Data stealing trojan found in the wild (August 14, 2015)

The Dell SonicWall Threats Research team has received reports of a Trojan which leaves no trace behind and steals information from the infected system which is spreading in the wild.

Infection Cycle:

The Trojan uses the following mutex:

• SHIMLIB_LOG_MUTEX

Upon looking at the properties, the trojan is described as an application in Chinese, named Aspirate.

Upon execution, the Trojan creates a copy of itself in the following location:

• %Application Data%sample.exe

It creates a autostart object at:

• C:Documents and SettingsAdminStart MenuProgramsStartupsample.exe

In order to start after reboot the malware creates the following registry key:

• %%USER%softwaremicrosoftwindowscurrentversionrun

To make removal even more difficult, it disables the System Restore:

• HKLMsoftwaremicrosoftwindows ntcurrentversionsystemrestore

The trojan executes these commands:

• C:Windowssystem32svchost.exe -k netsvcs
• C:Windowssystem32vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
• bcdedit /set {default} recoveryenabled No
• bcdedit /set {default} bootstatuspolicy ignoreallfailures

It creates a file and tries to steal information at:

• %Admin%CookiesUIJNQI9V.txt

It tries to connect to the following domains:

• ip-address.es
• ii-tavi.net
• japaneselink.net
• everestmarketinggroup.com
• www.e-m-g.covoutevirtuelle.com
• skprints.com
• kmreich.com
• imanaging.info
• karateserbia.org
• closed.loopia.rs
• easbrain.com
• pinoyjokes.org
• bettercatch.com

It does the following request multiple times to the C&C servers. Once it receives the reply, it sends encrypted information to the servers.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provides protection against this threat with the following signatures:

• GAV: Crowti.A_86(Trojan)