Data stealing trojan posing as a PDF document (June 5, 2015)


The Dell SonicWall Threats Research team has received reports of a data stealing Trojan posing as a PDF document. Upon execution, the trojan downloads more malware onto the infected machine and also steals information from the system.

Infection Cycle:

The Trojan uses the following icon:

Figure 1: Trojan purports to be a PDF document

Upon looking at the properties, the trojan is described in Norwegian as “flash game KLP – pension, banking and insurance to municipalities, health authorities, businesses and their employees.”

Upon execution, Adobe throws the following error:

The Trojan creates a copy of itself in the following location:

  • %Application Data%sample.exe [Detected as GAV: Downloader.FAUT (Trojan)]

In order to start after reboot the malware makes a copy of itself in the following location:

  • %%USER%softwaremicrosoftwindowscurrentversionrun[b528c54d1cfbb1b9bc2e8ffca007591][Detected as GAV: Downloader.FAUT (Trojan)]

The trojan injects into the following processes:

  • C:WINDOWSexplorer.exe

It tries to connect to the following domains:


It periodically sends encrypted data to the remote C&C servers:

It downloads additional malware onto the victim’s machine, detected as GAV: Fiha.A_26 (Trojan)

The malware starts sending spams to the email addresses retrieved from its C&C server, here an example:

Overall, this Trojan is capable of downloading additional malware into the victim’s machine. It can also send sensitive information out to a remote server.We urge our users to always be vigilant and cautious with any unsolicited attachments specially if you are not certain of the source.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provides protection against this threat with the following signatures:

  • GAV:Downloader.FAUT (Trojan)
  • GAV:Fiha.A_26 (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.