Onkods social engineering spam campaign continues
The Dell SonicWall research team recently encountered a malicious spam e-mail. The sample contained in the email is another in the line of droppers known by the name Onkods. This malware family's primary role is to gain execution on a victim's machine in order to download and launch the next stage in the attack.
The file attached to the email pretends to be a JPG, with a filename that mimics the one a digital camera would produce. The real extension of the file, however, is SCR (a Windows screensaver, which is an ordinary executable), so if a user attempts to view it, it executes and infects the system.
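The lure relies on a camera-style name and a decoy image extension in front of the real SCR extension. The following is an added example (not code from the SonicWall advisory) of the check a mail gateway or triage script can apply: split every extension off the attachment name, treat the last one as the real type, and compare the claimed type with the file's leading bytes, since an SCR is a PE file and starts with `MZ` while a JPEG starts with `FF D8 FF`. The camera-name regex, the extension lists and the sample attachments are constructed for this example.

```python
import os
import re

# Heuristic for filename stems that imitate a digital camera's numbering
# (DSC_0123, DSCN0456, IMG_2291, P1010001). Constructed for this example.
CAMERA_STEM_RE = re.compile(r"^(?:DSC[_N]?|DSCF|IMG_|P\d{3}|SAM_)\d{3,5}$", re.IGNORECASE)
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"             # Windows executables; an SCR file is a PE file
JPEG_MAGIC = b"\xff\xd8\xff"


def split_all_exts(filename):
    """'DSC_0123.jpg.scr' -> ('DSC_0123', ['.jpg', '.scr']); the last item is the real extension."""
    stem, exts = filename, []
    while True:
        stem, ext = os.path.splitext(stem)
        if not ext:
            return stem, exts
        exts.insert(0, ext.lower())


def assess_attachment(filename, head):
    """Classify an attachment from its name and the first bytes of its content.

    Returns {'filename', 'verdict': 'block'|'review'|'allow', 'reasons': [...]}.
    Every extension before the last one is treated as a possible decoy.
    """
    stem, exts = split_all_exts(filename)
    real_ext = exts[-1] if exts else ""
    decoy_image_exts = [e for e in exts[:-1] if e in IMAGE_EXTS]
    reasons = []

    if real_ext in EXEC_EXTS:
        reasons.append(f"real extension {real_ext} is executable")
        if CAMERA_STEM_RE.match(stem):
            reasons.append("camera-style filename on an executable")
        if decoy_image_exts:
            reasons.append(f"decoy image extension {decoy_image_exts[-1]} before {real_ext}")

    # Content check: the claimed type must agree with the magic bytes.
    if head.startswith(PE_MAGIC):
        if real_ext not in EXEC_EXTS:
            reasons.append(f"PE header (MZ) behind {real_ext or 'no'} extension")
    elif real_ext in {".jpg", ".jpeg"} and not head.startswith(JPEG_MAGIC):
        reasons.append("jpg extension but content is not a JPEG")

    if real_ext in EXEC_EXTS or head.startswith(PE_MAGIC):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


# Constructed samples: (attachment name, first bytes of its content).
SAMPLES = [
    ("DSC_0123.jpg.scr", b"MZ\x90\x00\x03\x00"),        # the lure described above
    ("DSC_0124.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # a genuine photo
    ("IMG_2291.jpg", b"MZ\x90\x00"),                      # PE renamed to .jpg
    ("holiday.jpg", b"GIF89a"),                           # wrong format, not a PE
    ("invoice.pdf", b"%PDF-1.4"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        result = assess_attachment(name, head)
        print(f"{result['verdict']:6} {name}: {'; '.join(result['reasons']) or 'ok'}")
```

The verdict is driven by the real extension and the magic bytes, not by the camera-style name on its own; the name only adds a reason, because a genuine `DSC_0124.jpg` with a JPEG header must still pass.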
While the URL for the second stage binary is clearly visible in the contents of the binary, the malware does obfuscate the API functions it uses to download and launch the second stage.
[Figure: the encrypted procedure names within the binary.]
[Figure: the encrypted procedure names in the context of the malware's execution flow.]
After running the obfuscated library names through the malware's decryption routine, the intent of the sample becomes even more clear.
The second stage binary is then downloaded as 78f6d86g4g.exe [Detected by GAV:Phorpiex.B_9 (Worm)], which in turn downloads further binaries. The following additional binaries were seen being executed during our analysis:
- C:\Users\Admin\AppData\Local\Temp\1241547105.exe [Detected by GAV:Injector.BAKZ (Trojan)]
- C:\Users\Admin\AppData\Local\Temp\2561927484.exe [Detected by GAV:Sdbot.JN (Trojan)]
- C:\Users\Admin\M-2480286949245824\winsvc.exe [Detected by GAV:Sdbot.JN (Trojan)]
- C:\Users\Admin\M-89675864735623587\winmgr.exe [Detected by GAV:Phorpiex.B_9 (Worm)]
The malware creates the following mutexes on the system:
The malware communicates with the following hosts:
- a1961.g.akamai.net:80 (18.104.22.168)
- api.wipmania.com:80 (22.214.171.124)
- epiclanka.com:80 (126.96.36.199)
- filebox.su:80 (188.8.131.52)
- spmbox.ru:5050 (184.108.40.206)
- trikbox.ru:5050 (220.127.116.11)
- mx01.gmx.com:25 (18.104.22.168)
Overall the motive of this Trojan is to create additional bots to send spam and propagate further. The SonicWALL research team will continue to monitor this threat.
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV:Onkods.Y (Trojan)
- GAV:Kryptik.BLMB (Trojan)
- GAV:Injector.BAKZ (Trojan)
- GAV:SDbot.JN (Trojan)
- GAV:Phorpiex.B_9 (Worm)