Serbbu.RAC: Malware that enables the Remote Access Service on the target system.
The Dell SonicWALL Threats Research team observed reports of a malware family named GAV: Serbbu.RAC actively spreading in the wild. In this case, after infection the attacker enables the Remote Access Service feature to obtain remote access to the target system.
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image001.png)
Infection Cycle:
The malware uses the following icon:
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image002.png)
MD5:
- 743b8278efc6da0c35c138ac74c37516
Once the computer is compromised, the malware starts communicating with its own domain, as in the following example:
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image003.png)
The malware tries to activate the Guest user account in the local group so that the attackers can easily gain access to your network later.
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image004.png)
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image005.png)
The malware installs a keylogger on the target machine and also extracts valuable information, such as in the following examples:
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image006.png)
The malware extracts phone numbers, device type and CPU information from the target system.
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image007.png)
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image008.png)
Once the malware has collected that information, it uses self-signed encryption for its C&C data communication to avoid detection by anti-virus programs; here is an example:
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image009.png)
Command and Control (C&C) Traffic
Serbbu.RAC performs C&C communication over port 7777. The malware sends the collected system information to its own C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image010.png)
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image011.png)
![](http://software.sonicwall.com/gav/Serbbu.RAC_files/image012.png)
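As an added defender-side example (written for this page, not SonicWALL's code), the following Python scans log records for two of the indicators described above: the Guest account being enabled (Windows Security event ID 4722, "A user account was enabled") and allowed outbound TCP connections to port 7777. The key=value record format, hostnames, IP addresses and timestamps are all constructed for the example; a real deployment would read the equivalent fields from the Security event log and from firewall or flow logs.

```python
"""Added detection example (not SonicWALL's code).

Two indicators from the advisory are checked over constructed log records:
the built-in Guest account being enabled (Windows Security event ID 4722,
"A user account was enabled") and outbound TCP traffic to port 7777, the
C&C port named in the advisory. Records use a simplified, hypothetical
key=value export format chosen for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

C2_PORT = 7777  # C&C port stated in the advisory

# Constructed sample records; hostnames, IPs and timestamps are invented.
SAMPLE_EVENTS = [
    "ts=2015-03-01T10:00:01 host=WS01 src=security event_id=4722 target=Guest subject=SYSTEM",
    "ts=2015-03-01T10:00:02 host=WS02 src=security event_id=4624 target=alice subject=alice",
    "ts=2015-03-01T10:00:05 host=WS01 src=firewall proto=tcp dst_ip=198.51.100.7 dst_port=7777 action=allow",
    "ts=2015-03-01T10:00:06 host=WS02 src=firewall proto=tcp dst_ip=198.51.100.9 dst_port=443 action=allow",
    "ts=2015-03-01T10:00:07 host=WS03 src=firewall proto=tcp dst_ip=198.51.100.4 dst_port=7777 action=allow",
    "ts=2015-03-01T10:00:08 host=WS02 src=security event_id=4722 target=svc_backup subject=admin",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: str
    detail: str


def parse_event(line):
    """Turn one key=value record into a dict (unknown keys are kept as-is)."""
    return dict(KV_RE.findall(line))


def is_guest_enabled(ev):
    """Security event 4722 whose target is the built-in Guest account."""
    return (ev.get("src") == "security"
            and ev.get("event_id") == "4722"
            and ev.get("target", "").lower() == "guest")


def is_c2_port_traffic(ev):
    """Allowed outbound TCP connection to the advisory's C&C port."""
    return (ev.get("src") == "firewall"
            and ev.get("proto") == "tcp"
            and ev.get("dst_port") == str(C2_PORT))


RULES = (
    ("guest_account_enabled", is_guest_enabled),
    ("outbound_tcp_7777", is_c2_port_traffic),
)


def scan(lines):
    """Apply every rule to every record and return the alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, matches in RULES:
            if matches(ev):
                # Account name for security events, destination IP for firewall events.
                detail = ev.get("target") or ev.get("dst_ip", "")
                alerts.append(Alert(name, ev.get("host", "?"), ev.get("ts", ""), detail))
    return alerts


def correlate(alerts):
    """Map each host to the set of rule names it triggered."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.host].add(a.rule)
    return dict(by_host)


def high_confidence_hosts(alerts):
    """Hosts on which every rule fired; both indicators together are the strong signal."""
    all_rules = {name for name, _ in RULES}
    return sorted(h for h, rules in correlate(alerts).items() if rules == all_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.rule} {a.detail}")
    print("high-confidence hosts:", high_confidence_hosts(found))
```

The per-host correlation is the part worth keeping: port 7777 is also used by legitimate software and the Guest account may be enabled by an administrator, so a single rule hit is a triage item, while a host that shows both indicators within a short window deserves an immediate look. Pair these checks with the gateway signature below rather than relying on either alone.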
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Serbbu.RAC (Trojan)