Downloader Trojan that can drop multiple malware
The Dell SonicWALL Threats Research team has discovered a downloader Trojan spreading through email. It can drop various kinds of malware on the system. In this case it dropped ransomware that remained dormant on the system.
Infection Cycle:
The Trojan uses the following PDF icon:

The Trojan makes the following DNS queries:
- stun4.l.google.com
The Trojan adds the following files to the filesystem:
- %TEMP%\document.exe [Detected as GAV: Upatre.AF_8 (Trojan)]
- %WINDOWS%\VTlrgieTqjTrJGf.exe [Detected as GAV: Ransomer.DYG (Trojan)]
The Trojan reports infection to a C&C server using the User Agent "Mazilla/5.0":

The Trojan downloads an additional malware executable (kora_k12.pdf) from a remote webserver:
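One way to hunt for the check-in and the second-stage download described above in web-proxy logs. This is an added example, not part of the SonicWALL advisory; the log layout (timestamp, client, method, URL, quoted User-Agent) and the sample lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the advisory above.
SUSPICIOUS_UA = "Mazilla/5.0"        # misspelled "Mozilla" used for the C&C check-in
SUSPICIOUS_PAYLOAD = "kora_k12.pdf"  # encrypted second stage fetched from the webserver

# Assumed (constructed) proxy log layout:
#   <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the proxy line matches one of the advisory's indicators."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    reasons = []
    if m.group("ua") == SUSPICIOUS_UA:
        reasons.append("User-Agent Mazilla/5.0 (C&C check-in)")
    if m.group("url").rsplit("/", 1)[-1] == SUSPICIOUS_PAYLOAD:
        reasons.append("download of kora_k12.pdf (encrypted second stage)")
    if not reasons:
        return None
    return {"client": m.group("client"), "url": m.group("url"), "reason": "; ".join(reasons)}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_line over a log and keep only the hits."""
    return [hit for hit in map(classify_line, lines) if hit]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '2014-03-10T09:12:01Z 10.0.0.15 GET http://example.invalid/x.php "Mazilla/5.0"',
    '2014-03-10T09:12:03Z 10.0.0.15 GET http://example.invalid/kora_k12.pdf "Mazilla/5.0"',
    '2014-03-10T09:12:05Z 10.0.0.22 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1)"',
    "garbage line without structure",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The DNS query to stun4.l.google.com is deliberately left out of the rule: that host is a legitimate Google STUN server, so the query alone is a weak indicator, while the misspelled User-Agent is specific to this downloader.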

The file is encrypted. During analysis we were able to determine the location of the decryption routine in the executable:

After decryption, the file VTlrgieTqjTrJGf.exe is written to disk. The file appears to be a ransomware Trojan but remains dormant on the filesystem. It uses the following icon:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Upatre.AF_8 (Trojan)
- GAV: Malagent.H_2691 (Trojan)
- GAV: Ransomer.DYG (Trojan)