Infostealer Trojan targeting German users

April 25, 2014

The Dell SonicWall Threats Research team is seeing an active spam campaign involving an infostealer Trojan that appears to be targeting German users. The Trojan arrives in the form of emails that masquerade as messages from service providers with attachments of receipts, form notifications or a service invoice written in the German language.

Figure 1: Sample Spam Email

Infection Cycle:

The Trojan uses the following icon to masquerade as a harmless application:

Figure 2: Trojan uses a fake java icon

Upon execution the Trojan checks for the presence of C:myapp.exe file on the system, and terminates itself when found.

Figure 3:Trojan attempting to create C:myapp.exe

If the above file is not present, it will inject itself into svchost.exe to hide its malicious activity further and terminate itself. The original malware executable is deleted by the injected svchost.exe process.

Figure 4: Trojan injects itself into an svchost.exe process

The Trojan also checks if it is running in a virtual environment by querying values for the following registry keys:

  • HKLMHardwareACPIDSDTVBOX__ (VirtualBox)

The Trojan then displays a fake Adobe Reader error warning the user that it is unable to view the file.

Figure 5: Fake Adobe Reader error

The Trojan creates a copy of itself into the following locations:

  • %TEMP%*random file name*.pre [Detected as GAV: Injector.BCIS (Trojan)]
  • %APPDATA%*random directory name**random file name*.exe [Detected as GAV: Injector.BCIS (Trojan)]

To ensure that the infection persists on system reboot, it creates the following registry key:

  • HKLMsoftwaremicrosoftwindowscurrentversionrun[*random*] "%APPDATA%*random directory name**random file name*.exe"

The Trojan then gathers sensitive system information such as the computer name, user name, Windows version, SystemLangID, UserLangID, CPU, GPU and available drives on the infected machine. It encrypts and sends the collected information to its Command and Control server as seen below:

Figure 6: Trojan sending encrypted data
Post to

The following is the decrypted information that was being sent:

Figure 7: Sample of information the Trojan gathered

The Trojan is programmed to send this information to a predetermined list of Command and Control Servers at 3 minutes interval as seen below:

Figure 8:Trojan sending data to different IPs

The following is a list of hard coded Command and Control server URLs that gets decrypted on run-time by the injected code:

Figure 9: Command and Control server URLs,,,,,,,,,,,,,,,

It checks for the presence of various security application processes and system processes on the infected system:

Figure 10: List of running processes being checked

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Inject.BCIS (Trojan)