Heur.CFG A Malware Uses Encryption to Hide Its Intentions
The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Heur.CFG, actively spreading in the wild. This time the attacker encrypts the C&C data communication with its own ("self-signed") scheme, so that anti-virus programs inspecting the traffic never see the plaintext.
![](http://software.sonicwall.com/gav/Heur.CFG_files/image001.png)
Infection Cycle:
The Malware uses the following icon:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image002.png)
MD5:
- 9F5DF82346249748F6C4A2E681BC33D3
The malware adds the following value to the Windows registry so that it is launched again after every reboot:
- Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value: Armour = %Userprofile%\Malware.exe
![](http://software.sonicwall.com/gav/Heur.CFG_files/image003.png)
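A host-side triage script for the two indicators given above (the MD5 and the Run value), added here as an example; it is not SonicWall's code. It parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` prints, expands `%VAR%` references the way cmd.exe would, and flags any autorun value that either carries the IOC name `Armour` or launches an executable out of the user profile, which is where this family drops itself. The `reg query` output, the environment mapping and the file bytes in the block are constructed for the demo; on a live host you would feed it the real command output and the bytes of the suspect file.

```python
"""Heur.CFG host triage: Run-key persistence and dropped-file hash.

Added example, not SonicWall's code. Sample data below is constructed.
"""
import hashlib
import re

IOC_MD5 = "9f5df82346249748f6c4a2e681bc33d3"   # from the write-up
IOC_RUN_VALUE = "armour"                        # Run value name from the write-up

# Constructed sample of `reg query` output: one benign entry next to the
# persistence value this family installs.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Armour    REG_SZ    %Userprofile%\Malware.exe
"""

# Constructed environment for variable expansion (assumed victim profile path).
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\victim", "windir": r"C:\Windows"}

# `reg query` prints each value as: <indent>NAME    REG_TYPE    DATA
_ENTRY_RE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$"
)


def parse_reg_query(text):
    """Return (name, type, data) triples from `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def expand_windows_vars(path, env):
    """Expand %VAR% references case-insensitively, as cmd.exe does.

    Unknown variables are left untouched so the caller can still see them.
    """
    env_ci = {k.lower(): v for k, v in env.items()}
    return re.sub(
        r"%([^%]+)%",
        lambda m: env_ci.get(m.group(1).lower(), m.group(0)),
        path,
    )


def suspicious_run_entries(text, env):
    """Flag Run values matching the IOC name or launching from the user profile."""
    profile = env.get("USERPROFILE", "").lower()
    hits = []
    for name, _type, data in parse_reg_query(text):
        resolved = expand_windows_vars(data, env).lower()
        reasons = []
        if name.lower() == IOC_RUN_VALUE:
            reasons.append("value name matches the Heur.CFG IOC")
        if profile and resolved.startswith(profile + "\\") and resolved.endswith(".exe"):
            reasons.append("autorun executable lives in the user profile")
        if reasons:
            hits.append((name, data, reasons))
    return hits


def file_md5(data):
    """Hex MD5 of a file's bytes, for comparison against IOC_MD5."""
    return hashlib.md5(data).hexdigest()


def matches_ioc_hash(data):
    return file_md5(data) == IOC_MD5


if __name__ == "__main__":
    for name, data, reasons in suspicious_run_entries(SAMPLE_REG_QUERY, SAMPLE_ENV):
        print(f"SUSPICIOUS Run value {name!r} -> {data}: {'; '.join(reasons)}")
    # Constructed file content; a real sample would be read from disk.
    print("hash matches IOC:", matches_ioc_hash(b"constructed placeholder bytes"))
```

Matching on the value name alone is brittle (the attacker can rename it), which is why the second rule keys on where the autorun target resolves to; legitimate HKLM Run entries almost never point into a user profile.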
Once the computer is compromised, the malware starts to communicate with its own domains using the following format:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image004.png)
The malware tries to reach its C&C servers at IPs such as the following:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image005.png)
![](http://software.sonicwall.com/gav/Heur.CFG_files/image006.png)
The malware encrypts its C&C data communication with its own ("self-signed") scheme so that anti-virus programs cannot inspect the content; here is an example:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image007.png)
The malware also tries to download SWF (Adobe Flash) and executable files from the following domains:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image008.png)
Command and Control (C&C) Traffic
Heur.CFG performs C&C communication over ports 80, 3009 and 23466. The malware sends the victim's system information to its C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Heur.CFG_files/image009.png)
![](http://software.sonicwall.com/gav/Heur.CFG_files/image010.png)
![](http://software.sonicwall.com/gav/Heur.CFG_files/image011.png)
![](http://software.sonicwall.com/gav/Heur.CFG_files/image012.png)
![](http://software.sonicwall.com/gav/Heur.CFG_files/image013.png)
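A network-side check for the port pattern described above, added here as an example rather than taken from the write-up. Ports 3009 and 23466 are unusual enough to flag on their own; port 80 is not, so the script only flags port-80 flows to a peer that the same network also contacted on one of the odd ports. The conn.log lines are constructed (Zeek-style, with the field set trimmed), and the addresses in them are RFC 5737 documentation ranges, not the real C&C IPs from the screenshots.

```python
"""Heur.CFG C&C port check over Zeek-style conn.log lines.

Added example, not SonicWall's code. Log lines below are constructed.
"""

CNC_ODD_PORTS = {3009, 23466}   # non-standard C&C ports from the write-up
CNC_WEB_PORT = 80                # also used, but too common to flag alone

# Constructed conn.log excerpt: one host talks to two peers on the odd ports
# and to one of them on port 80 as well; a second host only browses HTTPS.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1400000001.1\t10.0.0.5\t49152\t203.0.113.10\t3009\ttcp
1400000002.2\t10.0.0.5\t49153\t203.0.113.10\t80\ttcp
1400000003.3\t10.0.0.5\t49154\t198.51.100.7\t80\ttcp
1400000004.4\t10.0.0.5\t49155\t203.0.113.20\t23466\ttcp
1400000005.5\t10.0.0.7\t49156\t198.51.100.9\t443\ttcp
"""


def parse_conn_log(text):
    """Parse a tab-separated Zeek log with a #fields header into dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def flag_cnc_flows(text):
    """Return (src, dst, port, reason) for flows matching the C&C pattern."""
    rows = parse_conn_log(text)
    # Pass 1: any peer reached on an odd port is a high-confidence C&C host.
    suspect_peers = {
        r["id.resp_h"] for r in rows if int(r["id.resp_p"]) in CNC_ODD_PORTS
    }
    # Pass 2: flag odd-port flows, and port-80 flows to those same peers.
    hits = []
    for r in rows:
        port = int(r["id.resp_p"])
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if port in CNC_ODD_PORTS:
            hits.append((src, dst, port, "non-standard C&C port"))
        elif port == CNC_WEB_PORT and dst in suspect_peers:
            hits.append((src, dst, port, "port 80 to a peer also seen on a C&C port"))
    return hits


def infected_hosts(text):
    """Internal hosts that produced at least one flagged flow."""
    return sorted({src for src, _dst, _port, _why in flag_cnc_flows(text)})


if __name__ == "__main__":
    for src, dst, port, why in flag_cnc_flows(SAMPLE_CONN_LOG):
        print(f"{src} -> {dst}:{port}  {why}")
    print("hosts to isolate:", infected_hosts(SAMPLE_CONN_LOG))
```

The two-pass correlation is what keeps the port-80 rule useful: the benign 198.51.100.7:80 flow in the sample stays unflagged because that peer never appears on 3009 or 23466.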
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Heur.CFG (Trojan)