Oficla Trojan Spam Campaign

October 1, 2010

The SonicWALL UTM Research team has observed a Facebook-themed spam campaign involving a newer variant of the Oficla Trojan over the last 3 days. The spam emails arrive with a zip-archived attachment that contains the Oficla Trojan executable. The e-mail is drafted to appear as a Facebook password reset notification.

Campaign #1

Attachment: FacebookPassword.zip
Subject: Facebook password has been changed! ID444

Email Body:
------------------------
How to Avoid Moving Scams
Mass. woman pleads guilty in glass-eating scheme
------------------------

Campaign #2

Attachment: FaceBook_Password_Nr2829.zip
Subject: Your New Facebook password

Email Body:
------------------------
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
------------------------

Campaign #3

Attachment: FaceBook_Password_Nr27477.zip
Subject: Facebook Password Reset Confirmation!

Email Body:
------------------------
Dear user of facebook.

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.
------------------------

Sample email messages look like:

screenshot

screenshot

screenshot

The executable files inside the attachment look like this:

screenshot
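The three campaigns share one shape: a password-reset lure in the subject and a zip attachment whose only member is a Windows executable. The following is an added example of how a mail gateway could screen for that pattern; it is not SonicWALL's own filtering logic. The subjects and attachment names mirror the campaigns listed above, while the message bodies, the executable's file name inside the zip, the fake executable bytes (just the MZ magic) and the benign control message are constructed for the example.

```python
"""Screen inbound mail for the lure pattern described above: a zip attachment
carrying a Windows executable, dressed up as a Facebook password notice.

Added example, not SonicWALL's gateway logic. Subjects and attachment names
mirror the three campaigns; the bodies, the executable name inside the zip,
the fake executable bytes and the benign control message are constructed.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".dll")
LURE_SUBJECT = re.compile(r"facebook.*password|password.*facebook", re.IGNORECASE)
FAKE_PE = b"MZ" + b"\x00" * 62  # constructed: only the DOS header magic, not a real binary


def inspect_zip(data):
    """Return [(member name, first two bytes)] or None if data is not a readable zip.
    Only two bytes per member are read, so a large or nested archive costs little."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            out = []
            for info in zf.infolist():
                with zf.open(info) as fh:
                    out.append((info.filename, fh.read(2)))
            return out
    except zipfile.BadZipFile:
        return None


def screen_message(raw):
    """Return (rule, detail) findings for one raw RFC 5322 message; [] means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        findings.append(("lure-subject", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip"):
            members = inspect_zip(payload)
            if members is None:
                findings.append(("corrupt-zip", name))
                continue
            for member, head in members:
                # Extension or MZ magic: a renamed .txt that is really a PE still trips
                if member.lower().endswith(EXECUTABLE_EXTENSIONS) or head == b"MZ":
                    findings.append(("exe-in-zip", f"{name}:{member}"))
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS) or payload[:2] == b"MZ":
            findings.append(("bare-executable", name))
    return findings


def make_zip(member_name, member_bytes):
    """Build an in-memory zip with a single member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def build_message(subject, body, filename, data, maintype="application", subtype="zip"):
    """Assemble a test message with one attachment (constructed sender/recipient)."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


LURE_BODY = ("Dear user of facebook.\n\nBecause of the measures taken to provide safety "
             "to our clients, your password has been changed.\nYou can find your new "
             "password in attached document.\n\nThanks,\nYour Facebook.\n")


def campaign_samples():
    """Messages shaped like the three campaigns, one disguised archive and one benign control."""
    exe = make_zip("Facebook_Password.exe", FAKE_PE)  # member name is an assumption
    return {
        "campaign1": build_message("Facebook password has been changed! ID444",
                                   "How to Avoid Moving Scams\n", "FacebookPassword.zip", exe),
        "campaign2": build_message("Your New Facebook password", LURE_BODY,
                                   "FaceBook_Password_Nr2829.zip", exe),
        "campaign3": build_message("Facebook Password Reset Confirmation!", LURE_BODY,
                                   "FaceBook_Password_Nr27477.zip", exe),
        # Neutral subject and a .txt member that is really a PE: only the MZ check catches it
        "disguised": build_message("Your document", "See attached.\n", "document.zip",
                                   make_zip("readme.txt", FAKE_PE)),
        "benign": build_message("Quarterly report", "Attached.\n", "report.pdf",
                                b"%PDF-1.4\n%constructed placeholder\n", "application", "pdf"),
    }


if __name__ == "__main__":
    for label, raw in campaign_samples().items():
        print(label, screen_message(raw) or "clean")
```

The subject regex alone would miss a campaign that changes its wording, so the archive inspection is the check that carries weight: it reads only the first two bytes of each member, which is enough to spot a PE header behind a harmless-looking file name without extracting the archive.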

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • Network Activity:
    • It connects to a C&C server and receives commands
    • screenshot

    • It downloads a file from the URL specified in the command
    • It sends process information to the remote C&C server
    • screenshot

  • File Activity:

    It creates the following files:

    • %temp%\4.tmp - Detected as GAV: Oficla.AFZ (Trojan)
    • %temp%\5.tmp - Detected as GAV: Scar.CUQT (Trojan)
    • %windir%\system32\bfky.ojo - Detected as GAV: Oficla.AFZ (Trojan)
    • %windir%\system32\svrwsc.exe - Detected as GAV: Scar.CUQT (Trojan)
  • Process Activity:
    • It injects itself into the running svchost.exe process
  • Registry Activity:
    • It creates HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvrWsc: %windir%\system32\svrwsc.exe, ensuring the infection survives a system restart
    • It modifies HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with the new value "Explorer.exe rundll32.exe bfky.ojo bwapp", ensuring the malicious DLL is loaded on system restart
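The file and registry artifacts above are the host-side indicators an incident responder would sweep for. The following is an added example of that sweep, not SonicWALL's own tooling: the indicator values (the four file paths, the SvrWsc service key and the Winlogon string) are taken from the write-up, while the snapshot structure, the sample host data and the assumption that the modified Winlogon value is the one named "Shell" are mine. On Windows the script reads the live registry through the standard-library winreg module; elsewhere it runs against the constructed sample.

```python
"""Check a host for the file and registry indicators listed above.

Added example, not SonicWALL's own tooling. Indicator values (file paths, the
SvrWsc service key, the Winlogon string) come from the write-up; the snapshot
format, the sample data and the assumption that the modified Winlogon value is
named "Shell" are mine.
"""
import os
import re
import sys
from dataclasses import dataclass

# Indicators from the write-up, kept with %temp% / %windir% placeholders.
FILE_INDICATORS = [
    r"%temp%\4.tmp",
    r"%temp%\5.tmp",
    r"%windir%\system32\bfky.ojo",
    r"%windir%\system32\svrwsc.exe",
]
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\SvrWsc"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUE = "Shell"  # assumption: the value holding "Explorer.exe rundll32.exe bfky.ojo bwapp"
WINLOGON_MARKER = "rundll32.exe bfky.ojo"


@dataclass
class HostSnapshot:
    """What the matcher needs from a host; all paths, keys and names lower-cased."""
    env: dict              # {"temp": ..., "windir": ...}
    files: set             # existing file paths
    registry_keys: set     # existing HKLM subkeys
    registry_values: dict  # (key, value name) -> data


def expand(path, env):
    """Expand %var% placeholders case-insensitively and lower-case the result."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%(\w+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path).lower()


def match_indicators(snap):
    """Return (kind, indicator) pairs present in the snapshot; [] means no match."""
    hits = []
    for ind in FILE_INDICATORS:
        if expand(ind, snap.env) in snap.files:
            hits.append(("file", ind))
    if SERVICE_KEY.lower() in snap.registry_keys:
        hits.append(("service", SERVICE_KEY))
    shell = snap.registry_values.get((WINLOGON_KEY.lower(), WINLOGON_VALUE.lower()), "")
    if WINLOGON_MARKER in shell.lower():
        hits.append(("winlogon", f"{WINLOGON_KEY}\\{WINLOGON_VALUE} = {shell}"))
    return hits


def collect_live_snapshot():
    """Build a snapshot from the running Windows host (winreg is stdlib on Windows only)."""
    import winreg
    env = {"temp": os.environ.get("TEMP", ""), "windir": os.environ.get("WINDIR", "")}
    files = {p for p in (expand(i, env) for i in FILE_INDICATORS) if os.path.exists(p)}
    keys, values = set(), {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY):
            keys.add(SERVICE_KEY.lower())
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            data, _ = winreg.QueryValueEx(key, WINLOGON_VALUE)
            values[(WINLOGON_KEY.lower(), WINLOGON_VALUE.lower())] = str(data)
    except OSError:
        pass
    return HostSnapshot(env, files, keys, values)


SAMPLE_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "WINDIR": r"C:\Windows"}  # constructed


def clean_sample():
    """Constructed snapshot of an uninfected host with a stock Winlogon shell."""
    return HostSnapshot(
        dict(SAMPLE_ENV),
        {r"c:\windows\system32\svchost.exe", r"c:\users\alice\appdata\local\temp\1.tmp"},
        {r"system\currentcontrolset\services\eventlog"},
        {(WINLOGON_KEY.lower(), "shell"): "Explorer.exe"},
    )


def infected_sample():
    """Constructed snapshot showing every artifact from the write-up."""
    snap = clean_sample()
    snap.files |= {
        r"c:\users\alice\appdata\local\temp\4.tmp",
        r"c:\users\alice\appdata\local\temp\5.tmp",
        r"c:\windows\system32\bfky.ojo",
        r"c:\windows\system32\svrwsc.exe",
    }
    snap.registry_keys.add(SERVICE_KEY.lower())
    snap.registry_values[(WINLOGON_KEY.lower(), "shell")] = "Explorer.exe rundll32.exe bfky.ojo bwapp"
    return snap


if __name__ == "__main__":
    snap = collect_live_snapshot() if sys.platform == "win32" else infected_sample()
    for kind, ind in match_indicators(snap):
        print(f"{kind}: {ind}")
```

The Winlogon check matches on the "rundll32.exe bfky.ojo" fragment rather than the whole string, since the normal shell entry ("Explorer.exe") is prepended and a variant could append further arguments; the service key check is by existence, because the value data is just the path already covered by the file indicator.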

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant with GAV: Oficla.AHB (Trojan) signature. [517,120 hits recorded in last 3 days]

screenshot