Infostealer Trojan with Bitcoin mining and DDoS features (May 30, 2013)

The Dell SonicWALL Threats Research team came across a new Infostealer Trojan with Bitcoin mining and DDoS capabilities. This Trojan steals sensitive information from the user machine and uses the compromised system for Bitcoin mining activity as well as DDoS attacks.

Infection Cycle:

Upon execution, the Trojan creates the following files on the victim machine:

• %Program Files%Common FilesNT Kernal0txklyboag.exe
• %APPDATA%WinDefendersTTmacromedia.exe
• %APPDATA%WinDefendersTTshell.exe
• %APPDATA%WinDefenderstusft_ext.exe.vbs
• %USERPROFILE%Start MenuProgramsStartupSkype.lnk

It adds the following registry key to ensure infection upon reboot:

• HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunNT Kernal & System: "%Program Files%Common FilesNT Kernal0txklyboag.exe"

The Trojan also adds multiple registry keys to prevent executables belonging to various Host AntiVirus and Security Tools from running. The images below show the code where the registry key values are being constructed for various security programs:

The following are examples of registry keys that got added on the infected system to prevent HijackThis and Malwarebytes from running:

• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionshijackthis.exeDebugger: "gevihsc_.exe"
• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmbam.exeDebugger: "enxizg_.exe"
• HKLMSOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmbamgui.exeDebugger: "bzshdt_.exe"

The Trojan injects code into the process wuauclt.exe which is a genuine windows process. It also checks the presence of the following softwares and if found, terminates.

It injects the dropped executable in NT Kernal0 folder into running processes and this executable acts as a watcher process for wuauclt.exe. If the injected wuauclt.exe process is terminated, the watcher process will respawn the wuauclt.exe and injects it with malicious code.

The Trojan looks for following applications on the victim machine and steals User credentials, Connection details, Game Keys, and User's contact list:

• FileZilla
• CoreFTP
• SmartFTP
• FlashFXP
• WinSCP 2.0
• FTP Commander Deluxe
• Skype
• PuTTy
• Valve Steam client
• EA Origin client
• Blizzard Entertainment games, League of Legends, and MineCraft

The Trojan attempts to connect to the following domains to upload stolen information and downloads the bitcoin mining files:

• betabros.in
• betabros.com
• poacher3.ipchina163.com

We also found traces of DDoS commands like slowloris, rudy, condis, httpget and udp as seen below:

Below is the description for these commands posted on underground forums:

• !slowloris - Connects to a webserver through several hundred sockets per bot, and sits on it.
• !udp - Sends mass amounts of random packets to target host/ip, perfect for home connections(SYNTAX: !udp host/ip port time)
• !condis - Rapid connect/disconnect flood, it takes down gaming(ie. CSS) and teamspeak/VoiP servers like gravy(SYNTAX: !condis host/ip port time)
• !httpget - Rapidly sends hundreds of HTTP GET requests every second from each bot.
• !rudy - Slowly posts data to existing forms on a given website in many concurrent submissions.

The Trojan also disables following Windows system services:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Neurevt.A_4 (Trojan)
• GAV: Troj.SPNR_65 (Trojan)
• GAV: Kryptik.BCFY (Trojan)