This week, the SonicWall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. This trojan is capable of terminating applications, logging keystrokes, opening web pages, connecting to a remote host, executing DDoS attacks and encrypting the victim’s data.
The malware arrives as a portable executable using the following file name and icon:
Figure 1: Filename and icon used by the trojan
Upon execution, it creates a copy of itself in the user’s temp directory named csrss.exe (the name of a legitimate Windows process, which normally runs only from %SystemRoot%\System32). It then spawns the legitimate Windows Task Scheduler and runs a schtasks command to ensure that this copy runs periodically.
Figure 2: Scheduled task added
It also adds a run key in the HKU hive:
- HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe
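The two persistence mechanisms above (a scheduled task and a Run value, both pointing at a csrss.exe copy in %temp%) leave artifacts that a defender can hunt for directly. The following PowerShell script is an added example written for this write-up, not SonicWall’s code and not part of the original post. It walks every loaded user hive under HKEY_USERS plus HKLM for Run values referencing csrss.exe outside System32, checks scheduled task actions for the same, and looks for the dropped copy in the current user’s temp directory. The task name used by the sample is not stated in the advisory, so the script matches on the executable rather than on a task name; it is read-only and makes no changes.

```powershell
# Added detection example (not SonicWall's code). Hunts for the persistence
# artifacts described in the advisory: a Run value pointing at csrss.exe in a
# temp directory, and a scheduled task launching csrss.exe from outside
# %SystemRoot%\System32 (the only legitimate location for csrss.exe).
# Run from an elevated PowerShell session so all loaded user hives are readable.

$findings = @()
$legit    = Join-Path $env:SystemRoot 'System32\csrss.exe'
$legitRx  = [regex]::Escape($legit)

# 1. Run keys: HKLM plus every loaded user hive under HKEY_USERS
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys  = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip provider metadata (PSPath, PSChildName, ...)
        $val = [string]$p.Value
        # Flag any csrss.exe reference that is not the System32 binary
        if ($val -match '(?i)csrss\.exe' -and $val -notmatch $legitRx) {
            $findings += [pscustomobject]@{
                Type = 'RunKey'; Location = $key; Name = $p.Name; Value = $val
            }
        }
    }
}

# 2. Scheduled tasks whose action executes csrss.exe from anywhere but System32
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match '(?i)csrss\.exe' -and $cmd -notmatch $legitRx) {
            $findings += [pscustomobject]@{
                Type = 'ScheduledTask'; Location = $task.TaskPath; Name = $task.TaskName; Value = $cmd
            }
        }
    }
}

# 3. The dropped copy itself in the current user's temp directory
Get-ChildItem -Path $env:TEMP -Filter 'csrss.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type     = 'File'
        Location = $_.DirectoryName
        Name     = $_.Name
        Value    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    'No csrss.exe persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit is worth investigating: Windows never registers csrss.exe as a Run value or scheduled task, and the real binary never lives in a temp directory. The SHA256 of a found file can be compared against the GAV signature hit or submitted to Capture ATP for confirmation.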
During runtime, it intermittently connects to a remote host.
Figure 3: Malware seen connecting to a remote host
It also creates a log file in the user’s temp directory, which appears to be keystrokes of websites visited and processes executed.
Figure 4: Log file with all the keystrokes logged during runtime
Upon further analysis, this trojan appears to be capable of encrypting files with AES via the .NET RijndaelManaged class.
Figure 5: AES encryption function inside this trojan
It also has the ability to open and close arbitrary web pages, shut down, log off or restart the machine, run PowerShell commands, and start a DDoS attack.
Figure 6: All the other malicious functionalities available within this trojan
This trojan also has the ability to capture screenshots of the victim’s machine.
Figure 7: Screen capturing functionality within the trojan
SonicWall Capture Labs provides protection against this threat via the following signature:
• GAV: Malagent.XCL(Trojan)
This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.