Infostealer Trojan with Remote Access and Ransomware Capabilities Seen in the Wild


This week, the SonicWall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. The trojan can terminate applications, log keystrokes, open web pages, connect to a remote host, launch DDoS attacks and encrypt the victim's data.

Infection Cycle:

The malware arrives as a portable executable using the following file name and icon:


Figure 1: Filename and icon used by the trojan

Upon execution, it creates a copy of itself in the user's temp directory named csrss.exe, borrowing the name of the legitimate Client Server Runtime Subsystem process (the genuine csrss.exe runs only from %SystemRoot%\System32, never from a temp directory). It then spawns the legitimate Windows Task Scheduler tool, schtasks.exe, with a command that creates a scheduled task so that this copy runs periodically.


Figure 2: Scheduled task added

It also adds a Run key value in the HKU hive (the per-user hive; for the logged-on user this is the same key that appears under HKCU), named csrss and pointing at the temp copy:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe
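The two persistence mechanisms described above, plus the csrss.exe name masquerade, are simple to hunt for in endpoint telemetry. The following is an added example, not code from the SonicWall post: detection logic run over constructed event records shaped like Sysmon Event ID 1 (process create) and Event ID 13 (registry value set). The temp path, the user SID and the five-minute task interval in the sample events are assumptions; the post only says the task runs the copy "periodically".

```python
"""Detection logic for the persistence described above: a csrss.exe copy in
%temp%, a scheduled task created with schtasks.exe, and a Run key value.
Added example, not code from the SonicWall post. The event records below are
constructed to resemble Sysmon Event ID 1 and Event ID 13 data; the task
interval and the user SID are assumptions."""
import re
from typing import Dict, List

# Windows system binaries whose names malware borrows to blend in.
SYSTEM_IMAGE_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
# The only directories the genuine copies run from (lower-case, trailing backslash).
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Autostart key paths as they appear in a Sysmon TargetObject.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Locations a scheduled task or Run key value should never launch from.
SUSPECT_PATH_RE = re.compile(r"%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)

Event = Dict[str, object]


def image_name(path: str) -> str:
    """Bare file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[str]:
    """Flags system-named binaries outside System32 and schtasks /create to a temp path."""
    findings: List[str] = []
    image = str(ev["Image"])
    name = image_name(image)
    if name in SYSTEM_IMAGE_NAMES and not image.lower().startswith(LEGIT_SYSTEM_DIRS):
        findings.append(f"masquerade: {name} running from {image}")
    if name == "schtasks.exe":
        cmdline = str(ev.get("CommandLine", ""))
        if re.search(r"/create\b", cmdline, re.I) and SUSPECT_PATH_RE.search(cmdline):
            findings.append(f"scheduled task persistence to a temp path: {cmdline}")
    return findings


def check_registry(ev: Event) -> List[str]:
    """Flags Run/RunOnce values whose data points into a temp directory."""
    target, details = str(ev["TargetObject"]), str(ev.get("Details", ""))
    if RUN_KEY_RE.search(target) and SUSPECT_PATH_RE.search(details):
        return [f"Run key persistence: {target} = {details}"]
    return []


def scan(events: List[Event]) -> List[str]:
    """Runs the right check for each event type and returns all findings."""
    findings: List[str] = []
    for ev in events:
        if ev["EventID"] == 1:
            findings += check_process(ev)
        elif ev["EventID"] == 13:
            findings += check_registry(ev)
    return findings


TEMP = r"C:\Users\alice\AppData\Local\Temp"                  # constructed
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"        # constructed placeholder
SAMPLE_EVENTS: List[Event] = [
    # benign: the real csrss.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\csrss.exe",
     "CommandLine": r"%SystemRoot%\system32\csrss.exe"},
    # the dropped copy launching from the temp directory
    {"EventID": 1, "Image": TEMP + r"\csrss.exe", "CommandLine": TEMP + r"\csrss.exe"},
    # the scheduler command (the interval is assumed; the post only says "periodically")
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn csrss /tr "%temp%\csrss.exe" /f'},
    # the Run key value from the post, written under the user's HKU\<SID> hive
    {"EventID": 13,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\csrss",
     "Details": r"%temp%\csrss.exe"},
    # benign: a Run value pointing into System32
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Against the five constructed events the scan yields three findings (the masquerading copy, the schtasks command and the Run key value) and stays silent on the two benign records. The path allow-list for system-named binaries is the part worth keeping strict: a csrss.exe anywhere other than System32 or SysWOW64 is never legitimate, so that rule carries almost no false-positive cost.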

During runtime, it intermittently connects to a remote host.


Figure 3: Malware seen connecting to a remote host

It also creates a log file in the user's temp directory that records the captured keystrokes alongside the websites visited and the processes executed.


Figure 4: Log file with all the keystrokes logged during runtime

Further analysis shows that the trojan can encrypt files with AES, implemented through the .NET RijndaelManaged class (Rijndael at the class's default 128-bit block size is AES). Use of this class also marks the binary as a .NET assembly, which is useful to know when choosing a decompiler for further analysis.
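A quick triage check that follows from the RijndaelManaged observation above is to confirm the sample is a .NET assembly and list which .NET crypto type names it references. The following is an added example, not code from the SonicWall post: it parses the PE optional header for the CLR runtime header data directory and searches for a handful of System.Security.Cryptography names, which the .NET metadata stores as plain UTF-8 in the #Strings heap. The build_sample() helper constructs a minimal fake PE32 image so the example runs offline; it does not reproduce the real sample.

```python
"""Triage check for the RijndaelManaged observation above: does the sample have a
CLR runtime header (i.e. is it a .NET assembly), and which .NET crypto names does
it reference? Added example, not from the SonicWall post; build_sample() is a
constructed minimal PE32 image used only for offline testing."""
import struct
from typing import Dict, List, Union

# System.Security.Cryptography names a .NET file encryptor tends to pull in. They sit
# as plain UTF-8 in the #Strings metadata heap, so a byte search finds them in an
# unobfuscated assembly.
CRYPTO_MARKERS = [b"RijndaelManaged", b"AesManaged", b"AesCryptoServiceProvider",
                  b"CryptoStream", b"Rfc2898DeriveBytes", b"CreateEncryptor"]

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory index of the CLR runtime header


def clr_header_rva(data: bytes) -> int:
    """RVA of the CLR runtime header, or 0 if the file is not a PE or has no CLR header."""
    try:
        if data[:2] != b"MZ":
            return 0
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return 0
        opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                         # PE32
            count_off, dir_base = opt + 92, opt + 96
        elif magic == 0x20B:                       # PE32+
            count_off, dir_base = opt + 108, opt + 112
        else:
            return 0
        n_dirs = struct.unpack_from("<I", data, count_off)[0]   # NumberOfRvaAndSizes
        if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            return 0
        rva, size = struct.unpack_from(
            "<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        return rva if size else 0
    except struct.error:                           # header truncated
        return 0


def dotnet_crypto_indicators(data: bytes) -> Dict[str, Union[bool, List[str]]]:
    """Summary used during triage: .NET or not, and which crypto names are present."""
    return {"is_dotnet": clr_header_rva(data) != 0,
            "crypto_refs": sorted(m.decode() for m in CRYPTO_MARKERS if m in data)}


def build_sample(dotnet: bool) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header, optional
    header with 16 data directories, and for the .NET variant a CLR directory entry plus
    the metadata strings a RijndaelManaged user would carry. Not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)              # e_lfanew = 0x80
    dos += b"\0" * (0x80 - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # magic .. NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 72)  # RVA/size of IMAGE_COR20_HEADER (assumed)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    body = b"RijndaelManaged\0CryptoStream\0" if dotnet else b"plain native code\0"
    return dos + coff + opt + body


if __name__ == "__main__":
    print(dotnet_crypto_indicators(build_sample(True)))
    print(dotnet_crypto_indicators(build_sample(False)))
```

To use it on a real file, pass the file's bytes to dotnet_crypto_indicators(). The CLR header check is reliable regardless of obfuscation, but the string search is not: .NET obfuscators rename or encrypt metadata strings, so an empty crypto_refs list does not rule out encryption code. When RijndaelManaged is in use, note that the key and IV recovered from a .NET binary work with any standard AES implementation, since a 128-bit block size makes Rijndael and AES identical.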


Figure 5: AES encryption function inside this trojan

It can also open and close arbitrary web pages, shut down, log off or restart the machine, run PowerShell commands, and launch a DDoS attack.


Figure 6: All the other malicious functionalities available within this trojan

This trojan also has the ability to capture screenshots of the victim’s machine.


Figure 7: Screen capturing functionality within the trojan

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Malagent.XCL(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.