Tepfer Infostealer Trojan being actively spammed (Nov 16, 2012)

Dell SonicWALL Threats Research team captured multiple spam campaigns serving a newer variant of the Tepfer Infostealer Trojan. The malware arrives as an e-mail attachment using the themes shown below:

screenshot

The malware executable inside the zip attachment uses an Adobe PDF file icon and also carries official Microsoft Windows application metadata (version information) to disguise itself, as seen below:

screenshot screenshot

Infection Cycle

The malware executable performs the following activities if the user is tricked into opening the file:

  • It looks for configuration files (.ini, .dat, .xml, etc.) of multiple applications in order to steal FTP and e-mail server information and the stored user credentials:

    screenshot

  • It contains a list of common passwords, stored compressed inside the binary with the aPLib v1.01 compression library (presumably for brute-forcing accounts whose credentials are not found in a configuration file). The decompressed list is shown below:

    screenshot

  • It attempts to connect to a list of predetermined servers and sends the stolen information in an HTTP POST request to /forum/viewtopic.php on the following hosts:
    • 3.soundfactor.org
    • 3.ussana.net
  • It further downloads and executes a new variant of the P2P Zeus binary from the multiple remote servers listed below. It appears to be exploiting the Pay-Per-Install scheme by downloading and installing multiple instances of the same Zeus payload from different servers on the victim machine:
    • mjorart.com/{REMOVED}.exe
    • bestinsighttours.com/{REMOVED}.exe
    • rdquark.com/{REMOVED}.exe
    • quranaqiq.com/{REMOVED}.exe
    • westquimica.com/{REMOVED}.exe
    • superelectronico.com/{REMOVED}.exe
    • jagatoko.com/{REMOVED}.exe
    • muzikmeno.com/{REMOVED}.exe
    • eds-kurier.de/{REMOVED}.exe
    • The downloaded Zeus payload is detected as GAV: Zbot.AAN_65 (Trojan).

  • The Infostealer variants seen across different spam campaigns in the last two weeks appear to be from the same author, as indicated by the project name extracted from the binary:

    screenshot
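The two network stages described above (credential exfiltration by POST to /forum/viewtopic.php, followed by the .exe fetch from the Pay-Per-Install servers) are what a defender can hunt for in proxy logs. The script below is an added example written for this page, not SonicWALL's code: it correlates both stages per client address, so a host that did both is flagged as a full infection while a host that only touched one indicator is marked suspect. The hostnames and the POST path come from the advisory; the log format (a squid-style "client method url status" line), the sample log lines and the ".exe" suffix match (the real file names are redacted above) are assumptions made for the demo.

```python
"""Correlate proxy-log lines against the Tepfer/Zeus network indicators.

Added example, not SonicWALL's code. The log format and the sample lines are
constructed for the demo; hostnames and the POST path come from the advisory.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage 1: credential exfiltration via HTTP POST to /forum/viewtopic.php
EXFIL_HOSTS = {"3.soundfactor.org", "3.ussana.net"}
EXFIL_PATH = "/forum/viewtopic.php"

# Stage 2: Pay-Per-Install download of the Zeus payload. The file names were
# redacted in the advisory, so only host + ".exe" suffix are matched here
# (an assumption; tighten it once the real names are known).
PPI_HOSTS = {
    "mjorart.com", "bestinsighttours.com", "rdquark.com", "quranaqiq.com",
    "westquimica.com", "superelectronico.com", "jagatoko.com",
    "muzikmeno.com", "eds-kurier.de",
}

# Constructed sample log (not real traffic): "<client> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 POST http://3.soundfactor.org/forum/viewtopic.php 200
10.0.0.5 GET http://mjorart.com/update.exe 200
10.0.0.5 GET http://rdquark.com/update.exe 200
10.0.0.7 GET http://mjorart.com/index.html 200
10.0.0.9 POST http://3.ussana.net/forum/viewtopic.php 200
10.0.0.11 GET http://example.com/forum/viewtopic.php 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify(line):
    """Return ('exfil' | 'ppi' | None, client, host) for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, None, None
    client, method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if method == "POST" and host in EXFIL_HOSTS and parts.path == EXFIL_PATH:
        return "exfil", client, host
    if method == "GET" and host in PPI_HOSTS and parts.path.lower().endswith(".exe"):
        return "ppi", client, host
    return None, client, host


def correlate(log_text):
    """Group indicator hits per client; both stages on one client = likely infection."""
    hits = defaultdict(lambda: {"exfil": set(), "ppi": set()})
    for line in log_text.splitlines():
        kind, client, host = classify(line)
        if kind:
            hits[client][kind].add(host)
    verdicts = {}
    for client, h in hits.items():
        if h["exfil"] and h["ppi"]:
            verdicts[client] = "infected: credential exfil + Zeus download"
        elif h["exfil"]:
            verdicts[client] = "suspect: credential exfil only"
        else:
            verdicts[client] = "suspect: PPI download only"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(correlate(SAMPLE_LOG).items()):
        print(client, verdict)
```

A client that only fetched a non-executable page from one of the PPI domains (10.0.0.7 above) is deliberately not reported; those sites are compromised legitimate hosts, and plain browsing to them is not evidence of infection. Any "infected" verdict should be followed by a credential reset for every FTP and e-mail account configured on that machine, since the exfiltration happens before the Zeus download.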

Dell SonicWALL Gateway AntiVirus has blocked close to 1 million instances of these spammed Infostealer variants in the past week. Below is the geographic distribution of this Infostealer spam campaign:

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Tepfer.BVXJ (Trojan)
  • GAV: Tepfer.CAVW (Trojan)