Data stealing Trojan leaves no trace behind

March 27, 2015

The Dell SonicWall Threats Research team has received reports of a data stealing Trojan that leaves no trace behind after infection. This Trojan appears to be distributed through compromised legitimate websites. Once it has executed and transmitted the stolen data, the Trojan deletes itself, leaving no files or other signs of infection on the victim’s machine.

Infection Cycle:

Upon execution the Trojan creates a copy of itself in the following location:

  • %TEMP%\winlog.exe [Detected as GAV: Kryptik.LOG (Trojan)]

The Trojan then makes a DNS query to the following domain:

  • nohostss.zapto.org

It then downloads an additional component.

Figure 1: Trojan downloading an encrypted file from pastebin.com

In order to start after reboot the malware makes a copy of itself in the following location:

  • %USERPROFILE%\Start Menu\Programs\Startup\b3d7ad373951cd040fb05f6d6f5bf314.exe [Detected as GAV: Kryptik.LOG (Trojan)]

This Trojan is capable of logging keystrokes and the list of running processes, which it writes out to the following file:

  • %TEMP%\winlog.exe.tmp (log file)

Figure 2: Sample of keystrokes logged

It then periodically sends out the information gathered to a remote server.

Figure 3: Trojan connecting to a remote host

Figure 4: Sample of data sent to a remote host, which includes the computer name, operating system and date

After a successful infection and data collection, the Trojan then deletes all copies of itself and all additional components from the victim’s machine and invokes a system shutdown.

Figure 5: Trojan shutting down the victim’s machine
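Because the Trojan removes its own files before the machine shuts down, a disk-based check after the fact will find nothing; the artefacts that survive are the ones recorded by endpoint telemetry while it was running. The following script is an added example (not part of the SonicWall write-up) that hunts for the chain described above in a constructed, Sysmon-like event log: the dropped files in %TEMP% and the Startup folder, the DNS query to nohostss.zapto.org, the pastebin.com lookup made by the dropped binary, and the shutdown it invokes. The event format, the sample log lines and the host names are assumptions made for the example.

```python
"""Hunt for the infection chain in recorded endpoint events.

The log format below is constructed for this example: one event per line,
"timestamp host event_type key=value ...", loosely mimicking Sysmon fields.
Adapt parse_event() to your own log source; the indicators are the ones
listed in the write-up.
"""
import re
from collections import defaultdict

# Indicators from the write-up, compared case-insensitively against the
# tail of a path so the expanded %TEMP% / %USERPROFILE% prefix does not matter.
DROPPED_FILE_SUFFIXES = (
    r"\winlog.exe",
    r"\winlog.exe.tmp",
    r"\start menu\programs\startup\b3d7ad373951cd040fb05f6d6f5bf314.exe",
)
C2_DOMAINS = {"nohostss.zapto.org"}
DOWNLOAD_HOSTS = {"pastebin.com"}   # only suspicious when queried by a dropped binary

# Constructed sample telemetry: host WS01 shows the full chain, WS02 is benign.
SAMPLE_EVENTS = """\
2015-03-27T10:00:01 WS01 FileCreate path=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe image=C:\\Users\\alice\\Downloads\\invoice.exe
2015-03-27T10:00:02 WS01 DnsQuery query=nohostss.zapto.org image=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe
2015-03-27T10:00:03 WS01 DnsQuery query=pastebin.com image=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe
2015-03-27T10:00:05 WS01 FileCreate path=C:\\Users\\alice\\Start Menu\\Programs\\Startup\\b3d7ad373951cd040fb05f6d6f5bf314.exe image=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe
2015-03-27T10:00:06 WS01 FileCreate path=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe.tmp image=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe
2015-03-27T10:20:00 WS01 ProcessCreate image=C:\\Windows\\System32\\shutdown.exe parent=C:\\Users\\alice\\AppData\\Local\\Temp\\winlog.exe
2015-03-27T10:00:01 WS02 DnsQuery query=www.example.com image=C:\\Program Files\\Browser\\browser.exe
2015-03-27T10:00:02 WS02 FileCreate path=C:\\Users\\bob\\AppData\\Local\\Temp\\report.tmp image=C:\\Windows\\explorer.exe
"""

# key=value pairs; values may contain spaces ("Start Menu"), so a value runs
# until the next " key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one log line into a dict of fixed fields plus key=value fields."""
    ts, host, etype, rest = line.split(" ", 3)
    fields = dict(KV_RE.findall(rest))
    return {"ts": ts, "host": host, "type": etype, **fields}


def matches_dropped_file(path):
    p = path.lower()
    return any(p.endswith(suffix) for suffix in DROPPED_FILE_SUFFIXES)


def hunt(log_text):
    """Return {host: set of indicator tags} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host, etype = ev["host"], ev["type"]
        if etype == "FileCreate" and matches_dropped_file(ev.get("path", "")):
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            hits[host].add("dropped_file:" + name)
        elif etype == "DnsQuery":
            q = ev.get("query", "").lower()
            if q in C2_DOMAINS:
                hits[host].add("c2_dns:" + q)
            elif q in DOWNLOAD_HOSTS and matches_dropped_file(ev.get("image", "")):
                hits[host].add("download_from_dropped_binary:" + q)
        elif etype == "ProcessCreate":
            image = ev.get("image", "").lower()
            if image.endswith("\\shutdown.exe") and matches_dropped_file(ev.get("parent", "")):
                hits[host].add("shutdown_by_dropped_binary")
    return dict(hits)


def is_full_chain(indicators):
    """True when a host shows a drop, the C2 lookup and the final shutdown."""
    has_drop = any(i.startswith("dropped_file:") for i in indicators)
    has_c2 = any(i.startswith("c2_dns:") for i in indicators)
    return has_drop and has_c2 and "shutdown_by_dropped_binary" in indicators


if __name__ == "__main__":
    for host, inds in sorted(hunt(SAMPLE_EVENTS).items()):
        verdict = "full chain" if is_full_chain(inds) else "partial"
        print(host, verdict, sorted(inds))
```

A single pastebin.com lookup is not an indicator on its own, which is why the script only flags it when the querying image is one of the dropped binaries; the same goes for shutdown.exe, which is attributed to the Trojan only through its parent process. Matching on path tails rather than full paths keeps the rules independent of the user profile the variables expand to.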

Overall, this Trojan is capable of downloading additional malware onto the victim’s machine and of sending sensitive information out to a remote server. This style of execution is not commonly used, since the infection is not persistent; it is, however, an effective technique for evading antivirus detection. Cybercriminals can also use the stolen information to later deploy a more powerful persistent threat on the victim’s machine that defeats its security defenses.

Dell SonicWALL Gateway AntiVirus and Intrusion Prevention provide protection against this threat with the following signatures:

  • GAV: Kryptik.LOG (Trojan)
  • IPS SID:2092 Kryptik.LOG Activity