Malicious trojan poses as JP Morgan Secure message (March 6, 2015)

The Dell SonicWall research team recently encountered a malicious spam e-mail pretending to be a secure message from JP Morgan. The attachment contained in the email tries to steal information from the victim's machine and send it to the C&C server.

Infection Cycle

The spam email tries to lure the recipient into opening an attachment that looks legitimate.


The file attached to the email is disguised as a PDF, with a filename suggesting a secure document about the recipient's bank account. Its real extension is SCR (a Windows screensaver, which is an executable); if a user attempts to view it, it runs and infects the system.

The malware creates the following mutex on the system:

  • IESQMMUTEX_0_208

The malware copies itself into a different process (process injection) and performs its malicious activity from there.

The malware makes the following changes to the registry (path separators restored below):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\marker_gjru_fbegrihlgm: "TRUE"
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ImagePath: "C:\WINDOWS\iPllSutjaoudhRW.exe"
HKLM\SYSTEM\ControlSet001\Services\googleupdate\DisplayName: "Google Update Service"
HKLM\SYSTEM\ControlSet001\Services\googleupdate\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\googleupdate\Security\Security: 01 00 14 80 90 00 00 00 9C 00
00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00
00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00
00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01
02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00
00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\iPllSutjaoudhRW.exe"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00
00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00
00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00
18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00
00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00
01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 01
00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00
01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 30 2E BE 8F 83 58 D0 01 01 00 00 00 C0 A8 06 80 00 00 00 00 00 00 00 00
HKU\S-1-5-21-790525478-746137067-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\WC Zbetna Npprff – Frpher.fpe: 02 00 00 00 06 00 00 00 30 29 E2 5C 83 58 D0 01
HKU\S-1-5-21-790525478-746137067-839522115-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\JP Morgan Access – Secure.scr: "JP Morgan Access – Secure"
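The UserAssist entry above is the forensic record of the .scr being launched: the value name is ROT13-encoded and the 16-byte data (Windows XP layout) holds a session id, a run counter that XP starts at 5, and a FILETIME of the last execution. The following Python is an added example, not code from the original write-up; it decodes that entry and applies a simple screensaver-location heuristic (the heuristic and the helper names are this example's own, not something the report describes).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist value taken from the report's registry listing (Windows XP layout),
# with the path separators restored. The value name is ROT13-encoded.
SAMPLE_VALUE_NAME = (
    "HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\"
    "WC Zbetna Npprff \u2013 Frpher.fpe"
)
SAMPLE_VALUE_DATA = bytes.fromhex("02000000060000003029E25C8358D001")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # XP/2003 start the UEME_RUNPATH counter at 5


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_xp(value_name: str, data: bytes) -> dict:
    """Decode one XP-format UserAssist\\Count value.

    Data layout: <session:u32><count:u32><last_run:FILETIME>, all little-endian.
    """
    if len(data) != 16:
        raise ValueError(f"expected 16-byte XP UserAssist value, got {len(data)} bytes")
    name = codecs.decode(value_name, "rot13")
    session, count, filetime = struct.unpack("<IIQ", data)
    entry_type, _, path = name.partition(":")
    runs = count - XP_COUNT_OFFSET if entry_type == "UEME_RUNPATH" else count
    return {
        "type": entry_type,
        "path": path,
        "session": session,
        "run_count": max(runs, 0),
        "last_run_utc": filetime_to_datetime(filetime).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def is_suspicious_screensaver(path: str) -> bool:
    """Heuristic (this example's own): a .scr launched from outside %SystemRoot%,
    where real screensavers live, deserves a closer look, as in this campaign."""
    lowered = path.lower()
    return lowered.endswith(".scr") and "\\windows\\" not in lowered


if __name__ == "__main__":
    entry = decode_userassist_xp(SAMPLE_VALUE_NAME, SAMPLE_VALUE_DATA)
    print(entry, "suspicious:", is_suspicious_screensaver(entry["path"]))
```

On this sample the decoded path is the desktop .scr from the MUICache entry, run once, at 2015-03-07T03:04:01Z, which lines up with the analysis date of the report.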

Command and Control (C&C) Traffic
The malware makes its initial POST request to a DynDNS domain.

The malware then sends requests to certain domains at regular intervals. The exchanged content appears to be an ordinary PDF file, which the malware uses to encrypt and decrypt its communication.

Overall, the motive of this Trojan is to steal information from the victim's system and send it to the C&C server. We urge our users to always be vigilant and cautious with any unsolicited email, especially if you are not certain of the source.

The Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Kryptik.D_12 (Trojan)