Bredolab Trojan spam campaign

July 16, 2010

The SonicWALL UTM Research team observed a wave of resume-themed spam carrying a newer variant of the Bredolab Trojan starting earlier this week. The spam e-mails arrive with a zip attachment that contains the Bredolab Trojan executable. The e-mail pretends to come from a prospective job applicant and looks like this:

Attachment: resume_41170.zip (contains Myresume.exe)

Subject: Please look my CV, Thank you

Email Body:
------------------------
Hello!

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.
------------------------

A sample email message looks like:

[screenshot: sample spam e-mail]

The executable inside the attachment uses an icon disguised as a Microsoft Word document:

[screenshot: attachment icon mimicking a Word document]

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • It creates the following file
    • C:\WINDOWS\System32\svrwsc.exe - Detected as GAV: Bredolab.ZX (Trojan)
  • It injects itself into the following processes
    • C:\WINDOWS\system32\csrss.exe
    • C:\WINDOWS\System32\svchost.exe
  • It attempts to access the following files and fails, possibly looking for a prior infection
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~1.dat
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~2.dat
  • It connects to the predetermined malicious domain musiceng.ru and sends process information

    [screenshot: network traffic to musiceng.ru]

  • It creates the following registry values so that svrwsc.exe starts as a service named "Windows Security Center Service" on every system restart:
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Type: 0x00000010
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Start: 0x00000002
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ErrorControl: 0x00000000
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ImagePath: "C:\WINDOWS\System32\svrwsc.exe"
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\DisplayName: "Windows Security Center Service"
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ObjectName: "LocalSystem"
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Description: "The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service."
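As an added defender-side example (not code from the advisory or from SonicWALL), the script below parses a Registry Editor (.reg) export of the Services hive and flags any service key matching the persistence indicators listed above. The sample export is constructed to mirror those keys, and treating wscsvc as the genuine Security Center service key is an assumption.

```python
# Indicators from the advisory above; wscsvc as the genuine Security Center service key is an assumption.
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DROPPED_BINARY = "svrwsc.exe"
FAKE_DISPLAY_NAME = "Windows Security Center Service"
GENUINE_WSC_KEY = "wscsvc"
AUTO_START = 2  # Start=dword:2 means the service launches at every boot
# Constructed .reg export shaped like the keys the advisory lists (ImagePath as REG_SZ for readability).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\System32\\svrwsc.exe"
"DisplayName"="Windows Security Center Service"
"ObjectName"="LocalSystem"
"""

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}; dword and quoted strings decoded, others kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # un-escape .reg backslashes
            else:
                keys[current][name] = raw
    return keys

def find_bredolab_services(keys):
    """Return (key_name, image_path, auto_start, reasons) for each Services key matching the indicators."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT + "\\"):
            continue
        key_name = path.rsplit("\\", 1)[-1]
        image = str(values.get("ImagePath", "")).lower()
        reasons = []
        if key_name.lower() == "svrwsc" or image.endswith(DROPPED_BINARY):
            reasons.append("points at dropped binary " + DROPPED_BINARY)
        if values.get("DisplayName") == FAKE_DISPLAY_NAME and key_name.lower() != GENUINE_WSC_KEY:
            reasons.append("display name impersonates Security Center outside " + GENUINE_WSC_KEY)
        if reasons:
            findings.append((key_name, values.get("ImagePath"), values.get("Start") == AUTO_START, reasons))
    return findings
```

On a live host the same check can be run over the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services`, which produces the format the parser reads.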

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with the GAV: Bredolab.ZX (Trojan) signature.

[screenshot: GAV signature detection]