Data stealing Trojan leaves no trace behind
The Dell SonicWall Threats Research team has received reports of a data stealing Trojan that leaves no trace behind after infection. This Trojan appears to be distributed through compromised legitimate websites. Once it has executed and transmitted the stolen data, the Trojan deletes itself, leaving no files or other signs of infection on the victim's machine.
Upon execution the Trojan creates a copy of itself in the following location:
- %TEMP%\winlog.exe [Detected as GAV: Kryptik.LOG (Trojan)]
The Trojan then makes a DNS query to the following domain:
It then downloads an additional component.
Figure 1: Trojan downloading an encrypted file from pastebin.com
In order to start after reboot the malware makes a copy of itself in the following location:
- %USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe [Detected as GAV: Kryptik.LOG (Trojan)]
This Trojan logs keystrokes and the list of running processes, writing them to the following file:
- %TEMP%\winlog.exe.tmp (log file)
Figure 2: Sample of keystrokes logged
It then periodically sends out the information gathered to a remote server.
Figure 3: Trojan connecting to a remote host
Figure 4: Sample of data sent to the remote host, which includes the computer name, operating system and date
After a successful infection and data collection, the Trojan then deletes all copies of itself and all additional components from the victim’s machine and invokes a system shutdown.
Figure 5: Trojan shutting down the victim's machine
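Because the Trojan removes its own files once the stolen data has been sent, the artifacts listed above are only visible during a short window. The following host-triage helper is an added example (not SonicWall's tooling): it checks for those file paths and copies any it finds to an evidence folder before the clean-up phase runs. The %TEMP% and %USERPROFILE% values are passed in as an explicit mapping so the check can be exercised offline; the sample values used below are constructed.

```python
import hashlib
import os
import shutil

# File artifacts named in the advisory: the %TEMP% copy, its .tmp keystroke log,
# and the Startup copy. Constructed triage helper, not SonicWall's own tooling.
ARTIFACTS = (
    r"%TEMP%\winlog.exe",
    r"%TEMP%\winlog.exe.tmp",
    r"%USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe",
)


def expand(path, env):
    """Expand %VAR% tokens from an explicit mapping rather than os.environ."""
    for name, value in env.items():
        path = path.replace("%" + name + "%", value)
    return path


def find_artifacts(env, isfile=os.path.isfile):
    """Return the expanded artifact paths present on the host. An empty list is not
    a clean bill of health: the Trojan deletes itself after exfiltration, so an
    unexplained shutdown (Figure 5) still warrants a closer look."""
    return [p for p in (expand(a, env) for a in ARTIFACTS) if isfile(p)]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(found, evidence_dir):
    """Copy each artifact into evidence_dir before the malware's clean-up removes it;
    returns {original_path: sha256} for the incident record."""
    os.makedirs(evidence_dir, exist_ok=True)
    record = {}
    for src in found:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)
        record[src] = sha256_of(dst)
    return record


if __name__ == "__main__":
    env = {k: os.environ.get(k, "") for k in ("TEMP", "USERPROFILE")}
    hits = find_artifacts(env)
    print(hits or "no advisory artifacts present (they may already have self-deleted)")
```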
Overall, this Trojan is capable of downloading additional malware onto the victim's machine and sending sensitive information out to a remote server. This style of execution is not commonly used, since the infection is not persistent; it is, however, an effective way to evade antivirus detection. Cybercriminals can also use the stolen information to later deploy a more capable, persistent threat on the victim's machine that defeats its security defenses.
Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signatures:
- GAV: Kryptik.LOG (Trojan)
- IPS SID:2092 Kryptik.LOG Activity