Drive-by download leads to RAT Trojan
The Dell SonicWALL Threats Research team discovered a RAT Trojan spreading through drive-by downloads from malicious links. The links were found hosting a malicious Java applet under the guise of an online game. Once the applet is executed, it downloads a Dark Comet RAT Trojan hosted on Dropbox and executes it. Dark Comet is a remote administration tool but is often used for malicious purposes because of its Trojan-like capabilities. In this instance, the RAT was used to capture the user's keystrokes along with the relevant window information and upload them to a remote server.
Infection Cycle
The drive-by download kicks in once the malicious page is visited. The security warning is shown as a result of the Java applet being signed with a self-signed DSA certificate.
If an unwary user decides to allow the applet to run, it silently downloads and executes the RAT in the background.
The RAT is hosted on Dropbox and the link to it is passed as a parameter to the Java applet, as shown below.
Once executed, the RAT Trojan performs the following activities:
- It creates copies of itself in:
  - %APPDATA%\rundll32.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
  - %USERPROFILE%\My Documents\MSDCSC\msdcsc.exe [Detected by GAV: Fynloski.AA_5 (Trojan)]
- It uses the following misleading icon:
- It creates a startup entry to ensure infection on reboot:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:MicroUpdate:"%USERPROFILE%\My Documents\MSDCSC\msdcsc.exe"
- The RAT uses an encrypted configuration file. During our analysis we were able to obtain the decrypted version of the configuration file, seen below. Some of the key features used are explained:
- It captures the user's keystrokes and stores them in:
  - %APPDATA%\dclogs\{YYYY-MM-DD-H}.dc
- The keystrokes are captured along with the relevant window titles, as shown below:
- It uploads the captured data to a remote server over port 1336 or 1444.
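As an added example (not part of the SonicWALL write-up), the following Python helper turns the persistence and keylog artefacts listed above into a host triage check: `triage()` matches a set of HKCU Run values and existing file paths against the Run value name, dropped-file paths and `dclogs` naming pattern from the analysis, and `collect_from_host()` gathers those inputs from a live Windows machine (it returns empty inputs elsewhere). The function and variable names are this example's own, and the `{YYYY-MM-DD-H}` pattern is interpreted as a four-digit year, two-digit month and day and a one- or two-digit hour.

```python
import ntpath
import os
import re

# Indicators from the write-up; %VAR% tokens are expanded before matching.
RUN_VALUE_NAME = "microupdate"
DROPPED_FILES = (r"%APPDATA%\rundll32.exe", r"%USERPROFILE%\My Documents\MSDCSC\msdcsc.exe")
KEYLOG_DIR = r"%APPDATA%\dclogs"
KEYLOG_NAME = re.compile(r"^\d{4}-\d{2}-\d{2}-\d{1,2}\.dc$")  # {YYYY-MM-DD-H}.dc


def expand(path, env):
    """Expand %VAR% tokens from an environment dict keyed by upper-case names."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def triage(run_values, present_files, env):
    """Match Run values ({name: command}) and existing paths against the indicators."""
    findings = []
    for name, cmd in run_values.items():  # persistence entry by name or by target binary
        if name.lower() == RUN_VALUE_NAME or "msdcsc.exe" in cmd.lower():
            findings.append(f"persistence: Run\\{name} = {cmd}")
    lowered = {p.lower() for p in present_files}
    for dropped in DROPPED_FILES:  # copies the RAT writes to disk
        full = expand(dropped, env)
        if full.lower() in lowered:
            findings.append(f"dropped copy: {full}")
    log_dir = expand(KEYLOG_DIR, env).lower()
    for p in present_files:  # keystroke logs: dclogs\<date>-<hour>.dc
        head, tail = ntpath.split(p)
        if head.lower() == log_dir and KEYLOG_NAME.match(tail):
            findings.append(f"keystroke log: {p}")
    return findings


def collect_from_host():
    """Live inputs for triage() on a Windows host (empty inputs elsewhere)."""
    if os.name != "nt":
        return {}, [], {}
    import winreg
    env = {k.upper(): v for k, v in os.environ.items()}
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
            name, value, _ = winreg.EnumValue(key, i)
            run_values[name] = str(value)
    log_dir = expand(KEYLOG_DIR, env)
    paths = [expand(p, env) for p in DROPPED_FILES]
    paths += [ntpath.join(log_dir, f) for f in os.listdir(log_dir)] if os.path.isdir(log_dir) else []
    return run_values, [p for p in paths if os.path.exists(p)], env
```

Run `triage(*collect_from_host())` on a suspect host and treat any non-empty result as grounds for a full memory and disk examination, since the indicator list above is only what this one sample dropped.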
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV:Fynloski.AA_5 (Trojan)
- GAV:JavaDL.CX (Exploit)