Heur.CFG A Malware Uses Encryption to Hide Its Intentions
The Dell SonicWALL Threats Research team observed reports of a new malware family, named GAV: Heur.CFG, actively spreading in the wild. This time the attacker uses self-signed encryption for C&C data communication to avoid detection by anti-virus programs.
Infection Cycle:
The Malware uses the following icon:
MD5: 9F5DF82346249748F6C4A2E681BC33D3
The malware adds the following key and value to the Windows registry to ensure persistence upon reboot:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Armour = %Userprofile%\Malware.exe
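As an added example (not part of the advisory), the following Python audit flags Run-key values that launch a binary from the user profile, the pattern the `Armour = %Userprofile%\Malware.exe` entry above follows. The sample entries other than `Armour` are constructed stand-ins for legitimate autoruns, and the live registry read only works on a Windows host.

```python
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Profile-rooted variables that installed software rarely launches from.
USER_PREFIXES = ("%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%tmp%")

# Constructed sample Run entries: "Armour" is the value from the advisory,
# the other two are made up to stand in for legitimate autoruns.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /min',
    "Armour": r"%Userprofile%\Malware.exe",
}


def executable_path(command: str) -> str:
    """Return the launched binary: a quoted path or the first token."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2) or "") if m else ""


def is_suspicious(command: str) -> bool:
    # True when the binary sits under a profile variable or a literal C:\Users\ path.
    path = executable_path(command).lower()
    return path.startswith(USER_PREFIXES) or bool(re.match(r"^[a-z]:\\users\\", path))


def audit(entries: dict) -> list:
    """Names of Run values that launch from a user profile, sorted for stable output."""
    return sorted(name for name, cmd in entries.items() if is_suspicious(cmd))


def read_run_key() -> dict:
    """Read the live HKLM Run key on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            entries[name] = str(value)
            index += 1
    return entries


if __name__ == "__main__":
    live = read_run_key() or SAMPLE_RUN_ENTRIES
    for name in audit(live):
        print(f"suspicious Run entry: {name} = {live[name]}")
```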
Once the computer is compromised, the malware starts to communicate with its own domains via the following format:
The malware tries to communicate with its own C&C servers, such as the following IPs:
The malware uses self-signed encryption for C&C data communication to avoid detection by anti-virus programs; here is an example:
The malware tries to download SWF (Adobe Flash) and executable files from the following domains:
Command and Control (C&C) Traffic
Heur.CFG performs C&C communication over ports 80, 3009 and 23466. The malware sends your system information to its own C&C server via the following format; here are some examples:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Heur.CFG (Trojan)