Parcim Trojan steals sensitive system information

March 6, 2014

The Dell SonicWALL Threats Research team has discovered an info-stealer Trojan that is dropped onto unpatched machines as part of a drive-by attack. The attack exploits CVE-2014-0502 (the Adobe Flash Player vulnerability covered in a recent SonicAlert); no user interaction beyond visiting the malicious page is required.

Infection Cycle:

The Trojan adds the following files to the filesystem:

  • %TEMP%\chrome_frame_helper.dll [Detected as GAV: Parcim.A (Trojan)]
  • %TEMP%\chrome_frame_helper.exe
  • %TEMP%\chrome_frame_info.dll
  • %TEMP%\MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]
  • %TEMP%\YahooCache.ini
  • %USERPROFILE%\Local Settings\Temp\$NtUninstallKB942388$ (contains stolen system information)

The Trojan adds the following value to the Windows registry so that the dropper is relaunched at every user logon (the filenames mimic Google Chrome Frame components and the value is named to look like a Chrome updater):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  chrome_update = "%TEMP%\chrome_frame_helper.exe"

The Trojan makes the following DNS query:

YahooCache.ini contains the following data:

The Trojan downloads an additional malicious file and saves it as MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]:

It runs MSMAPI.OCX using the following command line (rundll32 loads the file as a DLL regardless of its .OCX extension and calls the named export):

      rundll32 %TEMP%\MSMAPI.OCX,RunProcGoa

The Trojan runs the following commands to gather system information:

      cmd.exe /C ipconfig /all
      cmd.exe /A /C rundll32 %TEMP%\MSMAPI.OCX,RunProcGoA
      cmd.exe /C net start
      cmd.exe /C tasklist
      cmd.exe /C systeminfo
      cmd.exe /C netstat -an
      cmd.exe /C net view
      cmd.exe /C dir "%userprofile%\recent"
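The dropped files, the Run-key persistence and the burst of discovery commands above are all visible in host telemetry. As an added example (this is not SonicWALL's code, and the event records are constructed to mirror this alert rather than captured from the sample), the following Python script applies three hunting rules to Sysmon-style process and registry events: a Run value whose target lives in a Temp directory, rundll32 loading a module from Temp whose extension is not .dll, and one parent process issuing four or more distinct discovery commands within two minutes. The record layout, rule names and thresholds are this example's own assumptions.

```python
"""Hunt for the Parcim infection chain in process/registry telemetry.

Added example, not SonicWALL's code. The event lines below are CONSTRUCTED to
mirror the behaviour described in the alert (Run-key persistence pointing into
%TEMP%, rundll32 loading a non-.dll module from %TEMP%, and a burst of
discovery commands from one parent); they are not captured from a sample.
The field layout, rule names and thresholds are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style records: time|type|parent image|image|details
SAMPLE_EVENTS = r"""
2014-03-06T10:00:01|process|C:\Program Files\Internet Explorer\iexplore.exe|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|"C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe"
2014-03-06T10:00:02|registry|-|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\chrome_update=C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe
2014-03-06T10:00:05|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\rundll32.exe|rundll32 C:\Users\bob\AppData\Local\Temp\MSMAPI.OCX,RunProcGoa
2014-03-06T10:00:06|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C ipconfig /all
2014-03-06T10:00:07|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C net start
2014-03-06T10:00:08|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C tasklist
2014-03-06T10:00:12|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C systeminfo
2014-03-06T10:00:13|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C netstat -an
2014-03-06T10:00:14|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C net view
2014-03-06T10:00:15|process|C:\Users\bob\AppData\Local\Temp\chrome_frame_helper.exe|C:\Windows\System32\cmd.exe|cmd.exe /C dir "C:\Users\bob\Recent"
2014-03-06T10:30:00|process|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /C ipconfig /all
"""

# A path component named Temp, i.e. %TEMP% on both XP-era and modern layouts.
TEMP_RE = re.compile(r"\\Temp\\", re.I)
# rundll32 <module>,<export> with optional quoting around the module path.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
# Registry detail "...\CurrentVersion\Run\<value>=<data>".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^=]+)=(.+)$", re.I)
# Discovery command families seen in the alert; one family per command.
DISCOVERY = [
    ("ipconfig", re.compile(r"\bipconfig\b", re.I)),
    ("net start", re.compile(r"\bnet\s+start\b", re.I)),
    ("tasklist", re.compile(r"\btasklist\b", re.I)),
    ("systeminfo", re.compile(r"\bsysteminfo\b", re.I)),
    ("netstat", re.compile(r"\bnetstat\b", re.I)),
    ("net view", re.compile(r"\bnet\s+view\b", re.I)),
    ("dir recent", re.compile(r"\bdir\b.*\brecent\b", re.I)),
]


def parse_events(text):
    """Split pipe-delimited records into dicts; details may contain no '|'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, parent, image, details = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "type": kind,
                       "parent": parent, "image": image, "details": details})
    return events


def detect(events, window=timedelta(seconds=120), min_distinct=4):
    """Return a list of findings; each is a dict with a 'rule' key."""
    findings = []
    bursts = defaultdict(list)  # parent image -> [(time, command family)]
    for ev in events:
        if ev["type"] == "registry":
            m = RUN_KEY_RE.search(ev["details"])
            if m and TEMP_RE.search(m.group(2)):
                findings.append({"rule": "run_key_to_temp",
                                 "value": m.group(1), "target": m.group(2)})
        elif ev["type"] == "process":
            m = RUNDLL_RE.search(ev["details"])
            if m:
                module, export = m.groups()
                if TEMP_RE.search(module) and not module.lower().endswith(".dll"):
                    findings.append({"rule": "rundll32_nondll_module",
                                     "module": module, "export": export})
            for family, rx in DISCOVERY:
                if rx.search(ev["details"]):
                    bursts[ev["parent"]].append((ev["time"], family))
                    break
    # Burst rule: distinct families (not raw counts) from one parent in the window.
    for parent, seq in bursts.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            fams = {f for t, f in seq[i:] if t - t0 <= window}
            if len(fams) >= min_distinct:
                findings.append({"rule": "discovery_burst", "parent": parent,
                                 "commands": sorted(fams)})
                break
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The burst rule keys on distinct command families rather than raw counts, so a lone `ipconfig /all` from an administrator's shell (the last constructed record) does not trip it; the four-command threshold and two-minute window are starting points to tune against your own baseline, and the Temp-directory match should be widened to any user-writable path your environment allows executables in.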

$NtUninstallKB942388$ contains the following data derived from the commands above:

  • Windows IP configuration
  • Details of the configured network adapters
  • A list of running services (net start)
  • The running process list (tasklist)
  • Output from netstat (listening ports and active connections)
  • Number of processors
  • Names of recently opened files (the .lnk shortcuts in the user's Recent folder)
  • System info (OS version, processors, service pack, physical RAM etc.)

The stolen system information was observed being sent to a remote C&C server:

The Trojan periodically contacts the C&C server to announce its presence. It sends its internal IP address as the value of the "ClientId" request parameter and obtains its external IP address from the server's response:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Parcim.A (Trojan)
  • GAV: Parcim.A_2 (Trojan)