Wells Fargo Account Update Downloader Trojan (Mar 21, 2012)

SonicWALL UTM Research team observed a spam campaign targetting Wells Fargo users. The emails pretending to be from WellsFargo.com informs the recipient about a fake online transaction and asks the user to open the attached document for more details. The zipped attachment in the email contains a malicious Downloader Trojan.

A sample e-mail message from this campaign looks like:

Subject: Wells Fargo Checking Account Update

Attachment: WellsFargo--CheckingAccount-Status-Report-9YXPZ-March-2012.zip
contains WellsFargo--CheckingAccount-Status-Report-March-2012.exe

Message Body:
wellsfargo.com An update on your checking account activityHere is the update you requested for your Wells Fargo checking account XXXXXX0375. Balance SummaryEnding Balance:$4,672.21 Available Balance(as of Tue, 20 Mar 2012 15:19:37 +0100 ):$5,812.49 Deposits ONLINE TRANSFER REF #IBE7128074 FROM CHECKING XXXXXX9245 ON 01/22/12 $757.00 This information is accurate as of Tue, 20 Mar 2012 15:13:37 +0100. For the most current balance and more account details, open attached report and go to Account Activity Section for this account.If you have questions, Wells Fargo Online Customer Service is available 24 hours a day, 7 days a week. Call us at 1-800-956-4442 or sign on to send a secure email.wellsfargo.com | Fraud Information CenterNote about balances: Ending balance reflects transactions that have posted to your account and does not reflect pending deposits or withdrawals. The available balance is an indication of funds that are available to you today; however, it may not reflect all transactions that you may have initiated or authorized. Available Balance - This is the amount of money you have in your account that is available for withdrawal. It reflects the latest balance based on transactions posted to your account, including deposited funds, paid checks, withdrawals, and purchases made with your ATM Card or Debit Card. Please note that some transaction activity (such as outstanding checks and some Debit Card purchases) may take several days to post to your account and, therefore, may not be reflected in the available balance. Some deposits made in a store or ATM may not be immediately available for withdrawal or to cover other transactions. Please do not reply to this email directly. To ensure a prompt and secure response, sign on to email us. To modify or cancel your alerts, sign on, go to Messages & Alerts, and select Set Up/Modify Alerts.

If the user opens the malicious file, it performs following activities on the victim machine:

• Original process terminates after it starts a svchost.exe process and injects code into it.
• The injected process deletes the original file and drops a copy of original file to Windows System directory:
  
  • (SYSTEM32)C9E053BA24B5EF92B076.exe (Random 20 character Alphanumeric filename)

• Modifies WinLogon Registry to ensure that it runs on system reboot:
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon Userinit = "(System32)userinit.exe,(System32)C9E053BA24B5EF92B076.exe,"

• Drops Fake Trusteer Trojan at (Windows)RPService.exe and runs it as:
  • (Windows)RPService.exe --install

• Performs registry modifications:
  • HKLMSOFTWAREClasses.eze: "MyEze.1"
  • HKLMSOFTWAREClassesMyEze.1shellopencommand: "%SystemRoot%system32RPService.exe %0 %1 %2"
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRapportMgmtService.exeDebugger: "RPService.exe"
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRapportService.exeDebugger: "RPService.exe"
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRapportSetup-Full.exeDebugger: "RPXService.exe"
  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution OptionsRapportSetup.exeDebugger: "RPXService.exe"

• Drops a copy of itself at (Program Files)TrusteerRapportbinRapportService.exe
• Attempts to connect to fast-flux domains skironi.com, herdcave.ru and sends following requests:
  
  • GET /home/credit.php?id=(REMOVED)&stat=0
  • POST /paris.php
• Connects to a compromised site located in U.S., downloads additional malware executables to User Temp directory and runs it:

  Zeus Bot (zero AV detection at the time of writing this alert)

  • Downloads hotel(REMOVED)/francais/bk/aas.exe
  • It drops and runs a batch file (Temp)tmp61db87ea.bat to disable automatic windows update and windows security services.

    

  • It drops a copy of itself to (AppData)Udtakapotoza.exe and runs it
  • It drops and runs another batch file (Temp)tmp61db87ea.bat to delete the original file.

    

  Rootkit dropper

  • Downloads hotel(REMOVED)/francais/bk/umc.exe
  • Copies itself to User directory as (Documents and Settings)UserName2g9oda1c0l.exe
  • Creates registry entry to ensure that it runs on system reboot:
    • HKEY_USERSUserIDSoftwareMicrosoftWindowsCurrentVersionRun 2g9oda1c0l = "(Documents and Settings)UserName2g9oda1c0l.exe"

  • Attempts to connect to following domains using https:

    

  • Downloads a rootkit from one of the above servers using SSL and then goes dormant for 12 hours.

    
    

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: Trustezeb.A_7 (Trojan)
• GAV: FakeTruste.A (Trojan)
• GAV: Injector.DKFL (Trojan)
• GAV: MalAgent.LSS (Trojan)