Artemis.A, New InfoStealer in the Wild.

The Sonicwall Threats Research team observed reports of a new InfoStealer family named GAV: Artemis.A_43 and actively spreading in the wild.

Artemis malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

Infection Cycle:

The Malware adds the following files to the system:

• %Userprofile%Local SettingsTempbWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe

  • Detected as GAV: Artemis.A_43 (Trojan)

• %Userprofile%Local SettingsTempTrojan.exe

  • Detected as GAV: Artemis.A_43 (Trojan)

• %Userprofile%Local SettingsTempTrojan.exe.tmp

  • Trojan.exe.tmp [Key logs data ]

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun5cd8f17f4086744065eb0992a09e05a2

  • "%Userprofile%Local SettingsTempTrojan.exe" ..

• HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun5cd8f17f4086744065eb0992a09e05a2

  • "%Userprofile%Local SettingsTempTrojan.exe" ..

Once the computer is compromised, the malware copies its own Executable files to Userprofile folder.

The malware goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware retrieves a list of running processes and websites visited by user and send it to its own C&C server by Bas64 format.

The Malware installs key Logger on the target machine and saves data into Trojan.exe.tmp file, here is an example:

The malware gathers data such as following examples:

• COMPUTERNAME

• USERNAME

• Date

• Windows version

Command and Control (C&C) Traffic

Artemis performs C&C communication over 1177 port.

The malware sends your Computer information to its own C&C server via following format, here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

• GAV: Artemis.A_43 (Trojan)