Trojan Masquerading as a resume seen in the wild (Aug 15, 2014)
The Dell SonicWall Threats Research team has received reports of a Trojan masquerading as a resume. This Trojan may arrive in the form of an email with a seemingly harmless PDF attachment. It is even signed with a fake certificate claiming to be issued by Adobe Systems.
Figure 1: Trojan uses the PDF icon
Figure 2: Digital Signature
Infection Cycle:
Upon execution, the Trojan creates these files in the following locations:
- %USERPROFILE%Rar.exe (legitimate compression utility)
- %USERPROFILE%temporary.rar
It then unpacks the contents of the temporary.rar archive by executing the following command:
- “%USERSPROFILE%Rar.exe” e “%USERSPROFILE%temporary.rar” -pUjht6yTgrt63 “%USERSPROFILE%”
The archive contents are copied into the following locations:
- %USERPROFILE%CertMgr.exe (legitimate Microsoft Certificate Manager tool)
- %USERPROFILE%Sert.cer (a fake certificate)
- %USERPROFILE%Resume.pdf (a non-malicious pdf file)
The Trojan then installs the fake certificate by executing the following command:
- “%USERPROFILE%CertMgr.exe” -add -c “%USERPROFILE%sert.cer” -s -r localMachine root
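The two commands above (a password-protected unpack with Rar.exe and a machine Root store install with CertMgr.exe) are both visible in process-creation logs. The following is an added detection sketch, not part of the original advisory or any SonicWall signature; the rule names, the user name "alice" and the expanded paths in the sample events are assumptions constructed for illustration.

```python
import re

USER_DIR = re.compile(r"^[a-z]:\\users\\", re.I)

def split_args(cmdline):
    # Normalise typographic quotes, then split while keeping quoted paths whole.
    cmdline = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def detect(cmdline):
    """Return the names of the rules (this example's own) that a command line trips."""
    args = split_args(cmdline)
    if not args:
        return []
    image, rest = args[0], args[1:]
    exe = image.rsplit("\\", 1)[-1]
    hits = []
    # certmgr.exe -add ... -r localMachine root: certificate added to the machine Root store
    if exe == "certmgr.exe" and "-add" in rest and "-r" in rest:
        i = rest.index("-r")
        if rest[i + 1:i + 3] == ["localmachine", "root"]:
            hits.append("root-cert-install")
    # rar.exe e|x ... -p<password>: password-protected archive unpacked from the command line
    has_password = any(a.startswith("-p") and a not in ("-p", "-p-") for a in rest)
    if exe == "rar.exe" and rest[:1] in (["e"], ["x"]) and has_password:
        hits.append("rar-password-extract")
    # Either tool running from a user profile rather than its install directory
    if hits and USER_DIR.match(image):
        hits.append("tool-run-from-user-profile")
    return hits

# Constructed process-creation command lines (user "alice" and install paths are made up).
SAMPLE_EVENTS = [
    r'"C:\Users\alice\Rar.exe" e "C:\Users\alice\temporary.rar" -pUjht6yTgrt63 "C:\Users\alice"',
    r'"C:\Users\alice\CertMgr.exe" -add -c "C:\Users\alice\sert.cer" -s -r localMachine root',
    r'"C:\Program Files\WinRAR\Rar.exe" a backup.rar C:\data',
    r'"C:\Program Files (x86)\Windows Kits\10\bin\x64\certmgr.exe" -s -r localMachine root',
]

def scan(events):
    # Map event index -> rule hits, skipping events that trip nothing.
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits)
```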
The Trojan then invokes Acrobat Reader to open the PDF file. It displays a poorly crafted resume written in the Russian language.
Figure 3: A decoy resume written in the Russian language
It then makes the following DNS queries to verify internet connectivity:
Figure 4: Trojan connects to legitimate websites
The Trojan also checks for the presence of the following registry keys to determine whether the host is a virtual environment:
Figure 5: Trojan checking for virtual box related registry keys
It also employs the most common technique to thwart analysis using a debugger:
Figure 6: Trojan uses the IsDebuggerPresent function as an anti-debugger technique
During our analysis the Trojan attempted to download additional components.
Figure 7: The Trojan downloading poper.rar from ripola.net
It was also seen sending a simple text message “INSTALL” over TCP port 25.
Figure 8: The Trojan sending an email message to confirm installation
Overall, this Trojan is capable of downloading additional malware onto the victim’s machine. It can also send sensitive information out to a remote server.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Eratoma.A (Trojan)