Info stealer module leaks process information (Oct 16th, 2015)
The Dell SonicWALL Threats Research team has discovered an info stealer Trojan that is possibly a module of a larger botnet crimeware system. The sample analysed here leaks information about the processes currently running on the system and contains functionality to capture desktop screenshots.
Infection cycle:
The Trojan uses the following icon to masquerade as a harmless PDF file:
The Trojan adds the following files to the filesystem:
- %WINDIR%\ueubupb.hiv (encrypted file)
- %WINDIR%\wyv.lta (encrypted file)
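As an added triage example (not code from the original advisory or from SonicWALL), the following Python script checks a host for the two dropped files listed above and, because both are described as encrypted, measures the Shannon entropy of any it finds. The 7.5 bits-per-byte threshold, the function names and the fallback path are assumptions of this example, not values from the advisory.

```python
import math
import os
from pathlib import Path

# File names the advisory lists as dropped under %WINDIR% (both described as encrypted).
NYMAIM_DROPPED_FILES = ("ueubupb.hiv", "wyv.lta")

# Entropy (bits per byte) at or above which a file is treated as encrypted/compressed.
# 7.5 is an assumed triage threshold for this example, not a value from the advisory.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_windir(windir: str) -> list:
    """Look for the dropped files under windir and report on each one.

    Returns one record per listed name: whether it exists and, if so, its size,
    entropy and whether the entropy is consistent with encrypted content.
    """
    results = []
    for name in NYMAIM_DROPPED_FILES:
        path = Path(windir) / name
        record = {"name": name, "found": path.is_file()}
        if record["found"]:
            data = path.read_bytes()
            ent = shannon_entropy(data)
            record.update(
                size=len(data),
                entropy=round(ent, 3),
                looks_encrypted=ent >= HIGH_ENTROPY_THRESHOLD,
            )
        results.append(record)
    return results


def host_matches(windir: str) -> bool:
    """True if at least one of the listed dropped files is present under windir."""
    return any(r["found"] for r in scan_windir(windir))


if __name__ == "__main__":
    # On a Windows host %WINDIR% is set; the fallback is an assumed default path.
    target = os.environ.get("WINDIR", r"C:\Windows")
    for r in scan_windir(target):
        print(r)
    print("IOC match:", host_matches(target))
```

The file names alone are a weak indicator (they may be randomised per build), so the entropy reading is there to raise confidence: a plaintext configuration file will score well below 7.5 bits per byte, while encrypted or compressed content scores close to 8.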
The Trojan periodically sends encrypted data to a remote webserver:
During analysis we were able to locate the routine used to encrypt the outgoing data:
It was discovered that the data being sent is a list of running processes on the system:
This Trojan is believed to be part of the Nymaim malware family.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Nymaim.AY (Trojan)