DropperXSW.A: Registry only malware
The Dell SonicWALL Research team received an interesting malware. After the initial install the malware has no disk presence and uses an unique method to stay resident on the system using only registry keys. Along with its ability to hide the malicious registry keys, this malware is highly resistant towards antivirus detection.
On execution the malware unpacks itself in memory, creates a registry key and copies its binary image onto the value of the key.
The malware then copies its image into another process address space and executes from there, this technique is called Process hallowing or Dynamic Forking. In order to this, it starts svchost.exe in suspended mode:
After this it directly calls SYSENTER with the appropriate system call number to avoid monitoring by security software. The sequence followed to achieve Process Hallowing.
- 0x32 - NtCreateSection
- 0x6C - NtMapViewofSection
- 0x10B - NtUnmapViewof Section
- 0x19 - NtReleaseKeyedEvent
- 0x55 - NtGetContextThread
- 0xD5 - NtSetContextThread
- 0xCE - NtResumeProcess
- 0x101 - NtTerminateProcess
Now running in the process space of svchost.exe, it deletes the original installer. It sets inline hooks on the below mentioned API's in order to conceal its presence on the machine
AutoStart registry key created by the malware to stay resident:
- Run Entry: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
This key contains a script to read another registry key created by the malware using the following code:
- Base64 encoded clean copy of the files mshta.exe and dynwrapx.dll
- Base64 encoded manifest's for both the files
- Shell code which is responsible for reading the contents of BinaryImage32, invoking svchost.exe in suspended mode and copying the bytes into its memory and run it from there (Process Hallowing).
Contains two value keys:
- BinaryImage32 : Contains the malware file
- Loader : Contains 3 Components
The malware also adds itself in the compatible applications list of Terminal Server:
It makes DNS queries for :
Conects to the site:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- DropperXSW.A (Trojan)