails, pretending to be from booking.com, inform the recipient that their hotel reservation has been confirmed and that the reservation details are attached. The zipped attachment is a variant of the Trustezeb Trojan. This Trojan is specifically crafted to target Trusteer's security products by attaching itself to the execution of several Trusteer processes.

The spam campaign is shown below:

[Screenshot of the spam email omitted]

It performs the following activities when executed:

  • It injects code into svchost.exe
  • It creates the following files:
    • %windir%\system32\A37C0BC49C3B4DC6F27C.exe (copy of itself) [Detected as GAV: Trustezeb.A_2 (Trojan)]
    • Program Files\Trusteer\Rapport\bin\RapportService.exe [Detected as GAV: FakeTruste.A (Trojan)]
    • %windir%\RPService.exe [Detected as GAV: FakeTrusteer.A (Trojan)]
  • It modifies the following registry entry so that it is launched again on every reboot:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%windir%\system32\userinit.exe,%windir%\System32\A37C0BC49C3B4DC6F27C.exe,"
  • It creates the following registry entries to register itself as the debugger for Trusteer processes. Because Windows launches the registered debugger in place of the named image, this ensures the Trojan runs whenever these Trusteer products are started:
    • HKLM\SOFTWARE\Classes\MyEze.1\shell\open\command: "%SystemRoot%\system32\RPService.exe %0 %1 %2"
    • HKLM\SOFTWARE\Classes\MyEze.1\shell\edit\command: "%SystemRoot%\system32\RPService.exe %0 %1 %2"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe Debugger: "RPService.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe Debugger: "RPService.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe Debugger: "RPXService.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe Debugger: "RPXService.exe"
  • The following bot commands were found during analysis:
    • IMAGES
    • GEO
    • LOCK
    • UNLOCK
    • URLS
    • EXECUTE
    • KILL
    • UPGRADE
    • WAIT
  • It contacts a remote command and control server for further instructions:
    • {removed}/asdfasdgfs/Fiur5sDzx2col.php
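As an added example (not code from the advisory or from SonicWALL), the script below parses a registry export in .reg format and flags the two persistence mechanisms described above: Debugger values under Image File Execution Options, and entries in the Winlogon Userinit value other than userinit.exe itself. The embedded export is constructed to mirror the entries listed above; the benign example.exe subkey is hypothetical and is there to show that IFEO subkeys without a Debugger value are not flagged.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export (not a capture); backslashes are doubled as .reg files do.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%windir%\\system32\\userinit.exe,%windir%\\System32\\A37C0BC49C3B4DC6F27C.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe]
"Debugger"="RPService.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"DisableExceptionChainValidation"=dword:00000001
'''

_STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; only string values are kept."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None:
            m = _STRING_VALUE_RE.match(line)
            if m:
                name, value = m.groups()
                reg[current][name] = re.sub(r"\\(.)", r"\1", value)  # undo .reg escaping
    return reg


def find_ifeo_debuggers(reg):
    """Return (image name, debugger) for every IFEO subkey that carries a Debugger value."""
    prefix = IFEO_KEY.lower() + "\\"
    return [(key[len(prefix):], vals["Debugger"]) for key, vals in reg.items()
            if key.lower().startswith(prefix) and "Debugger" in vals]


def userinit_extras(reg):
    """Return Userinit entries other than userinit.exe; a clean system yields an empty list."""
    userinit = reg.get(WINLOGON_KEY, {}).get("Userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("userinit.exe")]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("IFEO debuggers:", find_ifeo_debuggers(parsed))
    print("Extra Userinit entries:", userinit_extras(parsed))
```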

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Trustezeb.A (Trojan)
  • GAV: Trustezeb.A_2 (Trojan)
  • GAV: FakeTruste.A (Trojan)