Antivirus Security Pro FakeAV Downloader - Onkods
The Dell SonicWall Threats Research team has observed multiple variants of a new FakeAV downloader Trojan being actively spammed in the wild. The FakeAV downloader also known as Onkods arrives as an e-mail attachment pretending to be a JPEG image. It downloads and installs a new FakeAV Trojan Antivirus Security Pro when an unsuspecting user opens the e-mail attachment. The Downloader and FakeAV Trojan utilizes multiple anti-debugging and anti-detection techniques to prevent heuristic detection and automated analysis.
Here is a list of e-mail subjects and attachment names from various spam e-mails that were captured over the last week involving Onkods Trojan:
Sample e-mail messages look like below:
A closer look at the Onkods Downloader Trojan binary revealed that certain API calls and Windows Library names were encrypted to deter heuristic detection. These are network activity and filesystem activity related API calls that are decrypted on runtime.
- Encrypted API Calls
- Encrypted Windows Library name
If the user opens the attachment, it connects to a predetermined remote server to download the FakeAV Trojan. The downloader uses a custom User-Agent string as seen below:
The server hosting these FakeAV Trojan binaries are located in Lithuania. It then runs the downloaded executable which will begin the FakeAV infection cycle.
Antivirus Security Pro
The FakeAV Trojan checks for the presence of any of these two files c:sd.dbg and c:sd2.dbg and terminates itself if found. It also checks for the presence of Virtual environments like Virtual Box, Virtual PC, VMWare, and Qemu before starting the infection cycle. While we have seen many other malware families that are VM-aware, this is unique as it uses more discreet API calls - SetupDiGetClassDevs, SetupDiEnumDeviceInfo, and SetupDiGetDeviceRegistryProperty to enumerate hardware and detect the Virtual Environment as seen below:
It disables the Microsoft Windows security and update processes by running these commands:
It then displays a fake Windows Security Center alert searching for a solution to fix virus activity which is followed by Antivirus Security Pro scanning:
The following screens show the usual Fake Antivirus scareware tactics:
- Fake scanning and infection alerts.
- Blocks legitimate programs from running.
- Prompts user to buy upgrade to cleanup infection.
We were able to extract the following affiliate ID, payment gateway, and support URLs during our analysis:
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Onkods.S (Trojan)
- GAV: Kryptik.BLMB (Trojan)
- GAV: FakeAV.BLMB (Trojan)