New variant of Atros InfoStealer actively spreading in the wild. (Mar 24, 2017)


The Sonicwall Threats Research team observed reports of a new variant of Atros InfoStealer actively spreading in the wild.

Atros malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%Application Dataoougw.exe

  • %Userprofile%Local SettingsApplication DataGDIPFONTCACHEV1.DAT

  • %Userprofile%All UsersApplication Data[ Computer Name ][ Date ].jpg [ Computer Screen Shot ]

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

  • HKLMSoftwareMicrosoftWindowsCurrentVersionRuncd482369-09b5-4f6f-929d-87c40c6be1bc

    • “%Userprofile%Application Dataoougw.exe”

Once the computer is compromised, the malware copies its own Executable files to Userprofile folder.

The malware’s goal is to collect as much data as possible; attacker’s profit based on the level of user information that is collected. Thereby more information collected leads to higher profits.

The malware also performs key logging, takes screen shots, and steals clipboard data from target user.

The Malware installs key Logger on the target machine and extracts passwords from the following web browsers:

  • Chrome

  • Firefox

  • Internet Explorer

  • Opera

  • Safari

The Malware saves data into Browsers.txt file and transfers to its own C&C server.

Command and Control (C&C) Traffic

Atros performs C&C communication over 80 port.

The malware sends your Computer information to its own C&C server via following format, here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.A_986 (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.