Rango Antivirus FakeAV makes a surge (Oct 31, 2014)
The Dell SonicWALL Threats Research team has observed a huge wave of spam that is spreading FakeAV software called Rango Antivirus 2014. FakeAV software was a big trend 2 years ago but had since died down following a rise of infostealer trojans and ransomware such as Cryptolocker. This FakeAV Trojan arrives as an email with an attachment masquerading as a court notice document.
Infection cycle:
The Trojan adds the following files to the filesystem:
- %APPDATA%\ipcsxnep.exe [Detected as GAV: Zbot.CH_4 (Trojan)]
- %APPDATA%\upoosook.exe [Detected as GAV: Inject.C_2 (Trojan)]
The Trojan adds the following keys to the Windows registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rqvobwcf "%APPDATA%\ipcsxnep.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xwpdlhad "%APPDATA%\upoosook.exe"
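The persistence described above (randomly named executables dropped directly into the %APPDATA% root and started from randomly named HKCU Run values) is easy to hunt for in exported autorun data. The following is an added example, not code from the advisory or from SonicWALL: it runs a two-signal heuristic over a constructed list of Run-key entries that mirrors the two malicious values above plus some benign ones. The "random-looking name" test (exactly eight lowercase letters) is an assumption tuned to this sample and would need widening for other families.

```python
import re

# Constructed sample of (key, value name, data) tuples, in the shape a registry
# export or an autoruns-style collector would produce. The first two mirror the
# values listed in the advisory; the rest are benign entries invented for contrast.
SAMPLE_RUN_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "rqvobwcf", r'"%APPDATA%\ipcsxnep.exe"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "xwpdlhad", r'"%APPDATA%\upoosook.exe"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Spotify", r'"%APPDATA%\Spotify\Spotify.exe" --minimized'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Only Run / RunOnce keys are of interest here.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
                        re.IGNORECASE)

# An .exe sitting directly in the roaming AppData root (no subfolder), written either
# with the %APPDATA% variable or as an expanded per-user path.
APPDATA_ROOT_EXE_RE = re.compile(
    r'^"?(?:%APPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)\\([^\\"]+\.exe)"?',
    re.IGNORECASE)

# Assumption: the sample's generated names are exactly eight lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def assess_run_entry(key, name, data):
    """Return the list of suspicious signals found on one autorun entry."""
    reasons = []
    if not RUN_KEY_RE.search(key):
        return reasons
    m = APPDATA_ROOT_EXE_RE.match(data.strip())
    if m:
        exe = m.group(1)
        reasons.append("executable placed directly in %APPDATA% root: " + exe)
        if RANDOM_NAME_RE.match(exe[:-len(".exe")]):
            reasons.append("random-looking executable name: " + exe)
    if RANDOM_NAME_RE.match(name):
        reasons.append("random-looking value name: " + name)
    return reasons


def find_suspicious(entries):
    """Flag entries that show at least two independent signals, to keep
    single-signal benign cases (e.g. a legitimate root-level installer stub) quiet."""
    hits = []
    for key, name, data in entries:
        reasons = assess_run_entry(key, name, data)
        if len(reasons) >= 2:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, data, reasons in find_suspicious(SAMPLE_RUN_ENTRIES):
        print(f"[!] {name} -> {data}")
        for r in reasons:
            print("      " + r)
```

On a real host the same function can be fed the output of a Run-key enumeration; the heuristic deliberately ignores executables in %APPDATA% subfolders, which is where legitimate per-user installs normally live.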
The Trojan runs an instance of svchost.exe and injects malicious code into it. The malicious code causes it to download an encrypted copy of ipcsxnep.exe from a remote webserver:
The following strings were seen in the svchost memory space. Some of this system information is sent encrypted in the initial POST request:
The Trojan then sleeps for a variable period of time. We observed a period of around 10-15 minutes before FakeAV dialogs were shown. The following is a sample of the dialogs that are shown to the user:
As seen in the screenshots, the Trojan uses the usual FakeAV scare tactics to entice the user into paying for the software. The payment page shows 3 license packages:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Zbot.CH_3 (Trojan)
- GAV: Zbot.CH_4 (Trojan)
- GAV: Inject.C_2 (Trojan)