New variant of Atros InfoStealer actively spreading in the wild.

March 24, 2017

The Sonicwall Threats Research team observed reports of a new variant of Atros InfoStealer actively spreading in the wild.

Atros gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own command-and-control (C&C) server.

Infection Cycle:

The malware adds the following files to the system:

  • %Userprofile%\Application Data\oougw.exe

  • %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

  • %Userprofile%\All Users\Application Data\[ Computer Name ][ Date ].jpg [ Computer Screen Shot ]

The malware adds the following value under the Run key in the Windows registry to ensure that the Trojan runs at startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cd482369-09b5-4f6f-929d-87c40c6be1bc

    • "%Userprofile%\Application Data\oougw.exe"

Once the computer is compromised, the malware copies its own executable into the user's profile folder (the oougw.exe path listed above).
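As an added example (not SonicWall's code and not part of the original advisory), the following PowerShell triages a single host for the persistence value and dropped files listed above. It assumes PowerShell 4 or later (for Get-FileHash) and maps the XP-era folder names in the advisory to their modern equivalents ($env:APPDATA for "Application Data", $env:LOCALAPPDATA for "Local Settings\Application Data", $env:ProgramData for "All Users\Application Data"); the function name Invoke-AtrosTriage and the strong/medium/weak weighting are our own, not indicators from the advisory.

```powershell
# Added triage script (not SonicWall's code): check a Windows host for the
# Atros persistence value and dropped files named in this advisory.
# Assumptions: PowerShell 4+ (Get-FileHash); modern profile paths
# ($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) stand in for the
# XP-era folder names; Invoke-AtrosTriage and the Weight labels are ours.

function Invoke-AtrosTriage {
    [CmdletBinding()]
    param()

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'cd482369-09b5-4f6f-929d-87c40c6be1bc'
    $dropper   = 'oougw.exe'
    $findings  = @()

    # 1. Persistence: the GUID-named Run value, plus any other Run value that
    #    points at the dropper (assumption: the file name is reused even when
    #    the value name changes between samples).
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider noise
            $isGuidName = ($prop.Name -eq $valueName)
            $isDropper  = ($prop.Value -is [string]) -and ($prop.Value -match [regex]::Escape($dropper))
            if ($isGuidName -or $isDropper) {
                $weight = 'medium'
                if ($isGuidName) { $weight = 'strong' }
                $findings += [pscustomobject]@{
                    Indicator = 'Run value'
                    Location  = "$runKey\$($prop.Name)"
                    Detail    = $prop.Value
                    Weight    = $weight
                }
            }
        }
    }

    # 2. Dropped executable in the roaming profile. Hash it before anything is
    #    quarantined so the sample can be matched against vendor signatures.
    $exe = Join-Path $env:APPDATA $dropper
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Location  = $exe
            Detail    = 'SHA256=' + (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            Weight    = 'strong'
        }
    }

    # 3. GDIPFONTCACHEV1.DAT is also written by GDI+ on clean machines, so on
    #    its own it only corroborates the other hits; report it as weak.
    $cache = Join-Path $env:LOCALAPPDATA 'GDIPFONTCACHEV1.DAT'
    if (Test-Path -LiteralPath $cache -PathType Leaf) {
        $findings += [pscustomobject]@{
            Indicator = 'GDI+ font cache'
            Location  = $cache
            Detail    = 'LastWrite=' + (Get-Item -LiteralPath $cache).LastWriteTime
            Weight    = 'weak'
        }
    }

    # 4. Screenshots named <ComputerName><Date>.jpg in the all-users data folder.
    $shots = @(Get-ChildItem -Path $env:ProgramData -Filter "$env:COMPUTERNAME*.jpg" -File -ErrorAction SilentlyContinue)
    foreach ($s in $shots) {
        $findings += [pscustomobject]@{
            Indicator = 'Screenshot'
            Location  = $s.FullName
            Detail    = "Size=$($s.Length) LastWrite=$($s.LastWriteTime)"
            Weight    = 'medium'
        }
    }

    return $findings
}

# Usage: run in an elevated PowerShell on the suspect host.
$results = @(Invoke-AtrosTriage)
if ($results.Count -eq 0) {
    Write-Output 'No Atros indicators found.'
} else {
    $results | Format-Table -AutoSize
    if ($results.Weight -contains 'strong') { exit 1 }   # non-zero exit for fleet-wide scripting
}
```

A strong hit (the GUID-named Run value or oougw.exe in the roaming profile) is worth acting on by itself; the font cache file is present on most Windows machines regardless of infection, and screenshots under ProgramData are only meaningful alongside one of the strong hits. Capture the file hash before quarantining so the sample can be compared with the GAV signature named at the end of this advisory.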

The malware's goal is to collect as much data as possible; the attacker's profit depends on how much user information is harvested, so the more data collected, the higher the profit.

The malware also performs keylogging, takes screenshots, and steals clipboard data from the target user.

The malware installs a keylogger on the target machine and extracts saved passwords from the following web browsers:

  • Chrome

  • Firefox

  • Internet Explorer

  • Opera

  • Safari

The malware saves the harvested browser credentials into a Browsers.txt file and transfers it to its own C&C server.

Command and Control (C&C) Traffic

Atros performs C&C communication over port 80.

The malware sends the computer's information to its own C&C server in the following format; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.A_986 (Trojan)