SonicWALL UTM Research team observed reports of a new Qbot Infostealer Trojan variant being spammed in the wild via e-mail. The e-mail pretends to contain pictures of the sender and lures the user into opening them. The attachment is an executable file (pic.exe) and leads to compromise of confidential information.

The e-mail message looks like below:

Most e-mail clients with default security settings will block the attachment by default as it is an executable file. However, if the user manages to open the attached file then it will perform following activities:

• Steals confidential information from victim machine including E-mail account credentials, Various website credentials, and confidential information stored in cookies. It stores the confidential information in encrypted format.
• Blocks Antivirus updates as well as Google updates on the victim machine
• Connects to a compromised domain going-wide.net and downloads newer variant of itself which was saved as:
  • (Temp)ky95.tmp.exe [Detected as GAV: Qbot.RP (Trojan)]
• Drops following files on the victim machine:
  • (WINDOWS)system32 a.dll
  • (WINDOWS)system32 d.dll
  • (WINDOWS)system32 kkkkkkk
  • (WINDOWS)system32 n.dll
  • (WINDOWS)system32 ntcore.dll
  • (WINDOWS)system32 o.dll
  • (WINDOWS)system32 p.dll
  • It patches the following system file:
    • (WINDOWS)system32ole32.dll
  • Sample request that it uses to send confidential system information:

    

  • Sample runtime activity log from infected system:

    

  SonicWALL Gateway AntiVirus provides protection against this Information stealing Trojan variant via GAV: Qbot.RP (Trojan) signature.

SonicWALL UTM Research team received reports of a new file infector active in the wild. This new virus infects PE files and uses its own random domain name generator to generate domain names. It then attempts to download and execute malicious files via these domains.

Last time we saw random domain name generation algorithm being used by Conficker Worm to download additional Malware.

Installation:

The virus drops a copy of itself on the system and runs it. It will also inject codes to running processes before dropping a batch file to delete itself.

The injected code generates random domains and tries to download and execute additional Malware. These generated domains are derived from a randomizing function computed from the current UTC system time and date using the Windows API GetSystemTime.

It generates 800 random domains per second until it successfully downloads a Malware from one of the domains.

Dropped Files

It drops a copy of itself at:

• {User}Application Data{random folder (4 Characters)}{random}.exe

In our environment, the virus copied itself as:

• {User}Application DataDyemvaiq.exe – GAV: Murofet.A (Virus)

Other dropped files:

• {User}Application DataKesakuaww.eve

Registry modification

It adds the following registry entry to ensure that the dropped copy of malware starts on every system reboot:

• Key: [HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun] Value: “{ABE1C0BF-B85A-7A2B-01C5-9CAEA05BDB43}”
  Data: “”{User}Application DataDyemvaiq.exe””

• It infects .exe files and uses cavity style of infection to insert malicious code. This allows the virus to infect files without increasing its file size.

Random Domain Name Generation

• Get the current System time and date (UTC Format)
• Compute based on timestamp to generate Ascii characters [a-z].
• Generate Domain Name from characters [a-z] not exceeding 16 characters.
• Uses one of the following top level domains to form the URL:
• .com
• .net
• .info
• .biz
• .org
• The generator does not include the seconds and milliseconds in the computation. This makes any infected machine synchronize up to the Minute to generate the same Domain Name.

URL Pattern:

http://{generated_domain}/forum/

Samples of Domain Names observed:

• eiw{REMOVED}gyoqzm.info
• opq{REMOVED}ghpnjux.biz
• njj{REMOVED}tekjpsib.net
• onu{REMOVED}xrtusnyl.org
• trk{REMOVED}xsvuml.com

Download Routine

Infected files attempt to download other malicious file from the generated URL and saves it in %TEMP% directory. It also validates the downloaded file first before executing it. Files downloaded by this virus are getting blocked as GAV: Conficker.gen (Worm)

Sample DNS requests:

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Murofet.A (Virus) and GAV: Conficker.gen (Worm)

SonicWALL UTM Research team observed a Facebook spam campaign involving a newer variant of Oficla Trojan in the last 3 days. The spam emails arrive with a zip archived attachment which contains the Oficla Trojan executable. The e-mail is drafted to appear as a Facebook password reset notification.

Campaign #1

Attachment: FacebookPassword.zip
Subject: Facebook password has been changed! ID444

Email Body:
————————
How to Avoid Moving Scams
Mass. woman pleads guilty in glass-eating scheme
————————

Campaign #2

Attachmentc: FaceBook_Password_Nr2829.zip
Subject: Your New Facebook password

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Campaign #3

Attachmentc: FaceBook_Password_Nr27477.zip
Subject: Facebook Password Reset Confirmation!

