The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Venik.RKT, actively spreading in the wild. This time the attackers perform DLL injection into Service Host (svchost.exe) to avoid detection by antivirus programs. Svchost.exe is a system process that hosts multiple Windows services.
![](http://software.sonicwall.com/gav/Venik.RKT_files/image001.png)
Infection Cycle:
The malware uses the following icon:
![](http://software.sonicwall.com/gav/Venik.RKT_files/image002.png)
MD5:
- 9ba2036234c6a043d1f55bb018be34ff
The malware adds the following files to the system:
- Malware.exe
- C:\WINDOWS\system32\ackypw.dll [Detected as GAV: Venik.RKT (Trojan)]
The malware adds the following keys to the Windows registry to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32
  - %SystemRoot%\System32\svchost.exe -k krnlsrvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32\Parameters
  - C:\WINDOWS\system32\ackypw.dll
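As an added defensive example (not part of the SonicWALL write-up), the Python audit below runs over a constructed registry snapshot that mirrors the persistence entries above: it flags svchost-hosted services whose `-k` group is not registered under the Svchost key, services that are not members of their group, and ServiceDll files absent from a baseline. It assumes the two listed values are the service's ImagePath and Parameters\ServiceDll (the standard value names, which the write-up omits); the group table and the baseline are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed registry snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<name>
# (ImagePath and Parameters\ServiceDll). The first entry mirrors the write-up's
# persistence keys; the other two are benign fillers for contrast.
SERVICES = {
    "WinjHrelpq32": {
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k krnlsrvc",
        "ServiceDll": r"C:\WINDOWS\system32\ackypw.dll",
    },
    "Dnscache": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
        "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll",
    },
    "Spooler": {  # not hosted by svchost.exe: must be skipped, not flagged
        "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
        "ServiceDll": None,
    },
}
# Constructed copy of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost:
# group name -> services permitted to load inside that svchost group.
SVCHOST_GROUPS: Dict[str, List[str]] = {
    "NetworkService": ["Dnscache", "NlaSvc"],
    "netsvcs": ["Schedule"],
}
# Constructed baseline of ServiceDll file names recorded from a clean build.
BASELINE_DLLS: Set[str] = {"dnsrslvr.dll", "nlasvc.dll", "schedsvc.dll"}

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def audit_svchost_services(services, groups, baseline) -> List[str]:
    """Return one finding per anomaly among services hosted by svchost.exe."""
    groups_lc = {g.lower(): {s.lower() for s in m} for g, m in groups.items()}
    baseline_lc = {d.lower() for d in baseline}
    findings: List[str] = []
    for name, vals in services.items():
        match = SVCHOST_RE.search(vals.get("ImagePath") or "")
        if not match:
            continue  # only svchost-hosted services load a ServiceDll
        group = match.group(1).lower()
        dll = vals.get("ServiceDll") or ""
        dll_base = dll.rsplit("\\", 1)[-1].lower()
        if group not in groups_lc:
            findings.append(f"{name}: svchost group '{group}' is not registered")
        elif name.lower() not in groups_lc[group]:
            findings.append(f"{name}: not a member of svchost group '{group}'")
        if dll_base not in baseline_lc:
            findings.append(f"{name}: ServiceDll '{dll}' is not in the baseline")
    return findings
```

On a live host the same two dictionaries can be filled from the keys named in the comments with the standard `winreg` module; a ServiceDll outside the baseline is a lead to verify (signature, hash, on-disk location), not a verdict.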
Once the computer is compromised, the malware copies its own DLL file to the System Root folder.
![](http://software.sonicwall.com/gav/Venik.RKT_files/image003.png)
The file ackypw.dll is dropped after the malware launches on the target system; the malware then uses DLL injection into svchost.exe to avoid detection by antivirus programs. Here is an example:
![](http://software.sonicwall.com/gav/Venik.RKT_files/image004.png)
The malware generates fake traffic towards the Baidu search engine, as shown below:
![](http://software.sonicwall.com/gav/Venik.RKT_files/image005.png)
Command and Control (C&C) Traffic
Venik.RKT performs C&C communication over port 8089. The malware sends the infected system's information to its C&C server in the following format; here is an example:
![](http://software.sonicwall.com/gav/Venik.RKT_files/image006.png)
![](http://software.sonicwall.com/gav/Venik.RKT_files/image007.png)
![](http://software.sonicwall.com/gav/Venik.RKT_files/image008.png)
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Venik.RKT (Trojan)