New Trojan attacking popular European Social Networking site (January 25, 2013)

The Dell SonicWALL Threats Research team received reports of a new Trojan targeting VK (originally VKontakte). VK is a well-known European social networking service with features similar to Facebook. It has been growing in popularity and had around 195 million accounts, with an average of 43 million daily users, as of December 2012. The Trojan checks whether the victim has a VK account and starts uploading pictures to vk.com on the victim's behalf. It also downloads files from vk.com and stores them locally, and it can accept and execute commands from a remote Command and Control (C&C) server.

Infection Cycle:

Upon execution, the Trojan adds the following file to the filesystem:

  • %USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe, where 'xxxxxxx' is a random 7-digit number for each infection

This file is a copy of the original executable, which is deleted once it has run. We also observed the Trojan writing an image to the following location:

  • %USERPROFILE%\Local Settings\Temp\%RandomCharacters%.jpg

screenshot

The Trojan adds the following keys to the Windows registry so that it is started again after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"

The Trojan also adds the following keys, whose value data records the path of the dropped copy:

  • HKEY_CURRENT_USER\Software\Microsoft\system32_Reg32Path KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\system32_Reg32Path KBxxxxxxx "%USERPROFILE%\Local Settings\Application Data\KBxxxxxxx.exe"
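The file and registry indicators above are specific enough to hunt for. The following Python script is an added example written for this page (it is not SonicWall's code and is not part of the original analysis): it parses a text-format registry export (the output of `reg export`, converted from UTF-16 to UTF-8) and flags any value in the four autorun locations whose name is "KB" plus exactly seven digits and whose data points at a KBxxxxxxx.exe under Local Settings\Application Data, as well as the custom system32_Reg32Path marker keys. The embedded export is a constructed sample, with one clean entry and one near-miss (too few digits) to show that the match is exact.

```python
import re

# Autorun subkeys the sample writes, in lower case and without the hive
# prefix, so that HKCU and HKLM entries are checked with the same rule.
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
# Extra key the sample creates beside its Run entries (path of the dropped copy).
MARKER_KEY = r"software\microsoft\system32_reg32path"

# Value name: "KB" followed by exactly seven digits.
NAME_RE = re.compile(r"^KB\d{7}$")
# Dropped copy: ...\Local Settings\Application Data\KB<7 digits>.exe
PATH_RE = re.compile(r"\\Local Settings\\Application Data\\KB\d{7}\.exe$", re.IGNORECASE)

# .reg syntax: "[HIVE\Sub\Key]" opens a key, '"name"="data"' is a string value.
KEY_LINE_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
VALUE_LINE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample export (not captured from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"KB1234567"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\KB1234567.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"KB1234567"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\KB1234567.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\system32_Reg32Path]
"KB1234567"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\KB1234567.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"KB12"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\KB12.exe"
'''


def parse_reg_export(text):
    """Yield (hive, subkey, value_name, data) for every string value in a .reg export."""
    hive = subkey = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE_RE.match(line)
        if m:
            hive, subkey = m.group(1), m.group(2)
            continue
        m = VALUE_LINE_RE.match(line)
        if m and subkey is not None:
            # .reg files escape each backslash in string data as "\\".
            data = m.group(2).replace("\\\\", "\\")
            yield hive, subkey, m.group(1), data


def find_indicators(text):
    """Return (full_key, value_name, data, kind) for every value matching the Trojan's pattern."""
    hits = []
    for hive, subkey, name, data in parse_reg_export(text):
        key = subkey.lower()
        if key in RUN_KEYS and NAME_RE.match(name) and PATH_RE.search(data):
            hits.append((hive + "\\" + subkey, name, data, "autorun"))
        elif key == MARKER_KEY and NAME_RE.match(name):
            hits.append((hive + "\\" + subkey, name, data, "marker"))
    return hits


if __name__ == "__main__":
    for key, name, data, kind in find_indicators(SAMPLE_REG):
        print("[%s] %s -> %s = %s" % (kind, key, name, data))
```

Two points worth keeping in mind when running this against a real host: `Policies\Explorer\Run` is a less commonly inspected autostart location than `CurrentVersion\Run`, so both HKCU and HKLM copies of each key should be exported, and the `Local Settings\Application Data` path is the Windows XP profile layout; on Vista and later the equivalent directory is `%LOCALAPPDATA%`, so the path pattern needs to be widened if the sample is run there.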

We observed the following sequence of communication with the C&C server:

screenshot

After the malware ran, we found that our vk.com test account had been added to a group without our knowledge.

screenshot

Soon afterwards the account was suspended for suspected malicious activity.

screenshot

A closer look at the image above shows that the picture uploaded to our account is the same image that was saved locally, as noted earlier. All of the images hosted on the C&C and listed in its images.txt file share the same theme: they promote vk-go.com as a service that can show who has visited the user's vk.com page. Such services lure users into handing over sensitive personal information.

vk-go.com redirects users to space2014.ru/spyvk/phone.php, where they are asked to enter their VK nickname. The page then claims to generate a report listing the people who visited their account, and finally asks for the user's phone number in order to provide further information.

screenshot

We also observed the malware downloading publicly available photos from vk.com belonging to the groups listed in the groups.txt file. This happens regardless of whether the victim has a vk.com account.

The main purpose of this campaign is to upload images promoting vk-go.com to users' VK accounts, luring more and more people into using that service and, in doing so, giving away their personal information.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.RBQ (Trojan)