Adobe Flash player installer packaged with Siromost Trojan (Feb 28, 2014)
The Dell SonicWall Threats Research Team has spotted a sample packed with a legitimate installer for Adobe Flash player (Version 10.0.12.36). Once this is executed, both the legitimate installer and the malware are run.
Since the malware is dropped by the Flash player package, it is saved here:
- %AppData%\Adobe\plugin.exe [Detected as GAV: Siromost.A (Trojan)]
This malicious file is signed using an expired certificate:
Once it is executed, the malware creates the following mutex:
- \Sessions\1\BaseNamedObjects\Internet Explorer Verifier
It injects code into the system processes:
- C:\Windows\System32\dwm.exe
- C:\Windows\system32\svchost.exe
The malware sends out an initial HTTP GET request over TCP port 80:
This looks to be an authentication request which does not contain any system information.
The second request is sent out with the system information included:
Once the relevant system information has been sent, a similar request follows with an additional parameter "list". In response to this, the C&C server returns a jpeg file.
Here is the downloaded jpeg image:
After a series of requests are exchanged, the malware sends out the encrypted stolen system information to the C&C server.
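The host and network indicators described above, encoded as a hunting check over constructed telemetry. This is an added example, not code from the original advisory; the record layout, the proxy log line format and the host name c2.example are assumptions.

```python
"""Match the Siromost indicators from the write-up against constructed telemetry.

The record layout (mutexes, files, remote_threads) and the proxy log line
format are assumptions, not a real EDR or proxy export format.
"""
from urllib.parse import parse_qs, urlsplit

MUTEX_NAME = "Internet Explorer Verifier"      # BaseNamedObjects mutex name
INJECT_TARGETS = {"dwm.exe", "svchost.exe"}     # processes the malware injects into
DROP_SUFFIX = r"\adobe\plugin.exe"              # dropped file under %AppData%


def match_host(record):
    """Return the host-side indicators present in one constructed telemetry record."""
    hits = set()
    if any(m.endswith(MUTEX_NAME) for m in record.get("mutexes", [])):
        hits.add("mutex")
    if any(p.lower().endswith(DROP_SUFFIX) for p in record.get("files", [])):
        hits.add("dropped_file")
    for thread in record.get("remote_threads", []):
        # plugin.exe creating a thread in dwm.exe or svchost.exe
        if (thread["target"].lower() in INJECT_TARGETS
                and thread["source"].lower().endswith("plugin.exe")):
            hits.add("injection:" + thread["target"].lower())
    return sorted(hits)


def match_beacons(log_lines):
    """Flag GET requests carrying a bare 'list' parameter that were answered with a JPEG.

    Constructed line format: '<time> <method> <url> <status> <content-type>'.
    """
    flagged = []
    for line in log_lines:
        _ts, method, url, _status, ctype = line.split()
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if method == "GET" and "list" in query and ctype == "image/jpeg":
            flagged.append(urlsplit(url).netloc)
    return flagged


SAMPLE_RECORD = {  # constructed sample telemetry
    "mutexes": [r"\Sessions\1\BaseNamedObjects\Internet Explorer Verifier"],
    "files": [r"C:\Users\u\AppData\Roaming\Adobe\plugin.exe"],
    "remote_threads": [{"source": r"C:\Users\u\AppData\Roaming\Adobe\plugin.exe",
                        "target": "dwm.exe"}],
}
SAMPLE_LOG = [  # constructed proxy log; c2.example is a placeholder host
    "10:00:01 GET http://c2.example/index.php?id=HOST01 200 text/html",
    "10:00:05 GET http://c2.example/index.php?id=HOST01&os=xp&user=u 200 text/html",
    "10:00:09 GET http://c2.example/index.php?id=HOST01&list 200 image/jpeg",
    "10:00:12 GET http://cdn.example/logo.jpg 200 image/jpeg",
]

if __name__ == "__main__":
    print(match_host(SAMPLE_RECORD))   # ['dropped_file', 'injection:dwm.exe', 'mutex']
    print(match_beacons(SAMPLE_LOG))   # ['c2.example']
```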
Overall the main motive of this malware is to steal system information. The malware also downloads more files to be executed on the system. We will continue to monitor this threat and provide updates on its capabilities.
Dell SonicWALL protects against this threat with the following signatures:
- GAV: Siromost.A (Trojan)
- GAV: Siromost.A_2 (Trojan)