Infostealer Trojan that tracks user activity (November 22, 2013)
The Dell SonicWall Threats Research Team received reports of an infostealer Trojan that aims at gathering information about the victim system and passes it to the attacker. Some of the information passed to the attacker includes the programs and shell commands being executed by the user when the Trojan is running.
Infection Cycle
We found the Trojan hosted on a legitimate website, tala[removed].com/sem/xp.exe, which was still active at the time of writing. The Trojan is downloaded from this link as xp.exe and carries a WinRAR icon:
It drops the following files on the system:
- %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\system.pif – Copy of itself
- %APPDATA%\Roaming\office\winword.exe – Copy of itself
It creates the following Mutexes on the system to mark its presence:
- ***MUTEX***
- UACMutexxxxx
- _x_X_BLOCKMOUSE_X_x_
- _x_X_PASSWORDLIST_X_x_
- _x_X_UPDATE_X_x_
The Trojan adds the following key to the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\Roaming\office\winword.exe"
It makes the following changes to the registry in order to bypass firewalls:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
It drops the following additional files on the system:
- %APPDATA%\Local\Temp\UuU.uUu – Contains the time at which the Trojan was executed
- %APPDATA%\Local\Temp\XxX.xXx – Contains the time at which the Trojan was executed
- %APPDATA%\Local\Temp\XX–XX–XX.txt – A 230 kB temporary text file
- %APPDATA%\Local\Temp\teste.vbs – A VBScript that lists the firewall and antivirus products present on the victim system and writes them to a file, teste.txt
We observed the Trojan communicating with data3.sytes.net on TCP port 9090 where it sends information about the activity performed by the user when the Trojan is executing. Some of the activities that were captured during our analysis were:
- Programs being opened
- Folders being opened
- Commands executed in Shell
Below is a screenshot of sample network traffic from this infostealer:
In addition, it performs the following:
- Stops the Windows firewall by executing net stop mpssvc
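The indicators above (the dropped files, the Run key and ZoneMap registry changes, the net stop mpssvc command and the beacon to data3.sytes.net on TCP 9090) can be turned into a simple detection pass over endpoint telemetry. The script below is an added example written for this page, not SonicWall's code; the log lines are constructed in a simplified key=value format modelled loosely on Sysmon events, and the field names (event, image, target, data, cmdline, dest, port) and the finding tags are assumptions.

```python
"""Detect the host and network indicators of the infostealer described above.

Added example, not SonicWall's code. The telemetry format is an assumption:
one event per line, space-separated key=value pairs, values optionally
double-quoted (Sysmon-like, simplified). Indicator values come from the advisory.
"""
import re
from typing import Dict, List, Tuple

# Indicators from the advisory (lower-cased for case-insensitive matching).
ZONEMAP_KEY = "\\internet settings\\zonemap"          # ...\CurrentVersion\Internet Settings\ZoneMap
ZONEMAP_VALUES = {"proxybypass", "intranetname", "uncasintranet"}
RUN_KEY = "\\currentversion\\run"                     # ...\CurrentVersion\Run
DROPPED_FILES = {"system.pif", "winword.exe", "teste.vbs", "uuu.uuu", "xxx.xxx"}
C2_HOST = "data3.sytes.net"
C2_PORT = "9090"

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FIREWALL_STOP_RE = re.compile(r"\bnet1?(\.exe)?\s+stop\s+mpssvc\b")


def parse_line(line: str) -> Dict[str, str]:
    """Split one telemetry line into a dict of lower-cased field names."""
    return {k.lower(): v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the finding tags that apply to a single parsed event."""
    hits: List[str] = []
    kind = ev.get("event", "")

    if kind == "registry_set":
        key, _, name = ev.get("target", "").lower().rpartition("\\")
        data = ev.get("data", "").lower()
        # ZoneMap ProxyBypass / IntranetName / UNCAsIntranet set to 1
        if key.endswith(ZONEMAP_KEY) and name in ZONEMAP_VALUES and data == "1":
            hits.append("zonemap-tamper")
        # Run key pointing at a winword.exe copy under AppData\...\office
        if key.endswith(RUN_KEY) and "\\appdata\\" in data and data.endswith("\\office\\winword.exe"):
            hits.append("run-key-persistence")

    elif kind == "file_create":
        path = ev.get("target", "").lower()
        name = path.rpartition("\\")[2]
        # Dropped file names only count in the locations the advisory lists.
        if name in DROPPED_FILES and any(d in path for d in ("\\startup\\", "\\office\\", "\\temp\\")):
            hits.append("dropped-file")

    elif kind == "process_create":
        cmd = " ".join(ev.get("cmdline", "").lower().split())
        if FIREWALL_STOP_RE.search(cmd):
            hits.append("firewall-stop")

    elif kind == "net_connect":
        if ev.get("dest", "").lower() == C2_HOST:
            hits.append("c2-host")
        elif ev.get("port") == C2_PORT:
            hits.append("c2-port")      # weaker signal: port alone, needs analyst review

    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every line through classify(); return (tag, originating image) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        for tag in classify(ev):
            findings.append((tag, ev.get("image", "?")))
    return findings


# Constructed sample telemetry (not a real capture) reproducing the advisory's chain.
SAMPLE_LOG = [
    r'event=file_create image="C:\Users\bob\Downloads\xp.exe" target="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\system.pif"',
    r'event=registry_set image="C:\Users\bob\Downloads\xp.exe" target="HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass" data=1',
    r'event=registry_set image="C:\Users\bob\Downloads\xp.exe" target="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winword" data="C:\Users\bob\AppData\Roaming\office\winword.exe"',
    r'event=process_create image="C:\Windows\System32\net.exe" cmdline="net stop mpssvc"',
    r'event=net_connect image="C:\Users\bob\AppData\Roaming\office\winword.exe" dest=data3.sytes.net port=9090',
    r'event=process_create image="C:\Windows\System32\net.exe" cmdline="net use"',            # benign
    r'event=net_connect image="C:\Program Files\Browser\browser.exe" dest=example.com port=443',  # benign
]

if __name__ == "__main__":
    for tag, image in scan(SAMPLE_LOG):
        print(f"{tag:22s} {image}")
```

The ZoneMap values are also changed legitimately by administrators and by Internet Explorer itself, so "zonemap-tamper" should be read as corroborating evidence next to the firewall stop, the Startup-folder copy and the beacon, not as a conviction on its own; likewise "c2-port" only fires when the hostname does not match and is there to surface candidates for review.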
The main goal of this Trojan is to harvest information on the infected system and relay it to the attacker. During our analysis the information that was passed was limited to the programs, commands and files opened by the user. The Trojan can be considered noisy: it performs a number of activities and does not try very hard to conceal its presence, and the names of its Mutexes also point to its non-stealthy nature.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Spatet.AA_2 (Trojan)