New Tor-based Information stealing Trojan

December 27, 2013

The Dell Sonicwall Threats Research team has observed reports of a new family of Information stealing Trojan that utilizes Tor for its Command and Control communication. The Infostealer Trojan arrives via drive-by download and is capable of stealing sensitive user information from the infected machine which is relayed back to a remote server via Tor network.

Tor is a popular free software and an open network that helps user maintain online anonymity. Tor conceals user location by directing Internet traffic through a distributed network of more than four thousand relays run by volunteers all around the world. We are seeing a steady increase in number of malware families incorporating Tor support for concealing Command and Control communication.

Infection Cycle:

Upon execution the malware drops a copy of itself into the common user startup folder as:

  • %All Users%Start MenuProgramsStartupspoolsv.exe [Detected as GAV: Fsysna.A (Trojan)]

It then executes the dropped copy with the original malware executable path as a command line argument and terminates itself. The new process sleeps for five seconds and deletes the original malware executable using the command line argument.

The malware starts gathering sensitive system information on the victim machine which includes:

  • External IP address by connecting to a legitimate site
  • System MAC address
  • Computer Name
  • User account permission
  • Logs user keystrokes

The malware installs a hook for low level keyboard event and logs the user keystrokes to a system.log file created in the user temp directory.

It logs the time, current active window title, and user keystrokes as seen below:

The logged information for currently active application gets matched against two predetermined regular expressions before being written into system.log file, when the user switches context to a new application window.

The Trojan also enumerates through running processes and extracts information by applying the regular expressions in each of the allocated virtual memory page.

The malware executable comes with an embedded Tor network connector binary (not malicious) that is dropped as %Temp%tor.exe on the infected system. The Tor program is further used by the malware to send all the captured information in Base64 encrypted format to the following URLs:

  • http://5ji235jysrvwfgmb.onion/recvdata.php [To transfer information extracted by matching regular expressions]
  • http://5ji235jysrvwfgmb.onion/sendlog.php [To transfer keylogger system.log file]

The tor.exe process is terminated after every upload of stolen information from the victim machine. The malware uploads the existing keylog file system.log and then deletes it every 24 hours.

Dell SonicWALL UTM appliance provides protection against this threat with the following signature:

  • Fsysna.A (Trojan)