Info stealer module leaks process information (Oct 16th, 2015)

The Dell Sonicwall Threats Research team have discovered an info stealer Trojan that is possibly a module of a larger botnet crimeware system. The sample analysed here leaks information about the processes currently running on the system and contains functionality to capture desktop screenshots.

Infection cycle:

The Trojan uses the following icon to masquerade as a harmless PDF file:

The Trojan adds the following files to the filesystem:

  • %WINDIR%\ueubupb.hiv (encrypted file)
  • %WINDIR%\wyv.lta (encrypted file)

The Trojan periodically sends encrypted data to a remote webserver:

During analysis we were able to locate the routine used to encrypt the outgoing data:

It was discovered that the data being sent is a list of running processes on the system:
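The two host-based indicators above (the dropped files under %WINDIR%) and the periodic encrypted check-in described above can both be turned into simple defender checks. The following is an added example, not code from the advisory or from SonicWALL: it checks a Windows directory for the advisory's two file names, and it scans a constructed proxy log (the hosts, addresses and timestamps are invented for the example) for client/host pairs whose request intervals are nearly constant, which is the beaconing pattern a periodic sender produces. The log format, the host `upd.example` and the jitter threshold are assumptions of this example.

```python
import os
import statistics
from collections import defaultdict
from datetime import datetime

# Files the advisory says the Trojan drops, relative to %WINDIR%.
DROPPED_FILES = ("ueubupb.hiv", "wyv.lta")


def find_dropped_files(windir, exists=os.path.exists):
    """Return paths of the advisory-listed files that exist under windir.

    `exists` is injectable so the check can be exercised without a Windows host.
    """
    return [path for path in (os.path.join(windir, name) for name in DROPPED_FILES)
            if exists(path)]


# Constructed proxy log (not from the advisory): "<iso-time> <client> <method> <host> <bytes>".
# 10.0.0.5 POSTs to upd.example roughly every five minutes; everything else is ordinary browsing.
SAMPLE_LOG = """\
2015-10-16T10:00:00 10.0.0.5 POST upd.example 1432
2015-10-16T10:01:10 10.0.0.5 GET news.example 8812
2015-10-16T10:03:45 10.0.0.5 GET news.example 20410
2015-10-16T10:05:02 10.0.0.5 POST upd.example 1440
2015-10-16T10:09:58 10.0.0.5 POST upd.example 1437
2015-10-16T10:12:30 10.0.0.9 POST upd.example 1433
2015-10-16T10:15:01 10.0.0.5 POST upd.example 1441
2015-10-16T10:20:00 10.0.0.5 POST upd.example 1436
2015-10-16T10:31:00 10.0.0.5 GET news.example 5120
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, method, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(size)))
    return events


def beacon_candidates(events, min_hits=4, max_jitter=0.15):
    """Flag (client, host) pairs whose request intervals are nearly constant.

    Returns a list of (client, host, hits, mean_interval_s, jitter) tuples, where jitter is
    the coefficient of variation (stdev / mean) of the gaps between consecutive requests.
    A small jitter with enough hits is the signature of a timer-driven check-in rather than
    a person browsing.
    """
    by_pair = defaultdict(list)
    for ts, client, _method, host, _size in events:
        by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.stdev(gaps) / mean_gap if mean_gap else float("inf")
        if jitter <= max_jitter:
            flagged.append((client, host, len(stamps), mean_gap, jitter))
    return flagged


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print("possible beacon: %s -> %s, %d hits every %.0fs (jitter %.3f)" % hit)
    print("dropped files present:", find_dropped_files(os.environ.get("WINDIR", r"C:\Windows")))
```

On the constructed log only the 10.0.0.5 to upd.example pair is flagged: five POSTs about 300 seconds apart with jitter near 1%, while the news.example requests are too few and too irregular. The file check is a one-line confirmation of the advisory's indicators; the beacon check is the more general detection, since it does not depend on knowing the C2 host in advance.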

This Trojan is believed to be part of the Nymaim malware family.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Nymaim.AY (Trojan)