Soraya Infostealer bot with Point-Of-Sale support (June 5, 2014)

The Dell SonicWALL Threats Research team observed reports of a new infostealer bot family named Soraya actively spreading in the wild. This is the first instance of an infostealer bot family that combines form-grabbing functionality like that of the popular banking Trojan Zeus with memory-scraping functionality like that of the Point-of-Sale Trojan Dexter. This equips the bot to target both user systems and Point-of-Sale terminals, stealing sensitive user credentials and credit card information. We have already spotted some drive-by-download URLs actively serving this bot in the wild.

Infection Cycle:

The Trojan checks for the presence of the following file on the infected system:

    c:\myapp.exe

The Trojan adds the following file to the filesystem:

  • %APPDATA%\servhost.exe [Detected as GAV: Soraya.A_2 (Trojan)]

The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WinServHost "%APPDATA%\servhost.exe"
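The dropped file and the Run key above are the two host-based indicators a responder can check quickly. The following script is an added example written for this page, not code from the advisory or from SonicWALL: it parses the text that `reg query` prints for the Run key (the sample output below is constructed, with a benign OneDrive entry as a decoy) and flags any value that either carries the advisory's value name `WinServHost` or launches a `servhost.exe` from `%APPDATA%`, so that a renamed value name still produces a hit.

```python
import ntpath
import re
from typing import Dict, List

# Indicators quoted from the advisory above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "WinServHost"
DROPPED_FILE = "servhost.exe"

# Constructed sample: what `reg query <Run key>` prints on an infected host.
# The OneDrive entry is a benign decoy; only the WinServHost line is the indicator.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive       REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinServHost    REG_SZ    "C:\Users\alice\AppData\Roaming\servhost.exe"
"""

# An indented value line: name, registry type, data (columns separated by 2+ spaces).
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(output: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query` text into {key_path: {value_name: data}}.

    Unindented lines starting with HKEY_ open a key; indented lines are the
    values belonging to the most recently opened key.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            keys[current][name] = data.strip()
    return keys


def _executable_from_data(data: str) -> str:
    """Pull the executable path out of a Run value (strip quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def _is_appdata_path(path: str) -> bool:
    """True when the path is under %APPDATA%, expanded or not."""
    p = path.lower()
    return "%appdata%" in p or "\\appdata\\roaming\\" in p


def find_soraya_persistence(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Return Run values matching the advisory's persistence indicator.

    A value is flagged when its name is WinServHost, or when the executable it
    launches is servhost.exe located under %APPDATA% (catches a renamed value).
    """
    findings: List[Dict[str, str]] = []
    run_values: Dict[str, str] = {}
    for key, values in keys.items():
        if key.lower() == RUN_KEY.lower():
            run_values.update(values)
    for name, data in run_values.items():
        exe = _executable_from_data(data)
        by_name = name.lower() == RUN_VALUE_NAME.lower()
        by_file = ntpath.basename(exe).lower() == DROPPED_FILE and _is_appdata_path(exe)
        reasons = [label for label, hit in (("value name", by_name), ("dropped file", by_file)) if hit]
        if reasons:
            findings.append({"value": name, "path": exe, "reason": "+".join(reasons)})
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_REG_QUERY with the output of:
    #   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    for hit in find_soraya_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"Soraya persistence: value={hit['value']} path={hit['path']} ({hit['reason']})")
```

The parser is deliberately tolerant of value names containing spaces (the columns in `reg query` output are separated by runs of spaces, not a single one), and the match on the target executable rather than only on the value name is what keeps the check useful against a sample that changes the registry value name but keeps the same drop location.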

It then injects malicious code into multiple system processes and executes it using CreateRemoteThread. One of the injected malicious threads is responsible for handling the Command and Control communication with a predetermined remote server. It decrypts the embedded Command and Control information in memory, creates a mutex, and registers the bot with the remote server.

The malware also installs the following user-mode hooks on the infected system:

These hooks will ensure that:

  • Any process newly spawned from Explorer.exe also gets injected with the malicious code
  • The malware executable stays hidden from the user
  • Network activity is intercepted

Another injected thread is responsible for the form-grabbing functionality: it injects itself into any newly launched browser process and installs browser-specific hooks for popular browsers such as Chrome, Internet Explorer, and Firefox.

One of the injected malicious threads periodically scrapes the memory of active non-system processes on the infected machine for credit card information. The stolen information is then relayed back to the Command & Control server.

Command and Control communication

During our analysis we saw the following communication between the infected machine and the C2 server:

  • Registering the infected machine [mode=1]
  • Checking the C2 server for pending commands [mode=2]
  • Reporting job completion status to the C2 server [mode=3]
  • FormGrab module stolen data sent to the C2 server [mode=4]
  • Memory scraping module stolen data sent to the C2 server [mode=5]

Other C2 commands supported by the Soraya bot that we saw during our analysis include:

  • vweb
  • vstealth
  • down
  • update

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Soraya.A (Trojan)
  • GAV: Soraya.A_2 (Trojan)
  • GAV: Soraya.A_3 (Trojan)
  • IPS:3920 Soraya C&C Traffic 1