Data stealing Trojan leaves no trace behind (Mar 27, 2015)

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan that leaves no trace behind after infection. This Trojan appears to be distributed through compromised legitimate websites. Upon successful execution and transmission of stolen data, this Trojan deletes itself and leaves no files and signs of infection on the victim’s machine.

Infection Cycle:

Upon execution the Trojan creates a copy of itself in the following location:

  • %TEMP%\winlog.exe [Detected as GAV: Kryptik.LOG (Trojan)]

The Trojan then makes a DNS query to the following domain:

  • nohostss.zapto.org

It then downloads an additional component.

Figure 1: Trojan downloading an encrypted file from pastebin.com

In order to start after reboot the malware makes a copy of itself in the following location:

  • %USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe [Detected as GAV: Kryptik.LOG (Trojan)]

This Trojan is capable of logging keystrokes and the names of running processes, which it writes to the following file:

  • %TEMP%\winlog.exe.tmp (log file)

Figure 2: Sample of keystrokes logged

It then periodically sends out the information gathered to a remote server.

Figure 3: Trojan connecting to a remote host

Figure 4: Sample of data sent to a remote host, which includes computer name, operating system and date

After a successful infection and data collection, the Trojan then deletes all copies of itself and all additional components from the victim’s machine and invokes a system shutdown.

Figure 5: Trojan shutting down the victim’s machine
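As an added defender-side example (not SonicWall's code), the following Python script matches host file paths and resolver-log lines against the indicators listed in the infection cycle above. The file paths and DNS log lines it scans are constructed sample data; the %VAR% placeholders in the indicators are treated as wildcards so that per-user TEMP and profile paths match. Because the Trojan deletes its files once the data has been sent, the durable signals on a host are the DNS query to the C2 domain and the unexpected shutdown, so the file checks mainly help on a machine caught mid-infection or on a forensic image.

```python
"""Host-indicator triage for the self-deleting keylogger described above.

Added example, not SonicWall's code. It matches file paths and DNS-log
lines against the indicators given in the write-up; all sample inputs
below are constructed for the demonstration.
"""
import re
from typing import Iterable

# Indicators from the write-up (path separators restored). The %VAR%
# tokens are environment-variable placeholders and are matched loosely.
FILE_INDICATORS = [
    r"%TEMP%\winlog.exe",
    r"%TEMP%\winlog.exe.tmp",
    r"%USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe",
]
DNS_INDICATOR = "nohostss.zapto.org"


def indicator_to_regex(indicator: str) -> re.Pattern:
    """Turn a %VAR%-style path into an anchored, case-insensitive regex.

    Each %VAR% token may match any directory prefix, so the pattern also
    matches a per-user TEMP such as C:/Users/alice/AppData/Local/Temp.
    """
    parts = re.split(r"%[A-Z]+%", indicator)
    body = r".*".join(re.escape(p) for p in parts)
    return re.compile(r"^" + body + r"$", re.IGNORECASE)


FILE_PATTERNS = [(ind, indicator_to_regex(ind)) for ind in FILE_INDICATORS]


def match_files(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Return (observed_path, indicator) pairs for every path that matches."""
    hits = []
    for path in paths:
        for indicator, pattern in FILE_PATTERNS:
            if pattern.match(path):
                hits.append((path, indicator))
    return hits


def match_dns(log_lines: Iterable[str]) -> list[str]:
    """Return log lines containing a query for the C2 domain.

    The domain must be a whole label sequence (optionally with a trailing
    dot as resolver logs write it), so look-alike names do not match.
    """
    domain_re = re.compile(
        r"(?:^|[\s.])" + re.escape(DNS_INDICATOR) + r"\.?(?:\s|$)", re.IGNORECASE
    )
    return [line for line in log_lines if domain_re.search(line)]


def triage(paths: Iterable[str], log_lines: Iterable[str]) -> dict:
    """Summarise both checks for a host; 'suspect' is True on any hit."""
    files = match_files(paths)
    dns = match_dns(log_lines)
    return {"file_hits": len(files), "dns_hits": len(dns), "suspect": bool(files or dns)}


# Constructed sample data (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\winlog.exe",
    r"C:\Users\alice\AppData\Local\Temp\winlog.exe.tmp",
    r"C:\Users\alice\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe",
    r"C:\Windows\System32\winlogon.exe",  # legitimate binary, must not match
]
SAMPLE_DNS = [
    "2015-03-27T10:01:02 client=192.0.2.10 query=A nohostss.zapto.org.",
    "2015-03-27T10:01:05 client=192.0.2.10 query=A www.example.com.",
    "2015-03-27T10:01:09 client=192.0.2.10 query=A notnohostss.zapto.org.",  # look-alike
]

if __name__ == "__main__":
    for path, indicator in match_files(SAMPLE_PATHS):
        print(f"FILE  {path}  <- {indicator}")
    for line in match_dns(SAMPLE_DNS):
        print(f"DNS   {line}")
    print(triage(SAMPLE_PATHS, SAMPLE_DNS))
```

The file patterns are anchored at the end of the path, so `winlog.exe` and its `.tmp` log are reported separately and `winlogon.exe` is ignored; the DNS pattern requires the C2 name to start at a label boundary, so a host name that merely ends in the same string is not counted.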

Overall, this Trojan is capable of downloading additional malware onto the victim’s machine and of sending sensitive information out to a remote server. This style of execution is uncommon because the infection is not persistent; it is, however, an effective technique for evading antivirus detection. Cybercriminals can also use the stolen information to later deploy a more powerful, persistent threat on the victim’s machine that defeats its security defenses.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signatures:

  • GAV: Kryptik.LOG (Trojan)
  • IPS SID:2092 Kryptik.LOG Activity
