Artemis.A, New InfoStealer in the Wild. (January 26, 2017)
The SonicWall Threats Research team has observed reports of a new InfoStealer family, detected as GAV: Artemis.A_43, actively spreading in the wild.
Artemis gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own C&C server.
Infection Cycle:
The malware adds the following files to the system:

- %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe
  Detected as GAV: Artemis.A_43 (Trojan)
- %Userprofile%\Local Settings\Temp\Trojan.exe
  Detected as GAV: Artemis.A_43 (Trojan)
- %Userprofile%\Local Settings\Temp\Trojan.exe.tmp
  Keylogger data captured by Trojan.exe
The malware adds the following values to the Windows registry to ensure that the Trojan runs during startup:

- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "%Userprofile%\Local Settings\Temp\Trojan.exe"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "%Userprofile%\Local Settings\Temp\Trojan.exe"
Once the computer is compromised, the malware copies its own executable files to the user profile folder.
The malware's goal is to collect as much data as possible: the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.
The malware retrieves a list of running processes and websites visited by the user and sends it, Base64-encoded, to its own C&C server.
The malware installs a keylogger on the target machine and saves the captured keystrokes into the Trojan.exe.tmp file; here is an example:
The malware gathers system data such as the following:

- COMPUTERNAME
- USERNAME
- Date
- Windows version
Command and Control (C&C) Traffic
Artemis performs C&C communication over port 1177.
The malware sends the collected computer information to its own C&C server in the following format; here is an example:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

- GAV: Artemis.A_43 (Trojan)
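As an added defender-side example (not code from the SonicWall post), the following Python checks constructed sample data for the three indicators described above: a Run-key value with a 32-hex name pointing into the user's Temp folder, outbound flows to port 1177, and a Base64-encoded beacon. The sample values, the firewall log format and the `key=value|...` layout inside the Base64 are assumptions; the advisory only states that the data is sent in Base64.

```python
import base64
import re
from typing import Dict, List, Tuple

# Persistence pattern from the advisory: a 32-hex Run-key value name whose
# command points at an executable under the user's Temp folder.
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
TEMP_DIR = "%userprofile%\\local settings\\temp\\"
C2_PORT = 1177  # port named in the advisory

def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs matching the Artemis persistence pattern."""
    flagged = []
    for name, command in run_values.items():
        path = command.strip().strip('"').lower()
        if HEX32.match(name) and path.startswith(TEMP_DIR) and path.endswith(".exe"):
            flagged.append((name, command))
    return flagged

def c2_flows(flow_lines: List[str]) -> List[str]:
    """Return log lines whose destination port is the C&C port (log format assumed)."""
    return [ln for ln in flow_lines
            if (m := re.search(r"dst=\S+:(\d+)\b", ln)) and int(m.group(1)) == C2_PORT]

def decode_beacon(payload: str) -> Dict[str, str]:
    """Decode a Base64 beacon into fields; the key=value|... layout is an assumption."""
    text = base64.b64decode(payload).decode("utf-8", errors="replace")
    fields = {}
    for item in text.split("|"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

# Constructed sample data (not captured from a real infection).
SAMPLE_RUN = {
    "5cd8f17f4086744065eb0992a09e05a2": '"%Userprofile%\\Local Settings\\Temp\\Trojan.exe"',
    "OneDrive": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background',
}
SAMPLE_FLOWS = [
    "src=10.0.0.5:51234 dst=203.0.113.7:1177 proto=tcp",
    "src=10.0.0.5:51235 dst=203.0.113.9:443 proto=tcp",
]
SAMPLE_BEACON = base64.b64encode(
    b"COMPUTERNAME=WS01|USERNAME=alice|Date=2017-01-26|Windows version=6.1").decode()
if __name__ == "__main__":
    print("run keys:", suspicious_run_entries(SAMPLE_RUN))
    print("c2 flows:", c2_flows(SAMPLE_FLOWS))
    print("beacon:", decode_beacon(SAMPLE_BEACON))
```

Pointing `suspicious_run_entries` at a real enumeration of the Run keys and `c2_flows` at an actual firewall export turns this into a quick triage check for the indicators in this post.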