Security News

Trojan uses an old compression format to thwart detection (Sep 19, 2014)

By

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a fake word document. This Trojan may arrive in the form of an email with a seemingly harmeless compressed file as an attachment. This attachment comes in ARJ file format, which was a popular compression format back in the 90’s, and uses .arj as the file extension. By using a really old compression format, this malicious program can thwart security programs attempting to scan, block or unpack it.

Figure 1: Sample email with the malicious attachment

Infection Cycle:

The Trojan uses the following naming conventions with a .scr or .exe file extension:

  • statmnt_yyyy-mm-dd_*random digits*.scr
  • infraction_yyyy-mm-dd_*random digits*.exe
  • order_yyyy-mm-dd_*random digits*.scr
  • runout_yyyy-mm-dd_*random digits*.scr
  • termnate_yyyy-mm-dd_*random digits*.exe
  • sale_yyyy-mm-dd_*random digits*.exe

Once executed it drops the following files:

  • “%TEMP%/sale__*random digits*.rtf (a harmless document file)

It then displays the contents of this document by executing the following commands:

  • PROGRAM FILESMICROSOFTOFFICE11WORDVIEW.EXE [“PROGRA~1MICROS~2OFFICE11WORDVIEW.EXE” /n /dde]

Figure 2: Example contents of the harmless word document

To verify internet connectivity, the Trojan performs the following DNS queries:

Figure 3: DNS query to microsoft.com

The Trojan then establishes a connection to different remote servers and sends out encrypted data:

Figure 4: Trojan connects to remote server sazlar.de
Trojan connects to remote servers: sazlar.de, telasramacrisna.br and powerc214.galaxy-gmbh-service.de

Figure 5: Example of encrypted data sent

Based on the following strings found in the main binary file, this Trojan is capable of downloading additional malware to the victim’s machine:

Figure 6: Hardcoded strings found in the main executable
Trojan tries to download mine.tar.gz from: sazlar.de, telasramacrisna.br, pinballpassion.fr and necaps.org

These additional malware components were found to be variants of Zbot and are detected as:

  • Mine.exe [Detected as GAV: Zbot.AAD (Trojan)]

And in a true Zbot fashion, this new malware component was found to post encrypted data and send DNS queries to randomized domain names:

Figure 7: ZBot generated DNS queries to random domains

Overall, this Trojan is capable of downloading additional malware into the victim’s machine. It can also send sensitive information out to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Sinowal.CF (Trojan)

  • GAV: Sinowal.CF_2 (Trojan)

  • GAV: Sinowal.CF_3 (Trojan)

  • GAV: Vikaslop.A (Trojan)

  • GAV: Vikaslop.A_2 (Trojan)

  • GAV: Zbot.AAD (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Threat actors are misusing Coronavirus scare to spread malicious executable
Cybersecurity News & Trends - 02-26-21
Oracle WebLogic insecure deserialization vulnerability actively being exploited in the wild
Microsoft Security Bulletin Coverage for April 2024
Microsoft Security Bulletin Coverage for April 2021
NewPosThings.C a 64-Bit variant of POS malware released in the wild.
NTP Daemon Vulnerabilities (Nov 19, 2015)
Cyber Security News & Trends – 12-07-18