Artemis.A, New InfoStealer in the Wild. (January 26, 2017)


The SonicWall Threats Research team observed reports of a new InfoStealer family, detected as GAV: Artemis.A_43, actively spreading in the wild.

Artemis gathers confidential information from the compromised computer, such as login details, passwords and financial information, and sends it to its command-and-control (C&C) server.

Infection Cycle:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe.tmp

    • Trojan.exe.tmp [keylogger data]

The malware adds the following keys to the Windows registry to ensure that the Trojan runs at startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • “%Userprofile%\Local Settings\Temp\Trojan.exe” ..

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • “%Userprofile%\Local Settings\Temp\Trojan.exe” ..

Once the computer is compromised, the malware copies its own executable files into the user's profile folder.
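As an added example (not SonicWall's code and not the malware's), the following Python script checks a host for the file and Run-key indicators listed above. It parses a .reg export of the two Run keys and a bare directory listing of the Temp folder; both inputs here are constructed samples, and the benign entries in them are made up. On a real host the inputs would come from `reg export` and `dir /b`. The "Local Settings\Temp" path is the Windows XP profile layout, so on newer Windows the listing would be taken from %LOCALAPPDATA%\Temp instead.

```python
import re

# Indicators taken from the report above: the Run value name and the files
# dropped into %Userprofile%\Local Settings\Temp.
RUN_VALUE_NAME = "5cd8f17f4086744065eb0992a09e05a2"
DROPPED_FILES = {
    "bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe",
    "Trojan.exe",
    "Trojan.exe.tmp",  # keylogger output
}
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# A Run value whose data launches one of the dropped files from the Temp
# folder is flagged even if the value name differs from the analysed sample.
_TEMP_LAUNCH = re.compile(
    r"\\Local Settings\\Temp\\(?:Trojan\.exe|bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx\.exe)",
    re.IGNORECASE,
)

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the following character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse the subset of .reg syntax that `reg export` emits for Run keys:
    [key] section headers followed by "name"="string" lines.  Returns
    {key_lowercased: {value_name: value_data}}; dword:/hex: values are skipped
    because Run entries are always strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_run_persistence(reg):
    """Return (key, value_name, command, reason) for suspicious Run entries."""
    hits = []
    for key in sorted(RUN_KEYS & set(reg)):
        for name, command in reg[key].items():
            if name.lower() == RUN_VALUE_NAME:
                hits.append((key, name, command, "value name matches the report"))
            elif _TEMP_LAUNCH.search(command):
                hits.append((key, name, command, "launches a dropped file from Temp"))
    return hits


def find_dropped_files(listing):
    """Return the report's file names that appear in a `dir /b` listing of Temp."""
    wanted = {f.lower(): f for f in DROPPED_FILES}
    present = {line.strip().lower() for line in listing.splitlines()}
    return sorted(wanted[n] for n in present & set(wanted))


# Constructed sample inputs (not real captures); the benign entries are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"5cd8f17f4086744065eb0992a09e05a2"="\"C:\\Documents and Settings\\bob\\Local Settings\\Temp\\Trojan.exe\" .."

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
'''

SAMPLE_TEMP_LISTING = """\
~DF3A1B.tmp
bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe
Trojan.exe
Trojan.exe.tmp
wct1234.tmp
"""

if __name__ == "__main__":
    for hit in find_run_persistence(parse_reg(SAMPLE_REG)):
        print("persistence:", hit)
    print("dropped files present:", find_dropped_files(SAMPLE_TEMP_LISTING))
```

The value name is the strongest of the two registry checks, since it is specific to this sample; the path check catches a variant that renames the value but still launches the dropper from Temp, at the cost of a false positive if a legitimate installer ever did the same. A file named Trojan.exe in Temp is a weak indicator on its own and should be confirmed with the GAV detection or a hash.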

The malware goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware retrieves a list of running processes and the websites visited by the user and sends it, Base64-encoded, to its C&C server.

The malware installs a keylogger on the target machine and saves the captured keystrokes to the Trojan.exe.tmp file; here is an example:

The malware also gathers system information such as the following:

  • COMPUTERNAME

  • USERNAME

  • Date

  • Windows version

Command and Control (C&C) Traffic

Artemis performs its C&C communication over port 1177.

The malware sends the collected computer information to its C&C server in the following format; here is an example:
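As an added example, not from the original report, here is a Python triage routine for the C&C behaviour described above: it selects records whose destination port is 1177, attempts a strict Base64 decode of the payload, and looks for the field names the report lists. The report gives the field names but not the exact layout of the beacon, so the one-`name=value`-per-line layout of the constructed sample beacon, and the sample records themselves, are assumptions.

```python
import base64
import binascii

CNC_PORT = 1177
# Field names the report says the stealer sends; used as decode markers.
MARKERS = ("COMPUTERNAME", "USERNAME", "Date", "Windows version")


def decode_b64_text(blob):
    """Strictly decode a Base64 payload to text, or return None.

    validate=True rejects any character outside the Base64 alphabet (so plain
    HTTP on the same port is not mistaken for a beacon), and the strict UTF-8
    decode rejects binary that merely happens to be valid Base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def parse_fields(text):
    """Split a decoded beacon into a dict.  The report names the fields but not
    the wire layout; one name=value pair per line is an assumption."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


def triage_record(dst_port, payload):
    """Classify one outbound record.

    Returns (verdict, fields) where verdict is one of:
      'ignore'        - not the C&C port
      'port-only'     - port 1177, but the payload is not a beacon we recognise
      'artemis-like'  - port 1177 and the decoded text carries the report's fields
    """
    if dst_port != CNC_PORT:
        return "ignore", {}
    text = decode_b64_text(payload)
    if text is None:
        return "port-only", {}
    fields = parse_fields(text)
    if sum(m in fields for m in MARKERS) >= 2:
        return "artemis-like", fields
    return "port-only", fields


def triage_records(records):
    """Run triage_record over (src, dst, dst_port, payload) tuples."""
    return [(src, dst) + triage_record(port, payload)
            for src, dst, port, payload in records]


# Constructed sample beacon and records (not captured traffic).
SAMPLE_BEACON = (
    "COMPUTERNAME=WS01\n"
    "USERNAME=bob\n"
    "Date=26.01.2017\n"
    "Windows version=5.1\n"
    "Processes=explorer.exe;iexplore.exe;Trojan.exe\n"
)
SAMPLE_RECORDS = [
    # wrong port: ignored regardless of payload
    ("10.0.0.5", "93.184.216.34", 443, "FgMBBAA="),
    # right port but plain-text HTTP: port alone is a weak signal
    ("10.0.0.5", "198.51.100.7", 1177, "GET / HTTP/1.1"),
    # right port and a Base64 beacon carrying the report's fields
    ("10.0.0.5", "198.51.100.7", 1177,
     base64.b64encode(SAMPLE_BEACON.encode()).decode()),
]

if __name__ == "__main__":
    for src, dst, verdict, fields in triage_records(SAMPLE_RECORDS):
        print(f"{src} -> {dst}: {verdict} {fields}")
```

Port 1177 by itself is only a hint; other software can use it, and the operator can change it. The decoded field names are the part worth alerting on, and the decoded process list and visited sites are what an incident responder would pull out of the capture to scope what was stolen.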

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Artemis.A_43 (Trojan)
