Info stealer module leaks process information
The Dell Sonicwall Threats Research team has discovered an info stealer Trojan that is possibly a module of a larger botnet crimeware system. The sample analysed here leaks information about the processes currently running on the system and contains functionality to capture desktop screenshots.
The Trojan uses the following icon to masquerade as a harmless PDF file:
The Trojan adds the following files to the filesystem:
- %WINDIR%\ueubupb.hiv (encrypted file)
- %WINDIR%\wyv.lta (encrypted file)
The Trojan periodically sends encrypted data to a remote webserver:
During analysis we were able to locate the routine used to encrypt the outgoing data:
Decrypting the outgoing traffic showed that the data being sent is a list of the processes running on the system:
This Trojan is believed to be part of the Nymaim malware family.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Nymaim.AY (Trojan)