Hanove Backdoor Trojan

SonicWALL UTM Research team discovered a new backdoor Trojan in the wild. This backdoor Trojan called Hanove opens a backdoor on the infected system allowing the attacker to send further commands to the compromised system. The Trojan was also observed to be capturing and uploading screenshots of the user's desktop to a remote server at regular intervals.

It performs the following activities:

• It ensures persistence of infection across reboots by creating the following startup script
  All UsersStart MenuProgramsStartupsyncdata.vbs
  

• It captures screenshots of the user's desktop at five second intervals and stores it to the following location
  Documents and Settings{user}Desktopshot.bmp
  

• It renames the captured screenshot using the current timestamp with the following file format
  mm-dd-yy_HH-MM-SS.jpg

• It decrypts obfuscated strings in memory to construct the remote URL it contacts. The decryption routine simply decrements the value of each character by one to get the decrypted string.
  

• It uploads captured screenshot to a remote URL using the custom user agent string "MBVDFRESCT"
  

• It receives the following response if the upload is successful
  

• The remote server it connects to is hosted in Pennsylvania, United States and is active at the time of writing this alert

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: Hanove.A (Trojan)
• GAV: Hanove.A_2 (Trojan)