Drive by download leads to RAT Trojan (Nov 08,2012)


Dell SonicWALL Threats Research team discovered a RAT Trojan spreading through drive-by downloads from malicious links. The links were found hosting a malicious java applet under the guise of an online game. Once the applet is executed, it proceeds to download a Dark Comet RAT Trojan hosted on dropbox and executes it. Dark Comet is a remote administration tool but is often used for malicious purposes because of its Trojan like capabilities. In this instance, the RAT was used to capture the user’s keystrokes along with relevant window information and upload it to a remote server.

Infection Cycle

  • The drive by download kicks in once the malicious page is visited. The security warning is shown as result of the Java applet being signed by a self-signed DSA certificate.

  • If an unwary user decides to allow the applet to run, it silently downloads and executes the RAT in background

  • The RAT is hosted on dropbox and the link to it is passed as a parameter to the Java applet as show below

Once executed the RAT Trojan performs the following activities:

  • It creates copies of itself in:
    • %APPDATA%rundll32.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
    • %USERPROFILE%My DocumentsMSDCSCmsdcsc.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
  • It uses the following misleading icon:

  • It creates a startup entry to ensure infection on reboot:
    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun:MicroUpdate:”%USERPROFILE%My DocumentsMSDCSCmsdcsc.exe”
  • The RAT uses an encrypted configuration file. During our analysis we were able to obtain the decrypted version of the configuration file seen below. Some of key features used are explained:

  • It captures users keystrokes and stores it in:
    • %APPDATA%dclogs{YYYY-MM-DD-H}.dc
  • The keystrokes are captures along with the relevant window titles as shown below:

  • It uploads captured data to a remote server over Port 1336 or 1444

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Fynloski.AA_5 (Trojan)
  • GAV:JavaDL.CX (Exploit)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.