Beyond “Seven Layers”: Local Network Protection from Global Threats

Last week my colleague John Gordineer posted a blog entitled “Seven layers of protection from hacked websites”. This blog goes further, examining how you can be protected from threats that emerge from the other side of the globe.

If you have kids, you often find out that a virus is running through the school when your child comes home with it. The internet is a lot like the school playground; it’s a notorious place for catching nasty viruses. Just like on the playground, the most common pathway for distributing malware is through the internet. As with playground viruses, you can’t predict what virus strain your network will get. One of the ways cyber-criminals avoid detection is to simply modify the existing code. Criminals can then leverage legitimate websites to test whether malware detection engines will recognize it. When the code is sufficiently modified, so that it’s no longer seen as malicious, voilà, you have new malware. Consequently, new threats are popping up around the world every hour, night and day.

Today, the sale of cyber-criminal tools is a thriving business, with pricing models ranging from outright sales to time-based rentals. For example, an online banking malware called SpyEye could be obtained for $150 (before its creators were caught and prosecuted), which included three months of free hosting. Like other software it included updates, patches and technical support. Another cyber-criminal technique is the spread of botnets: vast networks of computers used to transmit malware to other computers on the internet. A botnet is manipulated by a command and control (C&C) server, which can send out thousands of emails linked to malicious software.

Global threats require global security solutions

With cyber-criminals continually upping their game, there are some specialized tools for reducing the chance of being compromised.

GeoIP filtering relies on the fact that each packet of data carries IP addresses identifying where it is coming from and going to, and that IP addresses have been allocated to specific countries. For example, Tajikistan has fewer than 50,000 IP addresses and North Korea only 2,304; China on the other hand has 333 million, and the US leads the list with over 1.6 billion IP addresses. (“Allocation of IP Addresses by Country.” CIPB. 1 Apr. 2015. Web. 1 Apr. 2015.) Blocking IP addresses from countries you don’t do business with limits the ability of botnets to infect your network. In case your network is already compromised, it is good practice to filter traffic leaving your network as well.

Here are some important GeoIP defense strategies:

  1. Filter all incoming and outgoing communication to a particular country or region.
  2. Make sure your firewall provider is an organization that can identify threats globally.
  3. Hire an IT service provider who can react quickly to protect your network.
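The following is an added example, not part of the original post, showing what strategy 1 looks like as policy logic: a country allow-list applied to both inbound and outbound flows, so that a botnet delivery from a non-allowed country is dropped on the way in and a beacon from an already-compromised host is dropped on the way out. The CIDR-to-country table, the allowed-country set and the flow records are all constructed for the example; a real deployment would load a GeoIP database and read flows from the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lookup table: CIDR blocks mapped to ISO country codes.
# A real deployment would load a GeoIP database; these ranges are made up
# (documentation and reserved ranges, so they never hit real hosts).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "KP"),
    (ipaddress.ip_network("100.64.0.0/10"), "TJ"),
]

# Countries this (hypothetical) business actually deals with.
ALLOWED_COUNTRIES = {"US", "DE"}

# The organisation's own address space, used to decide the flow direction.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return "??"  # not in the table: treated as unknown, not as allowed


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Verdict:
    direction: str  # "inbound", "outbound" or "internal"
    country: str
    action: str     # "allow" or "block"
    reason: str


def evaluate_flow(src: str, dst: str) -> Verdict:
    """Apply the GeoIP allow-list to one flow, in whichever direction it runs."""
    src_int, dst_int = is_internal(src), is_internal(dst)
    if src_int and dst_int:
        return Verdict("internal", "-", "allow", "internal traffic, GeoIP not applied")
    if src_int:
        direction, external = "outbound", dst
    else:
        direction, external = "inbound", src
    cc = country_of(external)
    if cc in ALLOWED_COUNTRIES:
        return Verdict(direction, cc, "allow", f"{external} is in allowed country {cc}")
    # Unknown or non-allowed countries are blocked: the policy fails closed.
    return Verdict(direction, cc, "block", f"{external} resolves to {cc}, not in allow-list")


def filter_log(lines):
    """Run the policy over constructed 'src -> dst' flow records."""
    results = []
    for line in lines:
        src, dst = [p.strip() for p in line.split("->")]
        results.append((line, evaluate_flow(src, dst)))
    return results


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "203.0.113.7 -> 10.0.0.5",     # inbound from US: allowed
    "192.0.2.9 -> 10.0.0.5",       # inbound from KP: blocked
    "10.0.0.5 -> 100.64.3.3",      # outbound to TJ: blocked (beacon from a compromised host)
    "10.0.0.5 -> 198.51.100.20",   # outbound to DE: allowed
    "10.0.0.5 -> 198.18.0.1",      # outbound to an unmapped range: blocked, fail closed
    "10.0.0.5 -> 192.168.1.1",     # internal: GeoIP not applied
]

if __name__ == "__main__":
    for line, v in filter_log(SAMPLE_FLOWS):
        print(f"{line:28} {v.direction:8} {v.country:3} {v.action:5} {v.reason}")
```

The unmapped-range case is the one to think about before deploying this: an address the database cannot place should be blocked (as here) or at least logged, never silently allowed, otherwise any gap in the GeoIP data becomes a hole in the policy.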

Global presence. It is an old adage that you can see further when you stand on the shoulders of giants. As far as malware protection is concerned, these giants are defined by the number of sensors a security organization deploys. In the intricately connected world the internet brings us, malware that originates in Thailand takes only a couple of clicks to find its way onto your desktop. The best defense is to employ an IT security company that has in-house security research and is a recognized leader in the industry. It is their in-house resources that allow the best security companies to identify malware early and protect your assets before it spreads. These organizations can see further because they have millions of sensors around the globe.

Rapid reaction. Seeing further is only half of the equation; you also need to react faster. Cyber-criminals rely on slow response to steal from you. The security industry is addressing this issue. When Microsoft identifies a threat and communicates it to the security community, it also tracks how quickly the security organizations create protection against the threat. Microsoft’s Active Protections Program (MAPP) shows which partners respond quickly. Is your firewall or antivirus provider on the fast responder list? How rapidly your security partner responds gives you an indication of their effectiveness in protecting you from emerging threats. The security of your business depends on sophisticated global protections that help reduce your chance of being compromised. Geographic protection comes in two flavors: filtering out traffic by geography (GeoIP filtering), and having an IT service provider that operates globally and reacts immediately to emerging threats.

If you want to learn more you might start by reading SonicWall Security’s new eBook, “Types of Cyber-Attacks and How to Prevent Them”. Follow me on twitter @KentShuart.

PoSeidon: a new malware program targets point-of-sale systems

The Dell SonicWALL Threats Research team has observed reports of a POS bot family, detected as GAV: Poseidon.AB, actively spreading in the wild. Poseidon.AB typically scrapes process memory to retrieve credit card data during its scan.

Infection Cycle:

Md5: 5eeb39a0ba36a3f8d9789034dbba9455

The Trojan adds the following files to the system:

%SystemRoot%\system32\WinHost.exe [Detected as GAV: Poseidon.AB (Trojan)]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHost

Poseidon retrieves the list of all running processes; one of the injected malicious code threads periodically scrapes the memory of those processes on the infected machine for credit card information.

The malware tries to enumerate credit card data from POS software. To do this it uses API calls such as:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • OpenProcess
  • ReadProcessMemory

Here is an example of the malware scraping memory:

The file WinHost.exe is registered as a service in the win32 subsystem; after the next restart the malware uses an injected Svchost.exe to scrape memory and, after some time, deletes its own executable file.

The malware verifies candidate credit card numbers using the Luhn algorithm; the valid numbers are then encrypted and sent to one of the C&C servers, such as the following domains:

  • hxxps://linturefa.com/ldl01/viewtopic.php

  • hxxps://xablopefgr.com/ldl01/viewtopic.php

  • hxxps://tabidzuwek.com/ldl01/viewtopic.php

  • hxxps://linturefa.ru/ldl01/viewtopic.php

  • hxxps://xablopefgr.ru/ldl01/viewtopic.php

  • hxxps://tabidzuwek.ru/ldl01/viewtopic.php

  • hxxps://weksrubaz.ru/ldl01/viewtopic.php

  • hxxps://mifastubiv.ru/ldl01/viewtopic.php

  • hxxps://lacdileftre.ru/pes2/viewtopic.php

The malware sends data in the following format:

uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s
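The following is an added example, not code from the advisory or from the malware, serving two passages above: the Luhn check the advisory says Poseidon applies before exfiltrating a number, written here as the standard mod-10 algorithm and used the way a DLP or network monitor would use it (flag Luhn-valid 13 to 19 digit runs leaving a POS segment), and a strict parser for the beacon layout `uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s` quoted above, with field types derived from the printf-style format. The sample bodies and the card numbers are constructed; the real beacon's field contents are not on the page.

```python
import re

# Field names and order taken from the format string quoted in the advisory:
# uid=%I64u&uinfo=%s&win=%d.%d&bits=%d&vers=%s&build=%s
BEACON_FIELDS = ("uid", "uinfo", "win", "bits", "vers", "build")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn (mod 10) check: double every second digit from the right,
    subtract 9 from any result above 9, and require the sum to be divisible by 10."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Runs of 13-19 digits not embedded in a longer digit string (typical PAN lengths).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_card_like_numbers(text: str) -> list:
    """DLP-style scan: return the digit runs that pass Luhn, i.e. the ones a
    memory scraper would keep and an egress monitor should alert on."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def parse_beacon(body: str):
    """Return the beacon fields if `body` matches the Poseidon layout exactly
    (same keys, same order, types consistent with the format), else None."""
    pairs = [p.split("=", 1) for p in body.split("&")]
    if any(len(p) != 2 for p in pairs):
        return None
    if tuple(k for k, _ in pairs) != BEACON_FIELDS:
        return None
    fields = dict(pairs)
    # %I64u is an unsigned 64-bit integer; %d.%d is two integers; %d is an integer.
    if not fields["uid"].isdigit() or int(fields["uid"]) >= 2 ** 64:
        return None
    if not re.fullmatch(r"\d+\.\d+", fields["win"]):
        return None
    if not fields["bits"].isdigit():
        return None
    return fields


def classify_post_bodies(bodies):
    """Label each captured POST body as 'poseidon-beacon' or 'other'."""
    return [("poseidon-beacon" if parse_beacon(b) else "other", b) for b in bodies]


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = [
    "uid=1234567890123&uinfo=V09SS1NUQVRJT04=&win=6.1&bits=32&vers=11.4&build=1",
    "username=alice&password=secret",            # ordinary web form, same transport
    "uid=abc&uinfo=x&win=6.1&bits=32&vers=1&build=1",  # right keys, wrong uid type
]

if __name__ == "__main__":
    for label, body in classify_post_bodies(SAMPLE_BODIES):
        print(f"{label:16} {body}")
    print(find_card_like_numbers("track data: 4111111111111111=2512 and 1234567890123456"))
```

Matching the key order and the field types, rather than just the presence of `uid=` and `build=`, is what keeps a rule like this from firing on ordinary form posts; the domain list above is the higher-confidence indicator and this parser is the fallback for when the domains change.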

Here is an example:

Command and Control (C&C) Traffic

Poseidon performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Poseidon.AB

Oracle Data Integrator Type Confusion Vulnerability (Mar 24, 2015)

Oracle Data Integrator is a platform for maintaining the data consistency throughout the system. It provides the integration in situations like high-volume, high-performance batch loads, to event-driven, trickle-feed integration processes, to SOA-enabled data services.

Trillium Software System provides third-party software that is integrated into Oracle Data Integrator, and Oracle Data Integrator installs various ActiveX controls provided by Trillium Software System on the target. An untrusted pointer dereference vulnerability exists in Oracle Data Integrator. The vulnerability is caused by a lack of validation of the value assigned to a parameter of the TSS12.LoaderWizard.lwctrl ActiveX control. Successful exploitation can lead to arbitrary code execution in the security context of the logged-in user; an unsuccessful attack may lead to abnormal termination of the browser.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 10824 Oracle DataPreview Type Confusion

Data stealing Trojan leaves no trace behind (Mar 27, 2015)

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan that leaves no trace behind after infection. This Trojan appears to be distributed through compromised legitimate websites. Upon successful execution and transmission of stolen data, this Trojan deletes itself and leaves no files and signs of infection on the victim’s machine.

Infection Cycle:

Upon execution the Trojan creates a copy of itself in the following location:

  • %TEMP%\winlog.exe [Detected as GAV: Kryptik.LOG (Trojan)]

The Trojan then makes a DNS query to the following domain:

  • nohostss.zapto.org

It then downloads an additional component.

Figure 1:Trojan downloading an encrypted file from pastebin.com

In order to start after reboot the malware makes a copy of itself in the following location:

  • %USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe [Detected as GAV: Kryptik.LOG (Trojan)]

This Trojan is capable of logging keystrokes and the list of running processes, which are written out to a file:

  • %TEMP%\winlog.exe.tmp (log file)

Figure 2:Sample of keystrokes logged

It then periodically sends out the information gathered to a remote server.

Figure 3:Trojan connecting to a remote host

Figure 4:Sample of data sent to a remote host which includes Computer name, Operating system and date

After a successful infection and data collection, the Trojan then deletes all copies of itself and all additional components from the victim’s machine and invokes a system shutdown.

Figure 5:Trojan shutting down the victim’s machine

Overall, this Trojan is capable of downloading additional malware onto the victim’s machine and sending sensitive information out to a remote server. This style of execution is not commonly used because the infection is not persistent; however, it is a good technique for bypassing antivirus detection. Cybercriminals can also use the stolen information to later deploy a more powerful persistent threat on the victim’s machine that will defeat its security defenses.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signatures:

  • GAV: Kryptik.LOG (Trojan)
  • IPS SID:2092 Kryptik.LOG Activity

Microsoft to Phase Out Internet Explorer (Mar 20, 2015)

This week Microsoft announced the plan to retire Internet Explorer. The replacement, code named “Spartan”, will ship with Windows 10. We would like to share Dell SonicWALL’s views from a security perspective.

Remember the days before Office 2007 was released, when the proprietary Office file formats were associated with many format-related vulnerabilities. Then Microsoft introduced new file formats called “Office Open XML”, and Office 2007 was the first version to support them. The new design of Office 2007, along with Office Open XML, significantly brought down the number of vulnerabilities related to Office file parsing, and we praise Microsoft for making this happen.

Over the past few years a lot of “Internet Explorer Memory Corruption” vulnerabilities have been discovered and patched. These vulnerabilities have led to many exploits, and Microsoft cannot get rid of them. If Microsoft really wants to address concerns with previous versions of the browser, they should build something from scratch (with security in mind) rather than just re-brand.

As with what Microsoft did for Office, we hope Microsoft makes the new browser as solid and as well integrated. Microsoft, please don’t let us down.

Upatre used for political spam campaign (Mar 19, 2015)

The Dell SonicWALL Threats Research team has observed a variant of the Upatre Trojan being used for political spam. In this case the Trojan is used for an anti-drone campaign, urging victims to stand up to the U.S. Government against the use of drones in war.

Infection Cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

Once infected, the Trojan causes the following PDF file to be displayed on the user’s desktop:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Temp\NltgLr.exe [Detected as GAV: Upatre.YYSH (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\OIgjpLdRXtPDrik.exe [Detected as GAV: Battdil.O (Trojan)]
  • %USERPROFILE%\Local Settings\Temp\temp15.pdf
  • %USERPROFILE%\Local Settings\Temp\tmpB0ED.txt (encrypted file)
  • %SYSTEM32%\config\systemprofile\Application Data\nr9bqe8cb6.dll (encrypted file)

The Trojan makes the following DNS queries:

  • straphael.org.uk
  • canabrake.com.mx
  • stun.schlund.de
  • docs233.com
  • smtp.docs233.com

The Trojan obtains the external IP address of the infected system from DynDNS and reports the infection to a remote webserver. It uses the Mazilla/5.0 user agent string that is typical of malware from this family:

It leaks information about the currently logged in user and the version of Windows running:

The Trojan downloads the PDF file to be displayed in encrypted form:
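The following is an added example, not part of the advisory, of turning the Mazilla/5.0 observation above into a detection that survives the next typo: rather than matching the literal string, it compares the product token of each User-Agent against the legitimate tokens by edit distance and flags near misses (a string one or two edits away from Mozilla/5.0 but not equal to it), which is a pattern of hand-written malware user agents in general, not only this family. The proxy log format, the legitimate-token list and the log lines are constructed for the example.

```python
import re

# Product tokens a real browser sends (constructed allow-list for the example).
LEGIT_TOKENS = ("Mozilla/5.0", "Mozilla/4.0")

# Constructed proxy log layout: <timestamp> <client ip> <method> <url> "<user agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), used to catch
    near-miss imitations of a legitimate token such as Mazilla/5.0."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_user_agent(ua: str) -> str:
    """Return 'ok' for a legitimate product token, 'near-miss' for a token
    within two edits of one, and 'unknown' for anything else."""
    token = ua.split(" ", 1)[0]  # product token, e.g. "Mozilla/5.0"
    if token in LEGIT_TOKENS:
        return "ok"
    if any(edit_distance(token, good) <= 2 for good in LEGIT_TOKENS):
        return "near-miss"
    return "unknown"


def scan_proxy_log(lines):
    """Return (client_ip, url, user_agent, verdict) for every line whose
    User-Agent is not a legitimate product token; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, ua = m.groups()
        verdict = classify_user_agent(ua)
        if verdict != "ok":
            hits.append((client, url, ua, verdict))
    return hits


# Constructed sample log lines (hosts are documentation names, not real C&C).
SAMPLE_LOG = [
    '2015-03-19T10:01:02Z 10.0.0.12 GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/36.0"',
    '2015-03-19T10:01:05Z 10.0.0.12 GET http://checkip.example/ "Mazilla/5.0"',
    '2015-03-19T10:01:09Z 10.0.0.12 POST http://report.example/in.php "Mazilla/5.0"',
    '2015-03-19T10:02:00Z 10.0.0.30 GET http://updates.example/ "python-requests/2.5"',
]

if __name__ == "__main__":
    for client, url, ua, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:9} {client:10} {ua!r:24} {url}")
```

Near-miss hits are the high-confidence ones (no legitimate client mis-spells its own name); the unknown bucket is a policy decision, since scripts and updaters legitimately use their own tokens, and is best reviewed per host rather than blocked outright.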

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Upatre.YYSH (Trojan)
  • GAV: Battdil.O (Trojan)

CryptoWall 3.0: Ransomware returns with I2P Network

The Dell SonicWALL Threats Research team has observed a CryptoWall bot family, detected as GAV: Cryptowall.K and Cryptowall.L, actively spreading in the wild. This is a new variant of the popular CryptoLocker ransomware, and it uses I2P (Invisible Internet Project) for C&C communications. I2P is an anonymity network similar to the Tor network.

This is the first CryptoWall variant that uses the I2P anonymity network to carry out communication between victims and attackers, keeping it away from security researchers and law enforcement.

Infection Cycle:

Md5: 6c3e6143ab699d6b78551d417c0a1a45, 47363b94cee907e2b8926c1be61150c7

The Malware adds the following files to the system:

  • C:\2c428424\2c428424.exe [Executable file]
  • %Appdata%\2c428424.exe [Executable file]
  • %Userdata%\Start Menu\Programs\Startup\2c428424.exe [Executable file]

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\2c42842
    • C:\2c428424\2c428424.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\2c428424
    • C:\Documents and Settings\Administrator\Application Data\2c428424.exe

The malware has SeDebugPrivilege enabled for thread injection and uses an injected Svchost.exe to set the %Appdata% value in the Windows registry; after a while it terminates its own process.

It also disables System Restore after a while.

CryptoWall encrypts the victim’s files with strong RSA 2048 encryption until the victim pays a fee to get them back. It demands the equivalent of US$500 in the Bitcoin virtual currency in order to hand over the decryption key that allows the victim to recover the files.

After the malware has encrypted all personal documents and files, it shows the following web page:

Command and Control (C&C) Traffic

CryptoWall communicates over the I2P anonymity network; requests to I2P domains are made on a regular basis. These requests look like the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cryptowall.K (Trojan)

  • GAV: Cryptowall.L (Trojan)

SonicWALL Application Control can prevent I2P tunnels on your network via the following signatures:

  • 5 Encrypted Key Exchange — Random Encryption (Skype,UltraSurf,Emule)
  • 7 Encrypted Key Exchange — UDP Random Encryption(UltraSurf)
  • 10817 I2P — HTTP Proxy Access 1 [Reqs SID 5 & 7]
  • 10817 I2P — HTTP Proxy Access 2 [Reqs SID 5 & 7]
  • 10817 I2P — HTTP Proxy Access 3 [Reqs SID 5 & 7]

Microsoft Security Bulletin Coverage (Mar 10, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March 2015. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS15-018 Cumulative Security Update for Internet Explorer (3032359)

  • CVE-2015-0032 VBScript Memory Corruption Vulnerability
    IPS: 10808 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 8”
  • CVE-2015-0072 Internet Explorer Elevation of Privilege Vulnerability
    IPS: 6288 “Internet Explorer Universal XSS 1”
  • CVE-2015-1627 Internet Explorer Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0056 Internet Explorer Memory Corruption Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0099 Internet Explorer Memory Corruption Vulnerability
    IPS: 10800 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 1”
  • CVE-2015-0100 Internet Explorer Memory Corruption Vulnerability
    IPS: 10801 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 2”
  • CVE-2015-1622 Internet Explorer Memory Corruption Vulnerability
    IPS: 10802 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 3”
  • CVE-2015-1623 Internet Explorer Memory Corruption Vulnerability
    IPS: 10803 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 4”
  • CVE-2015-1624 Internet Explorer Memory Corruption Vulnerability
    IPS: 10805 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 5”
  • CVE-2015-1625 Internet Explorer Memory Corruption Vulnerability
    IPS: 10806 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 6”
  • CVE-2015-1626 Internet Explorer Memory Corruption Vulnerability
    IPS: 7645 “HTTP Client Shellcode Exploit 11c”
  • CVE-2015-1634 Internet Explorer Memory Corruption Vulnerability
    IPS: 10807 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 7”

MS15-019 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3040297)

  • CVE-2015-0032 VBScript Memory Corruption Vulnerability
    IPS: 10808 “Internet Explorer Memory Corruption Vulnerability(MS15-018) 8”

MS15-020 Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (3041836)

  • CVE-2015-0081 WTS Remote Code Execution Vulnerability
    ASPY: 4858 “Malformed-File RTF.MP.1_2”
  • CVE-2015-0096 DLL Planting Remote Code Execution Vulnerability
    ASPY: 4863 “Malformed-File lnk.MP.1”

MS15-021 Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323)

  • CVE-2015-0074 Adobe Font Driver Denial of Service Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0087 Adobe Font Driver Information Disclosure Vulnerability
    ASPY: 4861 “Malformed-File pfm.MP.1”
  • CVE-2015-0089 Adobe Font Driver Information Disclosure Vulnerability
    ASPY: 4862 “Malformed-File otf.MP.10”
  • CVE-2015-0088 Adobe Font Driver Remote Code Execution Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0090 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0091 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0092 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”
  • CVE-2015-0093 Adobe Font Driver Remote Code Execution Vulnerability
    ASPY: 4864 “Malformed-File pfb.MP.1”

MS15-022 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)

  • CVE-2015-0085 Microsoft Office Component Use After Free Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-0086 Microsoft Office Memory Corruption Vulnerability
    GAV: 27233 “Malformed.rtf.TL.5”
  • CVE-2015-0097 Microsoft Word Local Zone Remote Code Execution Vulnerability
    ASPY: 4859 “Malformed-File wps.MP.2”
  • CVE-2015-1633 Microsoft SharePoint XSS Vulnerability
    IPS: 2087 “Cross-Site Scripting (XSS) Attack 47”
  • CVE-2015-1636 Microsoft SharePoint XSS Vulnerability
    IPS: 2088 “Cross-Site Scripting (XSS) Attack 48”

MS15-023 Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege (3034344)

  • CVE-2015-0077 Microsoft Windows Kernel Memory Disclosure Vulnerability
    ASPY: 4860 “Malformed-File exe.MP.9”
  • CVE-2015-0078 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0094 Microsoft Windows Kernel Memory Disclosure Vulnerability
    ASPY: 4865 “Malformed-File exe.MP.10”
  • CVE-2015-0095 Microsoft Windows Kernel Memory Disclosure Vulnerability
    This is a local vulnerability.

MS15-024 Vulnerability in PNG Processing Could Allow Information Disclosure (3035132)

  • CVE-2015-0080 Malformed PNG Parsing Information Disclosure Vulnerability
    ASPY: 4855 “Malformed-File png.MP.2”

MS15-025 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680)

  • CVE-2015-0073 Registry Virtualization Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-0075 Impersonation Level Check Elevation of Privilege Vulnerability
    There is no known exploit in the wild.

MS15-026 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)

  • CVE-2015-1628 OWA Modified Canary Parameter Cross Site Scripting Vulnerability
    IPS: 10804 “Microsoft Exchange Server OWA XSS 3”
  • CVE-2015-1629 ExchangeDLP Cross Site Scripting Vulnerability
    This is a local vulnerability.
  • CVE-2015-1630 Audit Report Cross Site Scripting Vulnerability
    This is a local vulnerability.
  • CVE-2015-1631 Exchange Forged Meeting Request Spoofing Vulnerability
    There is no known exploit in the wild.
  • CVE-2015-1632 Exchange Error Message Cross Site Scripting Vulnerability
    IPS: 6391 “Cross-Site Scripting (XSS) Attack 46”

MS15-027 Vulnerability in NETLOGON Could Allow Spoofing (3002657)

  • CVE-2015-0005 NETLOGON Spoofing Vulnerability
    There is no known exploit in the wild.

MS15-028 Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)

  • CVE-2015-0084 Task Scheduler Security Feature Bypass Vulnerability
    This is a local vulnerability.

MS15-029 Vulnerability in Windows Photo Decoder Component Could Allow Information Disclosure (3035126)

  • CVE-2015-0076 JPEG XR Parser Information Disclosure Vulnerability
    ASPY: 4856 “Malformed-File jxr.MP.1”

MS15-030 Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (3039976)

  • CVE-2015-0079 Remote Desktop Protocol (RDP) Denial of Service Vulnerability
    There is no known exploit in the wild.

MS15-031 Vulnerability in Schannel Could Allow Security Feature Bypass (3046049)

  • CVE-2015-1637 Schannel Security Feature Bypass Vulnerability
    IPS: 6366 “Client Hello with EXPORT Cipher Suites 1”
    IPS: 6412 “Client Hello with EXPORT Cipher Suites 2”
    IPS: 6428 “Server Hello with EXPORT Cipher Suite”

Parite.CBR a polymorphic virus which infects all portable EXE files

The Dell SonicWALL Threats Research team has observed reports of a Parite bot family, detected as GAV: Parite.CBR, actively spreading in the wild. This is a new variant of the well-known Parite, a polymorphic file-infecting virus that infects all portable executable (EXE) files found on local and shared network drives.

When Parite runs on a system it drops a dynamic link library (DLL) into the Windows Temp directory; the malware then injects the DLL into the Explorer.exe process and infects all executable files on the target machine.

Infection Cycle:

Md5: 8d5d796b04a39a81c5bb1a012416b7f9

The Malware uses the following icons:

The Malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\dyg3AC.tmp
    • MD5: 685F1CBD4AF30A1D0C25F252D399A666
  • C:\WINDOWS\Temp\tvg3AD.tmp
    • MD5: 685F1CBD4AF30A1D0C25F252D399A666
  • %Userprofile%\Local Settings\Temp\Hx3B.tmp
    • MD5: 9E7370CC3D6A43942433F85D0E2BBDD8
  • %Userprofile%\Local Settings\Temp\tmpD9.tmp
    • MD5: CABDA69821AA1D94A9B05C24224961A3
  • C:\WINDOWS\wigweu.exe [Service]

The malware adds the following randomly named keys to the Windows registry (as a service) to ensure persistence upon reboot:

The malware uses an injected Explorer.exe to infect all portable EXE files found on local and shared network drives; after some time it terminates and deletes its own process. Here is an example of an infected file:

Parite tries to enumerate open SMB ports on the LAN. When an SMB service is identified, the malware attempts to log in with user names and passwords from a predefined list, shown below:

If the malware successfully guesses the remote access credentials of an SMB system, it installs a copy of itself on the target network share, as the following files:

Command and Control (C&C) Traffic

Parite carries out C&C communication over ports 80, 445 and 8080. It sends requests to statically defined IPs/domains on a regular basis.

The malware sends SMB requests on the LAN to guess the remote access credentials of target systems; here is an example:

Parite uses the Tor anonymity network to carry out communication between victims and attackers, keeping it away from security researchers and law enforcement.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Parite.CBR ( Trojan )

Malicious trojan poses as JP Morgan Secure message (March 6, 2015)

The Dell SonicWALL research team recently encountered a malicious spam e-mail pretending to be a secure message from JP Morgan. The attachment contained in the email tries to steal information from the victim’s machine and send it to the C&C server.

Infection Cycle

The spam email tries to lure consumers to open the attachment which looks legitimate:


The file attached to the email pretends to be a PDF file, with a filename that poses as a secure document regarding the bank account. The real extension of the file is SCR, so if a user attempts to view it, it executes and infects the system.
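The following is an added example, not part of the advisory, of the check a mail gateway or attachment sandbox applies to the lure just described: look at what the bytes are (here a PE image, which EXE, DLL and SCR share) and at what the name claims, and block when the extension is one Windows will execute, when a document extension hides behind an executable one, or when the content type contradicts the extension. The attachment names and byte strings are constructed; the sample's real bytes are not on the page.

```python
import os

# Extensions Windows executes directly even when the name suggests a document.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Leading bytes ("magic") of common attachment types; first match wins.
MAGIC = [
    (b"MZ", "pe"),                   # Windows PE image: EXE, DLL and SCR alike
    (b"%PDF", "pdf"),
    (b"\x50\x4b\x03\x04", "zip"),    # also OOXML (.docx/.xlsx) containers
    (b"\xd0\xcf\x11\xe0", "ole2"),   # legacy binary Office documents
]

# What the content should sniff as, given the extension the name claims.
EXPECTED_KIND = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".doc": "ole2", ".xls": "ole2"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide allow/block for one attachment from its name and its bytes."""
    root, ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(root)  # catches "invoice.pdf.exe" style names
    kind = sniff(data)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"extension {ext} is executable")
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"document-looking double extension {inner_ext}{ext}")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows PE image but extension is {ext or '(none)'}")
    if ext in EXPECTED_KIND and kind != EXPECTED_KIND[ext]:
        reasons.append(f"extension {ext} but content sniffed as {kind}")
    return {
        "filename": filename,
        "extension": ext,
        "kind": kind,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed attachments: a PE stub standing in for the .scr lure, a real-looking
# PDF header, a double-extension lure, and a PE renamed to .pdf.
SAMPLE_ATTACHMENTS = {
    "JP Morgan Access - Secure.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "statement.pdf": b"%PDF-1.4\n%constructed\n",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "notes.pdf": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        r = triage_attachment(name, data)
        print(f"{r['verdict']:5} {name:32} kind={r['kind']:7} {'; '.join(r['reasons'])}")
```

The first rule alone (block executable extensions) would have stopped this particular lure; the content sniff is there for the day the same campaign ships the PE under a `.pdf` name inside an archive, which is why the decision uses both the name and the bytes rather than either on its own.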

The malware creates the following mutex on the system:

  • IESQMMUTEX_0_208

The malware copies itself into a different process and performs malicious activity:

The malware does the following changes to the registry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\marker_gjru_fbegrihlgm: “TRUE”
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ImagePath: “C:\WINDOWS\iPllSutjaoudhRW.exe”
HKLM\SYSTEM\ControlSet001\Services\googleupdate\DisplayName: “Google Update Service”
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ObjectName: “LocalSystem”
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: “C:\WINDOWS\iPllSutjaoudhRW.exe”
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: “Google Update Service”
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ObjectName: “LocalSystem”
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 01 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 30 2E BE 8F 83 58 D0 01 01 00 00 00 C0 A8 06 80 00 00 00 00 00 00 00 00
HKU\S-1-5-21-790525478-746137067-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\WC Zbetna Npprff – Frpher.fpe: 02 00 00 00 06 00 00 00 30 29 E2 5C 83 58 D0 01
HKU\S-1-5-21-790525478-746137067-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\JP Morgan Access – Secure.scr: “JP Morgan Access – Secure”
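The following is an added example, not part of the advisory, of the two things an analyst does with a registry listing like the one above: decode the UserAssist value name, which Windows stores ROT13-encoded and which here records the user launching the lure from the desktop, and assess the `googleupdate` service entry against a few heuristics (a vendor-styled display name whose image lives outside Program Files or system32, an executable dropped straight into the Windows directory, auto-start as LocalSystem). The excerpt below is constructed in the listing's own `<key>\<value name>: <data>` layout from the values shown on the page; the heuristics are the example's own and are not from the advisory.

```python
import codecs
import re

# Constructed excerpt, in the advisory's "<key>\<value name>: <data>" layout,
# limited to the values the heuristics below look at.
REGISTRY_DUMP = r"""
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\iPllSutjaoudhRW.exe"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ObjectName: "LocalSystem"
HKU\S-1-5-21-790525478-746137067-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\WC Zbetna Npprff - Frpher.fpe: 02 00 00 00 06 00 00 00
""".strip().splitlines()

SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\([^\\]+)$", re.I)

# Words that make a DisplayName look like it belongs to a well-known vendor.
VENDOR_WORDS = ("google", "microsoft", "adobe", "windows")


def parse_dump(lines):
    """Split each '<key path>: <data>' line at the last ': ' (data may be quoted)."""
    entries = []
    for line in lines:
        if ": " not in line:
            continue
        key, data = line.rsplit(": ", 1)
        entries.append((key, data.strip().strip('"')))
    return entries


def decode_userassist(key: str):
    """UserAssist value names are ROT13-encoded launch records; return the
    decoded name, or None for keys that are not UserAssist entries."""
    if "\\UserAssist\\" not in key or "\\Count\\" not in key:
        return None
    encoded = key.split("\\Count\\", 1)[1]
    return codecs.decode(encoded, "rot13")


def collect_services(entries):
    """Group service values as {service name: {value name: data}}."""
    services = {}
    for key, data in entries:
        m = SERVICE_RE.match(key)
        if m:
            services.setdefault(m.group(1).lower(), {})[m.group(2)] = data
    return services


def assess_service(name: str, values: dict) -> list:
    """Apply the heuristics described in the lead-in; return the findings."""
    image = values.get("ImagePath", "")
    display = values.get("DisplayName", "")
    findings = []
    trusted_dir = "program files" in image.lower() or "system32" in image.lower()
    if any(w in display.lower() for w in VENDOR_WORDS) and not trusted_dir:
        findings.append(f"{name}: vendor-styled DisplayName '{display}' but ImagePath {image} "
                        "is outside Program Files/system32")
    if re.match(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", image, re.I):
        findings.append(f"{name}: executable dropped directly in the Windows directory ({image})")
    if values.get("Start") == "0x00000002" and values.get("ObjectName", "").lower() == "localsystem":
        findings.append(f"{name}: auto-start service running as LocalSystem")
    return findings


def analyse(lines):
    """Return (decoded UserAssist names, service findings) for a listing."""
    entries = parse_dump(lines)
    launches = [d for d in (decode_userassist(k) for k, _ in entries) if d]
    findings = []
    for svc, values in collect_services(entries).items():
        findings.extend(assess_service(svc, values))
    return launches, findings


if __name__ == "__main__":
    launches, findings = analyse(REGISTRY_DUMP)
    for item in launches:
        print("UserAssist:", item)
    for f in findings:
        print("Finding:", f)
```

The decoded UserAssist record is the piece of evidence that ties the service install to a user action (the .scr was launched from the Administrator desktop), which is what distinguishes a phishing victim's machine from one compromised some other way.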

Command and Control (C&C) Traffic
The malware makes its initial POST request to a DynDNS domain.

The malware sends requests to certain domains on a regular basis. What is exchanged in these requests appears to be an ordinary PDF file, which the malware uses to encrypt and decrypt the communication.

Overall, the motive of this Trojan is to steal information from the victim’s system and send it to the C&C server. We urge our users to always be vigilant and cautious with any unsolicited email, especially if you are not certain of the source.

The Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Kryptik.D_12 (Trojan)