Cashandler.A: New variant family of InfoStealer Trojan actively spreading in the wild.

September 8, 2017

The SonicWall Capture Labs Threat Research team has received reports of a new variant family of InfoStealer Trojan [GAV: Cashandler.A] actively spreading in the wild.

Cashandler malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

Infection Cycle:

The Malware adds the following files to the system:

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable file to Temp folder and runs following commands:

The malware's goal is to collect as much data as possible; attacker's profit based on the level of user information that is collected. Thereby more information collected leads to higher profits.

The malware also performs key logging and steals clipboard data from target and saves in following registry key:

During our research we have noticed that hackers used a free yahoo email address account for their malware,we were able to retrieve their credentials as they were hard coded into the malware. Once the credentials were decrypted, we were able to access the hacker email account.

Command and Control (C&C) Traffic

Cashandler performs C&C communication over HTTP protocol.

The malware sends the victim's Computer information to its own C&C server via following format, here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cashandler.A (Trojan)