Wave of Zortob Backdoor Trojan discovered in the wild (Oct 18, 2013)
The Dell SonicWall Threats Research team has received reports of a recent wave of the Zortob Trojan in the wild. Trojans of this kind may have no particular objective of their own upon infection, but they give an attacker a backdoor into the infected system through which any other malware can be installed. This Trojan is reported to arrive as an email attachment masquerading as a voicemail message.
Infection cycle:
The Trojan uses the following icon to pose as a voicemail message:
The Trojan adds the following files to the filesystem:
- %APPDATA%kqljentg.exe [Detected as GAV: Zortob.B_47 (Trojan)]
- {run location}VoiceMail_Round_Rock_(512)4584934.txt
Once run, it deletes itself and creates VoiceMail_Round_Rock_(512)4584934.txt in the same location:
It then opens notepad.exe to display the text file:
The following IP addresses for C&C servers were discovered in the binary:
- 62.75.242.232
- 5.39.84.59
- 89.144.14.28
- 106.186.23.14
The following encrypted communication was observed between the Trojan and a remote C&C server:
During analysis we discovered the unencrypted form of the data sent above:
The response from the C&C server suggests that the Trojan remain idle. We also discovered various other commands in the Trojan binary:
- idl
- run
- crc
- rem
- rdl
- red
- upd
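As an added defensive example (not part of SonicWall's advisory), the following Python triage scanner looks for the indicators listed above in a raw byte buffer: the four C&C addresses and the seven command tokens. Because three-letter tokens such as "run" occur in almost any binary, it only counts them when they appear as standalone NUL-terminated strings and requires an address plus most of the command table before reporting a match; the sample buffers are constructed, not real malware bytes.

```python
import re

# Indicators taken from the advisory above: C&C addresses and the command
# tokens found in the binary.
CNC_ADDRESSES = {"62.75.242.232", "5.39.84.59", "89.144.14.28", "106.186.23.14"}
COMMAND_TOKENS = {"idl", "run", "crc", "rem", "rdl", "red", "upd"}

# Only accept a 3-letter token when it is NUL-terminated and not preceded by
# another printable character, i.e. stored as its own short C string rather
# than as a fragment of a longer word such as "running".
_TOKEN_RE = re.compile(rb"(?<![\x20-\x7e])([a-z]{3})\x00")


def scan_indicators(data: bytes) -> dict:
    """Return which advisory indicators occur in a raw byte buffer."""
    found_ips = {ip for ip in CNC_ADDRESSES if ip.encode() in data}
    found_cmds = {m.group(1).decode() for m in _TOKEN_RE.finditer(data)}
    return {"cnc_ips": sorted(found_ips),
            "commands": sorted(found_cmds & COMMAND_TOKENS)}


def verdict(result: dict, min_commands: int = 3) -> str:
    """Combine indicators: a lone short token is noise, an address together
    with most of the command table is a strong match."""
    if result["cnc_ips"] and len(result["commands"]) >= min_commands:
        return "match"
    if result["cnc_ips"] or result["commands"]:
        return "weak"
    return "clean"


# Constructed sample buffers (hypothetical, not bytes from the real sample).
SUSPECT = (b"\x00\x00MZ" + b"\x00" * 8 + b"62.75.242.232\x00" + b"5.39.84.59\x00"
           + b"idl\x00run\x00crc\x00rem\x00rdl\x00red\x00upd\x00")
BENIGN = b"this program cannot be run in DOS mode\x00readme\x00version 1.0\x00"

if __name__ == "__main__":
    for name, buf in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = scan_indicators(buf)
        print(name, verdict(result), result)
```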
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Zortob.B_47 (Trojan)