Data stealing trojan found in the wild (August 14, 2015)
The Dell SonicWALL Threats Research team has received reports of an information-stealing Trojan spreading in the wild. Besides stealing data from the infected system, it removes the system's recovery options so that an infection is harder to roll back.
Infection Cycle:
The Trojan creates the following mutex name:
- SHIMLIB_LOG_MUTEX
Its file properties describe it as an application, with a Chinese-language description, under the name Aspirate.
Upon execution, the Trojan drops a copy of itself at the following location:
- %Application Data%\sample.exe [Detected as GAV: Crowti.A_86 (Trojan)]
It places an autostart copy in the user's Startup folder:
- C:\Documents and Settings\Admin\Start Menu\Programs\Startup\sample.exe
To also survive a reboot when the Startup folder is cleaned, it registers a Run key in the current user's hive:
- %USER%\software\microsoft\windows\currentversion\run\[sample.exe] [Detected as GAV: Crowti.A_86 (Trojan)]
To make removal harder, it disables System Restore by setting the following value:
- HKLM\software\microsoft\windows nt\currentversion\systemrestore [DisableSR]
The Trojan executes the following commands. The svchost.exe line is an ordinary Windows service-host command line; the vssadmin and bcdedit commands delete all Volume Shadow Copies, disable the Windows Recovery Environment, and suppress the boot-failure recovery prompt, so the victim cannot roll the machine back to a pre-infection state. Note that Crowti is the name several vendors use for the CryptoWall ransomware family, and this combination of shadow-copy deletion and bcdedit tampering is characteristic of that family rather than of a plain information stealer.
- C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
- bcdedit /set {default} recoveryenabled No
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
It creates the following file in the user's Cookies folder, which it uses while collecting information from the system:
- %Admin%\Cookies\UIJNQI9V.txt
It tries to resolve and connect to the following domains:
- ip-address.es
- ii-tavi.net
- japaneselink.net
- everestmarketinggroup.com
- www.e-m-g.covoutevirtuelle.com
- skprints.com
- kmreich.com
- imanaging.info
- karateserbia.org
- closed.loopia.rs
- easbrain.com
- pinoyjokes.org
- bettercatch.com
It repeatedly sends the same request to these C&C servers. Once a server replies, it uploads the collected information to that server in encrypted form.
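The host and network indicators above (the recovery-tampering command lines, the Startup-folder and Run-key persistence, the DisableSR value, and the C&C domain list) are the pieces a responder would hunt for across endpoint telemetry. The script below is an added example, not SonicWALL's tooling or the Trojan's code: it matches a few constructed, pipe-delimited telemetry lines (timestamp, event type, detail) against those indicators and produces a verdict. The telemetry format, the SID in the sample Run-key path, and the category names are assumptions made for the example; the indicators themselves are the ones listed in this advisory.

```python
"""Triage constructed endpoint telemetry against the indicators in the advisory above.
Example code added for illustration; the log format and sample lines are constructed."""
import re
from dataclasses import dataclass

# Recovery-tampering command lines from the advisory. Matched case-insensitively on the
# command line so a bare "bcdedit", "VSSADMIN.EXE" or a full path all hit.
RECOVERY_TAMPERING = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\b", re.I),
     "shadow copies deleted (vssadmin Delete Shadows /All)"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
     "Windows Recovery Environment disabled (bcdedit recoveryenabled No)"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
     "boot-failure recovery prompt suppressed (bcdedit bootstatuspolicy ignoreallfailures)"),
]

# Persistence and anti-recovery artefacts. Registry events are expected as "<key>\<value>=<data>".
# "svchost.exe -k netsvcs" is deliberately NOT an indicator: it is a normal Windows command line.
PERSISTENCE = [
    (re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\sample\.exe=", re.I),
     "Run-key autostart for sample.exe"),
    (re.compile(r"\\start menu\\programs\\startup\\sample\.exe$", re.I),
     "Startup-folder copy of sample.exe"),
    (re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\systemrestore\\disablesr=1$", re.I),
     "System Restore disabled (DisableSR=1)"),
]

# C&C domains from the advisory; subdomains of these also match.
C2_DOMAINS = frozenset([
    "ip-address.es", "ii-tavi.net", "japaneselink.net", "everestmarketinggroup.com",
    "www.e-m-g.covoutevirtuelle.com", "skprints.com", "kmreich.com", "imanaging.info",
    "karateserbia.org", "closed.loopia.rs", "easbrain.com", "pinoyjokes.org", "bettercatch.com",
])


@dataclass(frozen=True)
class Hit:
    line_no: int
    category: str   # "recovery", "persistence" or "c2"
    indicator: str
    evidence: str


def is_c2_domain(name: str) -> bool:
    """True for a listed domain or any subdomain of one (trailing dot tolerated)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan(lines) -> list:
    """Return one Hit per indicator matched in the constructed 'ts|type|detail' telemetry."""
    hits = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            _ts, kind, detail = line.split("|", 2)
        except ValueError:
            continue  # malformed telemetry line: skip it rather than abort the triage
        if kind == "ProcessCreate":
            hits += [Hit(no, "recovery", desc, detail) for rx, desc in RECOVERY_TAMPERING if rx.search(detail)]
        elif kind in ("RegistrySetValue", "FileCreate"):
            hits += [Hit(no, "persistence", desc, detail) for rx, desc in PERSISTENCE if rx.search(detail)]
        elif kind == "DnsQuery" and is_c2_domain(detail):
            hits.append(Hit(no, "c2", "lookup of known C&C domain", detail))
    return hits


def verdict(hits) -> str:
    """'infected' needs all three indicator classes; any single class is only 'suspicious',
    since an administrator may legitimately run vssadmin or query one of these domains."""
    cats = {h.category for h in hits}
    if {"recovery", "persistence", "c2"} <= cats:
        return "infected"
    return "suspicious" if cats else "clean"


# Constructed telemetry resembling the infection cycle described above (not a real capture).
SAMPLE_TELEMETRY = r"""
2015-08-14T10:02:09|ProcessCreate|C:\Windows\system32\svchost.exe -k netsvcs
2015-08-14T10:02:10|FileCreate|C:\Documents and Settings\Admin\Start Menu\Programs\Startup\sample.exe
2015-08-14T10:02:10|RegistrySetValue|HKU\S-1-5-21-1111-2222-3333-1001\software\microsoft\windows\currentversion\run\sample.exe=%Application Data%\sample.exe
2015-08-14T10:02:11|RegistrySetValue|HKLM\software\microsoft\windows nt\currentversion\systemrestore\DisableSR=1
2015-08-14T10:02:11|ProcessCreate|C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
2015-08-14T10:02:12|ProcessCreate|bcdedit /set {default} recoveryenabled No
2015-08-14T10:02:12|ProcessCreate|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2015-08-14T10:02:15|DnsQuery|everestmarketinggroup.com
2015-08-14T10:02:15|DnsQuery|www.e-m-g.covoutevirtuelle.com
2015-08-14T10:02:16|DnsQuery|update.microsoft.com
2015-08-14T10:03:00|ProcessCreate|C:\Windows\system32\notepad.exe
"""

if __name__ == "__main__":
    found = scan(SAMPLE_TELEMETRY.strip().splitlines())
    for h in found:
        print(f"line {h.line_no:>2} [{h.category}] {h.indicator}: {h.evidence}")
    print("verdict:", verdict(found))
```

On the constructed sample this reports three recovery hits, three persistence hits and two C&C lookups, and the verdict is "infected"; the benign svchost, notepad and update.microsoft.com lines produce no hits. The three-class requirement in `verdict` is the design choice worth keeping when adapting this to real Sysmon or EDR data: any one of these indicators alone is too noisy to act on automatically.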
Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signature:
- GAV: Crowti.A_86 (Trojan)