Email Body:
————————
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
————————

Sample email messages looks like:

The executable files inside the attachment looks like this:

If the user opens the malicious attachment then it performs following activities on the victim’s machine:

• Network Activity:
  • It connects to C&C server and receives commands

  

  • It donwloads file from URL specified in command
  • It send process information to remote C&C server

  

• File Activity:

  It creates the following files

  • %temp%4.tmp – Detected as GAV: Oficla.AFZ (Trojan)
  • %temp%5.tmp – Detected as GAV: Scar.CUQT (Trojan)
  • %windirsystem32bfky.ojo – Detected as GAV: Oficla.AFZ (Trojan)
  • %windirsystem32svrwsc.exe – Detected as GAV: Scar.CUQT (Trojan)
• Process Activity:
  • It injects itself into running svchost.exe process
• Registry Activity:
  • It creates HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSvrWsc: %windirsystem32svrwsc.exe ensuring infection on system restart
  • It modifies HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon with new value “Explorer.exe rundll32.exe bfky.ojo bwapp” ensuring malicious dll is loaded on system restart

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with GAV: Oficla.AHB (Trojan) signature. [517,120 hits recorded in last 3 days]

SonicWALL UTM Research team observed a new wave of Resume spam campaign starting at noon today. The e-mails contain a zip archive attached which contains the malicious executable file inside it. This is different from the FakeAV html campaign that we reported last week.

Resume spam campaign involves e-mails pretending to contain CV document attached with the e-mail. This spam theme was last used by Bredolab authors back in July, 2010. SonicWALL UTM Research team has received more than 20,000 e-mail copies from this spam campaign so far and it is still going on.

Some of the E-mail subjects we have seen in this campaign so far:

• The resume document is attached.
• I have attached the resume.
• Please find attached.
• Enclosed please find.
• Here’s that file that you wanted.
• Enclosed is my CV for your consideration. Thanks

Sample e-mail messages looks like:

The zip archive attachment contains a malicious executable file – cv.exe which is a new variant of FakeAV Downloader Trojan. Upon execution, it leads to the download and installation of FakeAV malware[Antivirus Safebrowser] on the victim machine and asks for payment.

It attempts to connect to multiple malicious domains to download malware executables and related configuration files:

• (REMOVED)lups.com/a/ad
• (REMOVED)hamed.org/any3/5-direct.ex
• (REMOVED)ndconvince.org/avt/avt_db
• (REMOVED)ort.com/customers/getbuild.php

The following files are dropped onto the victim machine:

• (User Favorites)_favdata.dat
• (User Temp)asd94.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
• (User Temp)asd95.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
• (User Temp)asd96.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
• (User Temp)asd97.tmp.exe [Detected as GAV: Conficker.gen (Worm)]
• (User Temp)eapp32hst.dll [Detected as GAV: ZPACK.GEN_187 (Trojan)]
• (User Temp)wscsvc32.exe [Detected as GAV: Conficker.gen (Worm)]
• (Program FilesAnViavt.db
• (Program FilesAnViavt.exe [Detected as GAV: Kryptik.AT_7 (Trojan)]
• (User Temp)dfrgsnapnt.exe [Detected as GAV: FraudLoad.XFUP (Trojan)]

If the user attempts to open any other legitimate executable file, the FakeAV malware will block the application launch and display a fake infection message as seen below for Calculator program:

As seen before in other FakeAV malware analysis, it subsequently starts scanning the system files and displays more fake infections prompting the user to purchase the application in order to clean up the infections.

SonicWALL Gateway AntiVirus provides protection against this FakeAV Downloader Trojan by GAV: Kryptik.AJD (Trojan) signature.

SonicWALL UTM Research team observed a high volume of FakeAV related e-mail spam campaign during the last two days. These e-mails arrive with a malicious HTML attachment and used different themes to lure users into opening the file. The HTML attachment will eventually redirect users to a FakeAV drive-by download web page.

SonicWALL UTM Research team has received more than 200,000 e-mail copies from this spam campaign so far and it is still going on.

The following are the email samples used in this campaign:

Sample #1
Subject: Employment letter for visa application
Attachment: jun wang letter.html
Email Body:
————————
Hi:

Thank you
————————

The e-mail message looks like below:

Sample #2
Subject: find a copy of the letter
Attachment: copy of the letter.html
Email Body:
————————
Hello

Thank you
————————

The e-mail message looks like below:

Sample #3
Subject: Invoice for Floor Replacement
Attachment: Invoice-Stocketon.html
Email Body:
————————
Hi,
Please see attached invoice for stockton floor project. Thanks!
————————

The e-mail message looks like below:

Malware Installation:

This instance of FakeAV spam wave used an HTML file attachment that redirects users to a FakeAV download page instead of the usual Trojan downloader we’ve seen before and covered in this previous SonicAlert

Once the user opens the HTML file attachment, it will redirect to this webpage-{hxxp://dark-[removed]in.com/x.html} with following message:

Soon after, the user will see a fake virus infection alert prompting to download a Microsoft Security Assessment Tool to fix the problem.

Regardless of the user input to the alert window, it will show the fake AV scanning seen below:

After it finishes scanning, it will show the message below to continue removing detected Viruses. At this point, the User’s computer is not yet infected but only made to believe so that the User will unknowingly continue to download and install the FakeAV.

If the user clicks on remove all button, it will prompt for the downloading of the FakeAV installer.

SonicWALL Gateway AntiVirus provided protection against these spammed FakeAV variants via following signatures:

• GAV: VBS.Drost1 (Trojan)- 14 million hits in last 48 hours
• GAV: Suspicious#fakeav_14 (Trojan) – 1,416 Hits