Trojan Masquerading as a resume seen in the wild (Aug 15, 2014)

The Dell SonicWall Threats Research team has received reports of a Trojan masquerading as a resume. This Trojan may arrive as an email attachment that appears to be a harmless PDF. The executable is even signed with a fake certificate claiming to be issued by Adobe Systems.

Figure 1: Trojan uses the PDF icon

Figure 2: Digital Signature

Infection Cycle:

Upon execution, the Trojan creates the following files:

  • %USERPROFILE%\Rar.exe (legitimate compression utility)
  • %USERPROFILE%\temporary.rar

It then unpacks the contents of the temporary.rar archive by executing the following command (note that the archive password is passed inline with the -p switch):

  • "%USERPROFILE%\Rar.exe" e "%USERPROFILE%\temporary.rar" -pUjht6yTgrt63 "%USERPROFILE%"

The archive contents are extracted to the following locations:

  • %USERPROFILE%\CertMgr.exe (legitimate Microsoft Certificate Manager tool)
  • %USERPROFILE%\Sert.cer (a fake certificate)
  • %USERPROFILE%\Resume.pdf (a non-malicious PDF file)

The Trojan then installs the fake certificate into the machine-wide Trusted Root store by executing the following command:

  • "%USERPROFILE%\CertMgr.exe" -add -c "%USERPROFILE%\sert.cer" -s -r localMachine root

The Trojan then invokes Acrobat Reader to open the PDF file. It displays a poorly crafted resume written in the Russian language.
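As an added defender-side example (not code from the write-up or from SonicWall), the following Python detection runs over constructed Sysmon-style process-creation records and flags the two behaviours in the chain above: a Rar.exe living in a user profile extracting a password-protected archive, and a certificate being added to the LocalMachine Root store. It goes beyond the page by also matching the equivalent certutil -addstore Root form. The sample records and the user name "bob" are constructed for the example.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields), not real telemetry.
# The first two mirror the command lines from the write-up; the remaining ones are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Rar.exe",
     "CommandLine": r'"C:\Users\bob\Rar.exe" e "C:\Users\bob\temporary.rar" -pUjht6yTgrt63 "C:\Users\bob"'},
    {"Image": r"C:\Users\bob\CertMgr.exe",
     "CommandLine": r'"C:\Users\bob\CertMgr.exe" -add -c "C:\Users\bob\sert.cer" -s -r localMachine root'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -addstore Root C:\Users\bob\Downloads\evil.cer'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" x C:\Users\bob\Downloads\photos.rar C:\Users\bob\Pictures'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -hashfile C:\Users\bob\setup.exe SHA256'},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]

def in_user_profile(path):
    """True when the path sits under a per-user profile directory (C:\\Users\\<name>\\...)."""
    return re.match(r'^[a-z]:\\users\\[^\\]+\\', path.lower()) is not None

def detect(event):
    """Return the names of the rules an event trips (empty list for benign activity)."""
    image = ntpath.basename(event["Image"]).lower()
    lower = [t.lower() for t in tokenize(event["CommandLine"])]
    hits = []
    # Rule 1: a rar binary run from a user profile with an inline archive password (-p<password>).
    if image in ("rar.exe", "unrar.exe") and in_user_profile(event["Image"]) \
            and any(t.startswith("-p") and len(t) > 2 for t in lower):
        hits.append("rar_password_extract_from_profile")
    # Rule 2: a certificate added to the machine-wide Trusted Root store, by either tool.
    root_store = "root" in lower and (
        (image == "certmgr.exe" and "-add" in lower and "localmachine" in lower)
        or (image == "certutil.exe" and "-addstore" in lower))
    if root_store:
        hits.append("root_store_cert_install")
    return hits

def scan(events):
    """Map each flagged command line to the rules it tripped; clean events are dropped."""
    return {e["CommandLine"]: detect(e) for e in events if detect(e)}

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(rules, cmd)
```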

Figure 3: A decoy resume written in the Russian language

It then makes the following DNS queries to verify internet connectivity:

Figure 4: Trojan connects to legitimate websites

The Trojan also checks for the presence of the following registry keys to determine whether the host is a virtual machine:

Figure 5: Trojan checking for VirtualBox-related registry keys

It also employs the most common technique for thwarting analysis under a debugger:

Figure 6: Trojan uses the IsDebuggerPresent function as an anti-debugging technique

During our analysis the Trojan attempted to download additional components.

Figure 7: The Trojan downloading poper.rar from ripola.net

It was also seen sending a simple text message, "INSTALL", over TCP port 25.

Figure 8: The Trojan sending an email message to confirm installation

Overall, this Trojan is capable of downloading additional malware onto the victim's machine. It can also send sensitive information out to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Eratoma.A (Trojan)