Infostealer Trojan that tracks user activity
The Dell SonicWall Threats Research Team received reports of an infostealer Trojan that aims at gathering information about the victim system and passes it to the attacker. Some of the information passed to the attacker includes the programs and shell commands being executed by the user when the Trojan is running.
We found the Trojan to be hosted on a legitimate website tala[removed].com/sem/xp.exe which is still active at the time of writing this blog. The Trojan gets downloaded from this link as xp.exe with WinRar icon:
It drops the following files on the system:
- %ProgramData%MicrosoftWindowsStart MenuProgramsStartupsystem.pif - Copy of itself
- %APPDATA%Roamingofficewinword.exe - Copy of itself
It creates the following Mutexes on the system to mark its presence:
The Trojan adds the following key to the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "%APPDATA%Roamingofficewinword.exe"
It makes the following changes to the registry in order to bypass firewalls:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapProxyBypass="1"
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapIntranetName="1"
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZonemapUNCAsIntranet="1"
It drops the following additional files on the system:
- %APPDATA%LocalTempUuU.uUu - This contains the time at which the Trojan was executed
- %APPDATA%LocalTempXxX.xXx - This contains the time at which the Trojan was executed
- %APPDATA%LocalTempXX--XX--XX.txt - a 230kB temporary text file
- %APPDATA%LocalTempteste.vbs - This VB Script lists the Firewall and Antivirus Products present on the victim system and copies them onto a file teste.txt
We observed the Trojan communicating with data3.sytes.net on TCP port 9090 where it sends information about the activity performed by the user when the Trojan is executing. Some of the activities that were captured during our analysis were:
- Programs being opened
- Folders being opened
- Commands executed in Shell
Below is a screenshot of sample network traffic from this infostealer:
In addition, it performs the following:
- Stops the Windows firewall by executing net stop mpssvc
The main goal of this Trojan is to harvest information on the infected system and relay it to the attacker. During our analysis the information that was passed was limited to programs, commands and files opened by the user. The Trojan can be considered noisy as it performs a number of activities and does not try very hard to conceal its presence, the names of the Mutexes also indicate the non-stealthy nature of this Trojan.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Spatet.AA_2 (Trojan)