Malware claiming to be Heartbleed test tool
The Dell SonicWALL Threats Research team came across a malicious executable that claims to be the recently discovered Heartbleed vulnerability test tool. The executable is a new variant of a Backdoor Trojan malware family Zacom. This is yet another example of how quickly Cybercriminals try to take advantage of a new popular topic to spread malware.
The Heartbleed vulnerability is a critical information disclosure bug in the TLS and DTLS implementations of OpenSSL that was discovered earlier this week. More information about the vulnerability and our analysis is available here.
The malware executable file looks like below:
The malware upon execution will generate a unique ID utilizing the infected ComputerName and UniqueID information as shown below:
It then registers the infection with a remote Command and Control server for which the IP address was found to be hardcoded in the malware. The command and control server responds back with a unique string starting with either su or sp followed by 9 digit numbers.
It further creates the following files on the system:
- %User Local Settings%Temphello032.txt [Temporary text file to check for write permission and bitness]
- %User Local Settings%Tempmsbridge.exe [Copy of itself detected as GAV: Zacom.A_2 (Trojan)]
It also creates a registry entry to ensure that the dropped malware executable runs on system reboot:
- HKCUSoftwareMicrosoftWindowsCurrentVersionRun Msbridge = %User Local Settings%Tempmsbridge.exe
The original malware process terminates after creating a new process to start the dropped executable with the following arguments:
%User Local Settings%Tempmsbridge.exe %PATH TO THE ORIGINAL EXECUTABLE FILE% 4194304
The new process will utilize the path argument to delete the original malware executable file.
It then attempts to communicate with the hardcoded command and control server IP, waiting for further commands. The following network activity indicators were observed during our analysis:
As seen above, the malware has support for downloading updates and additional malware as well as upload stolen information from the infected machine. The malware also uses a custom generic User Agent string for its communication. The command and control server is hosted in Hong Kong and appears to be active at the time of analysis.
Dell SonicWALL UTM appliance provides protection against this threat with the following signatures:
- GAV: Zacom.A (Trojan)
- GAV: Zacom.A_2 (Trojan)
- IPS:3686 Zacom heartbleed malware activity 1
- IPS:3688 Zacom heartbleed malware activity 2