Malware claiming to be Heartbleed test tool (April 11, 2014)

The Dell SonicWALL Threats Research team came across a malicious executable that claims to be a test tool for the recently discovered Heartbleed vulnerability. The executable is a new variant of the Zacom backdoor Trojan family. This is yet another example of how quickly cybercriminals try to take advantage of a new popular topic to spread malware.

The Heartbleed vulnerability is a critical information disclosure bug in the TLS and DTLS implementations of OpenSSL that was discovered earlier this week. More information about the vulnerability and our analysis is available here.

Infection Cycle

The malware executable file looks like below:

The malware upon execution will generate a unique ID utilizing the infected ComputerName and UniqueID information as shown below:

It then registers the infection with a remote command and control server whose IP address is hardcoded in the malware. The command and control server responds with a unique string starting with either "su" or "sp" followed by nine digits.

It further creates the following files on the system:

  • %User Local Settings%\Temp\hello032.txt [Temporary text file used to check for write permission and bitness]
  • %User Local Settings%\Temp\msbridge.exe [Copy of itself, detected as GAV: Zacom.A_2 (Trojan)]

It also creates a registry entry to ensure that the dropped malware executable runs on system reboot:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Msbridge = %User Local Settings%\Temp\msbridge.exe

The original malware process terminates after creating a new process to start the dropped executable with the following arguments:

    %User Local Settings%\Temp\msbridge.exe %PATH TO THE ORIGINAL EXECUTABLE FILE% 4194304

The new process will utilize the path argument to delete the original malware executable file.

It then attempts to communicate with the hardcoded command and control server IP, waiting for further commands. The following network activity indicators were observed during our analysis:

As seen above, the malware supports downloading updates and additional malware as well as uploading stolen information from the infected machine. It also uses a custom, generic-looking User-Agent string for its communication. The command and control server is hosted in Hong Kong and appeared to be active at the time of analysis.
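As an added example that is not part of the original write-up, the following Python script turns the host and network behaviour described above (the Run key value, the self-deleting relaunch with the 4194304 argument, and the su/sp registration reply) into simple triage checks a responder can run over collected artifacts. The registry values, command lines and server replies below are constructed samples, not data from the analysis:

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up; sample inputs are constructed.
RUN_VALUE_NAME = "msbridge"            # value name under HKCU\...\Run
DROPPED_NAME = "msbridge.exe"          # dropped copy in the user's Temp folder
DELETE_ARG = "4194304"                 # trailing argument of the relaunch
C2_REPLY_RE = re.compile(r"^s[up]\d{9}$")  # "su"/"sp" followed by nine digits


def check_run_key(entries):
    """entries: mapping of Run value name -> command. Returns suspicious names."""
    hits = []
    for name, command in entries.items():
        exe = PureWindowsPath(command.strip('"'))
        in_temp = "temp" in [part.lower() for part in exe.parts]
        if name.lower() == RUN_VALUE_NAME or (exe.name.lower() == DROPPED_NAME and in_temp):
            hits.append(name)
    return hits


def check_process_cmdline(cmdline):
    """True if cmdline matches the dropped copy relaunching itself to delete the
    original: <temp>\\msbridge.exe <original .exe path> 4194304"""
    low = cmdline.lower().strip()
    head, _, tail = low.rpartition(" ")
    if DROPPED_NAME not in head or tail != DELETE_ARG:
        return False
    # a second .exe path (the original dropper) must follow the image name
    return ".exe" in head.replace(DROPPED_NAME, "", 1)


def check_c2_reply(text):
    """True if a server reply looks like the Zacom registration token."""
    return bool(C2_REPLY_RE.match(text.strip()))


def triage(run_entries, cmdlines, c2_replies):
    """Summarise which indicator classes fired for one host (constructed input)."""
    return {
        "run_key": check_run_key(run_entries),
        "relaunch": [c for c in cmdlines if check_process_cmdline(c)],
        "c2_reply": [r for r in c2_replies if check_c2_reply(r)],
    }


if __name__ == "__main__":
    sample_run = {"Msbridge": r"C:\Documents and Settings\u\Local Settings\Temp\msbridge.exe"}
    sample_cmd = [r"C:\Documents and Settings\u\Local Settings\Temp\msbridge.exe C:\dl\hb_test.exe 4194304"]
    print(triage(sample_run, sample_cmd, ["su123456789"]))
```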

Dell SonicWALL UTM appliance provides protection against this threat with the following signatures:

  • GAV: Zacom.A (Trojan)
  • GAV: Zacom.A_2 (Trojan)
  • IPS:3686 Zacom heartbleed malware activity 1
  • IPS:3688 Zacom heartbleed malware activity 2