Ackantta Trojan spam campaign

August 19, 2010

The SonicWALL UTM Research team observed a Twitter spam campaign involving a newer variant of the Ackantta Trojan in the last 7 days. The spam emails arrive with a zip-archived attachment which contains the Ackantta Trojan executable. The e-mail is drafted to appear as a Twitter invitation from a friend.

Attachment: Invitation Card.zip (contains document.doc ... .exe)

Subject: Your friend invited you to Twitter!

Email Body:
------------------------

New to Twitter? Sign up now

Have an account? Sign in

Your friend invited you to twitter!

Twitter

Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:

What are you doing?

To join or to see who invited you, check the attachment.
------------------------

A sample email message looks like:

[screenshot]

The executable file inside the attachment looks like this:

[screenshot]

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to whatismyip.com and attempts to obtain the victim's IP address
      [screenshot]
    • It sends a request to a known malicious domain
      [screenshot]
    • It resolves multiple SMTP servers and attempts to propagate by mass emailing
  • File Activity:

    It creates the following files:

    • %windir%\system32\HPWuSchdb.exe (copy of document.doc ... .exe) - Detected as GAV: Ackantta.TW (Trojan)
    • %windir%\system32\reader_s1.exe - Detected as GAV: Ackantta.TW (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - Detected as GAV: Dursg.G (Trojan)
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
    • %ProgramFiles%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Process Activity:

    It creates the following processes in memory:

    • %AppData%\SystemProc\lsass.exe
    • %windir%\system32\reader_sl.exe
    • %windir%\system32\HPWuSchdb.exe
    • %windir%\system32\hp-357.exe
    • %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
  • Registry Activity:
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\system32\HPWuSchdb.exe under the name "HP Software Updater", ensuring infection on system restart
    • It creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: C:\WINDOWS\reader_sl.exe under the name "Adobe Reader Speed Launcher", ensuring infection on system restart
    • It disables the Windows Security Center Service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc:Start
    • It disables the Error Reporting Service by modifying HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ERSvc:Start
    • It disables User Account Control (UAC) by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:EnableLUA
    • It disables the User Account Control (UAC) notification by modifying HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center:UACDisableNotify
  • Firefox Extension:

    As part of the infection process it installs timer.xul as a Firefox extension, which embeds a script in the section of certain pages rendered in the browser.

    [screenshot]
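A read-only host triage check for the artifacts listed above, added here as an example and not SonicWALL's own tooling: it reports the Run-key names, dropped files, disabled services, UAC values and the Firefox extension GUID named in this advisory. The second UAC location (Policies\System) is an added assumption, as is the 32-bit Firefox install path.

```powershell
# Added triage script (not from the advisory). Read-only: reports, never remediates.
# Run from an elevated PowerShell prompt on the suspect host.
$findings = @()

# HKCU Run-key value names the Trojan registers (names from the advisory)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'HP Software Updater', 'Adobe Reader Speed Launcher') {
    $val = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "Run key '$name' -> $val" }
}

# Dropped files and process images; GUID is the extension folder from the advisory.
# Assumes the 32-bit Firefox location; adjust for ${env:ProgramFiles(x86)} if needed.
$guid  = '{9CE11043-9A15-4207-A565-0C94C42D590D}'
$paths = @(
    "$env:windir\system32\HPWuSchdb.exe",
    "$env:windir\system32\reader_s1.exe",
    "$env:windir\system32\reader_sl.exe",
    "$env:windir\system32\hp-357.exe",
    "$env:APPDATA\SystemProc\lsass.exe",
    "$env:ProgramFiles\Mozilla Firefox\extensions\$guid"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Present on disk: $p" }
}

# Services the Trojan disables: a Start value of 4 means Disabled
foreach ($svc in 'wscsvc', 'ERSvc') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    $start = (Get-ItemProperty -Path $k -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $svc is disabled (Start=4)" }
}

# UAC rollback: EnableLUA=0 or UACDisableNotify=1. The advisory names the
# Security Center key; the Policies\System key is checked as an added assumption.
$uacKeys = 'HKLM:\Software\Microsoft\Security Center',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($k in $uacKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props -and $props.EnableLUA -eq 0)        { $findings += "EnableLUA=0 under $k" }
    if ($props -and $props.UACDisableNotify -eq 1) { $findings += "UACDisableNotify=1 under $k" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No Ackantta indicators found on this host.' }
```

A hit on any single item is a lead, not proof of infection; the Run-key names and file paths are chosen to look like legitimate HP and Adobe components, so confirm against the GAV detection before acting.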

SonicWALL Gateway AntiVirus provides protection against this Ackantta Trojan variant with the GAV: Ackantta.TW (Trojan) signature. [12770 hits recorded in last 7 days]

[screenshot]