New Bitcoin infostealer Trojan spotted in the wild

December 13, 2013

The Dell SonicWALL Threats Research team has received reports of a new infostealer Trojan aimed at Bitcoin users. As the value of Bitcoin continues to rise and reach relative stability, attackers keep coming up with ways to either steal or generate bitcoins using compromised machines. The following Trojan can steal various types of information from the victim machine, including Bitcoin wallet.dat files.

Infection cycle:

The Trojan uses the following icon:

The Trojan makes the following DNS query:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\asvep\winupdate.exe (AutoIt executable)
  • %USERPROFILE%\asvep\5943564.IFW (encoded AutoIt script)
  • %USERPROFILE%\asvep\20070.RQT [Detected as GAV: NetWiredRC.I#enc (Trojan)]
  • %USERPROFILE%\asvep\65901.PPZ (command configuration file)
  • %USERPROFILE%\asvep\7246235.vbe
  • %USERPROFILE%\asvep\start.cmd
  • %USERPROFILE%\asvep\start.vbs

The Trojan adds the following keys to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce asvep "%USERPROFILE%\asvep\start.vbs"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run winlogon "%WINDOWS%\System32\mshta.exe"
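A defender-side check for the autorun pattern above, as an added example that is not SonicWALL's code: it parses `reg query`-style output and flags values that autostart a script from the user profile, values whose name imitates a system process but launches a different binary, and values that launch a script host. The sample text is constructed, and the extension, process-name and script-host lists are assumptions that generalize beyond the two entries listed.

```python
import ntpath
import re

# Constructed `reg query`-format sample. The first two values mirror the
# entries listed above; "ExampleUpdater" is a hypothetical benign control.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    asvep    REG_SZ    "%USERPROFILE%\asvep\start.vbs"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    winlogon    REG_SZ    "%WINDOWS%\System32\mshta.exe"
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
'''

SCRIPT_EXTS = {".vbs", ".vbe", ".cmd", ".bat", ".js"}       # assumed list
SYSTEM_NAMES = {"winlogon", "svchost", "lsass", "csrss"}    # assumed list
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}  # assumed list
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")


def target_of(data):
    """Return the lower-cased program path from an autorun command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0].lower()
    return data.split(None, 1)[0].lower() if data else ""


def audit(reg_text):
    """Return (key, value_name, reason) tuples for suspicious autorun values."""
    findings, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, _type, data = m.groups()
        path = target_of(data)
        base = ntpath.basename(path)
        ext = ntpath.splitext(base)[1]
        if ext in SCRIPT_EXTS and ("%userprofile%" in path or "\\users\\" in path):
            findings.append((key, name, "script autostarted from user profile"))
        if name.lower() in SYSTEM_NAMES and base != name.lower() + ".exe":
            findings.append((key, name, f"name imitates system process, runs {base}"))
        if base in SCRIPT_HOSTS:
            findings.append((key, name, f"script host {base} autostarted"))
    return findings
```

Calling `audit(SAMPLE)` returns three findings: one for the `asvep` RunOnce value and two for the `winlogon` Run value, with the control entry left unflagged.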

The Trojan binary contains an embedded RAR archive that contains the malicious files listed above:

5943564.IFW contains an encoded AutoIt script. The decoded version of the script contains some anti-debugging, anti-VM and anti-antivirus instructions:

The AutoIt script is started by start.cmd:

The configuration file instructs the script to hide the process, disable UAC, protect the process by adding anti-hooking features, and prevent the Task Manager from loading.

The script decrypts and runs 20070.RQT [Detected as GAV: NetWiredRC.I (Trojan)] by injecting code into %WINDOWS%\System32\mshta.exe.

The following encrypted communication was observed between the decrypted NetWiredRC.I Trojan and bitcoins.dd-dns.de:

The NetWiredRC.I executable is an infostealer Trojan capable of stealing data from the victim machine including Bitcoin wallet.dat files.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Netwired.A (Trojan)
  • GAV: NetWiredRC.I (Trojan)
  • GAV: NetWiredRC.I#enc (Trojan)