Redosdru.V Malware that hides in encrypted DLL files to avoid detection by Firewalls (May 11, 2016)
The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Redosdru.V, actively spreading in the wild. This time the attackers used a dropper to download the original malware, which hides in encrypted DLL files to avoid detection by firewalls.
Infection Cycle:
MD5:
- 807db66fd414f3eb5e74e10fc4309ae3
The malware adds the following files to the system:
- Malware.exe
- C:\Program Files\AppPatch\Netsyst96.dll
- C:\Program Files\Microsoft Fduood\Fduzjyw.exe
The Trojan adds the following registry key and value to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Wsejti gzuaqwud = C:\Program Files\Microsoft Fduood\Fduzjyw.exe
Once the computer is compromised, the malware copies its own files to the AppPatch folder.
The malware tries to download the encrypted DLL file from its own C&C server at the following domain:
Here is an example of the encrypted DLL file:
Command and Control (C&C) Traffic
Redosdru.V communicates over ports 9925 and 60321. The malware sends your system information to its own C&C server in the following format; here is an example:
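To show how the persistence entry and the C&C ports above can be turned into a host and network triage check, here is an added example (not SonicWALL's code). The firewall log layout, the sample log lines and the sample Run-key export are constructed for the demonstration, and the backslash separators in the Windows paths are an assumption about the original layout.

```python
import re

# Indicators from the advisory above (constructed log/registry samples follow).
C2_PORTS = {9925, 60321}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_PATHS = {  # backslash separators are an assumption about the original layout
    r"C:\Program Files\AppPatch\Netsyst96.dll",
    r"C:\Program Files\Microsoft Fduood\Fduzjyw.exe",
}
# Assumed firewall log layout (hypothetical, not SonicWALL's real format):
#   "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp action=allow"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

def suspicious_connections(log_lines):
    """Return (src, dst, dport) for every connection to one of the advisory's C&C ports."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) in C2_PORTS:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits

def suspicious_run_values(run_values):
    """run_values maps Run-key value names to commands (e.g. parsed from `reg query`).
    Returns the entries whose command launches one of the dropped files."""
    wanted = {p.lower() for p in DROPPED_PATHS}
    return {name: cmd for name, cmd in run_values.items()
            if cmd.strip().strip('"').lower() in wanted}

# Constructed samples: one host beaconing on both ports, plus benign traffic.
SAMPLE_LOG = [
    "2016-05-11T10:00:01 src=10.0.0.5:49213 dst=203.0.113.7:9925 proto=tcp action=allow",
    "2016-05-11T10:00:02 src=10.0.0.8:49214 dst=198.51.100.2:443 proto=tcp action=allow",
    "2016-05-11T10:00:03 src=10.0.0.5:49215 dst=203.0.113.7:60321 proto=tcp action=allow",
    "malformed line with no fields",
]
SAMPLE_RUN = {
    "Wsejti gzuaqwud": r"C:\Program Files\Microsoft Fduood\Fduzjyw.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

def triage(log_lines, run_values):
    """Combine both checks into one report a responder can act on."""
    return {"c2_connections": suspicious_connections(log_lines),
            "persistence": suspicious_run_values(run_values),
            "run_key": RUN_KEY}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_RUN))
```

A real deployment would feed `suspicious_connections` from the firewall's connection export and `suspicious_run_values` from a parsed `reg query` of the Run key on the suspect host.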
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Redosdru.V (Trojan)