Rango Antivirus FakeAV makes a surge

October 31, 2014

The Dell SonicWALL Threats Research team has observed a large wave of spam spreading FakeAV software called Rango Antivirus 2014. FakeAV software was a major trend two years ago but had since died down as infostealer trojans and ransomware such as Cryptolocker rose in prominence. This FakeAV Trojan arrives as an email with an attachment masquerading as a court notice document.

Infection cycle:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\ipcsxnep.exe [Detected as GAV: Zbot.CH_4 (Trojan)]
  • %APPDATA%\upoosook.exe [Detected as GAV: Inject.C_2 (Trojan)]

The Trojan adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rqvobwcf "%APPDATA%\ipcsxnep.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xwpdlhad "%APPDATA%\upoosook.exe"
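Both persistence entries follow the same pattern: a Run value with a random-looking eight-letter name that launches an executable dropped directly in %APPDATA% rather than in a vendor subfolder. The script below, added here as an example and not part of the SonicWALL advisory, parses the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and flags entries that match the advisory's indicators or that fit that pattern. The sample output it runs against is constructed for the example; the indicator names come from this advisory.

```python
import ntpath
import re

# Indicators taken from the advisory above.
KNOWN_BAD_VALUES = {"rqvobwcf", "xwpdlhad"}
KNOWN_BAD_FILES = {"ipcsxnep.exe", "upoosook.exe"}

# One value line of `reg query` output: <name> <type> <data>.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")

# Constructed sample of `reg query ...\Run` output for demonstration only.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    rqvobwcf    REG_SZ    "%APPDATA%\ipcsxnep.exe"
    xwpdlhad    REG_SZ    "%APPDATA%\upoosook.exe"
    Updater     REG_EXPAND_SZ    %APPDATA%\Vendor\updater.exe --quiet
"""


def parse_reg_query(text):
    """Return a list of (value_name, command) pairs from reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def executable_of(command):
    """Extract the executable path from a Run command, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def reasons_for(name, command):
    """Return the list of reasons an entry looks like this dropper's persistence."""
    exe = executable_of(command)
    basename = ntpath.basename(exe).lower()
    parent = ntpath.dirname(exe).rstrip("\\").lower()
    reasons = []
    if name.lower() in KNOWN_BAD_VALUES or basename in KNOWN_BAD_FILES:
        reasons.append("matches advisory indicator")
    # Executable sitting directly in %APPDATA% (no vendor subdirectory).
    if parent == "%appdata%" or parent.endswith("\\appdata\\roaming"):
        reasons.append("executable placed directly in %APPDATA%")
    # Eight random lowercase letters, as in rqvobwcf / xwpdlhad.
    if re.fullmatch(r"[a-z]{8}", name):
        reasons.append("random eight-letter value name")
    return reasons


def find_suspicious(text):
    """Return [(value_name, executable, reasons)] for entries worth examining."""
    hits = []
    for name, command in parse_reg_query(text):
        reasons = reasons_for(name, command)
        if reasons:
            hits.append((name, executable_of(command), reasons))
    return hits


if __name__ == "__main__":
    for name, exe, reasons in find_suspicious(SAMPLE_REG_QUERY):
        print(f"{name}: {exe} -> {'; '.join(reasons)}")
```

On a live host, pipe the real `reg query` output into `find_suspicious` instead of the constructed sample; the `%APPDATA%` check also covers expanded paths ending in `AppData\Roaming`, which is how the value appears once the variable is resolved.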

The Trojan runs an instance of svchost.exe and injects malicious code into it. The malicious code causes it to download an encrypted copy of ipcsxnep.exe from a remote webserver:

The following strings were seen in the svchost.exe memory space. Some of this system information is sent, encrypted, in the initial POST request:

The Trojan then sleeps for a variable period of time. We observed a period of around 10-15 minutes before FakeAV dialogs were shown. The following is a sample of the dialogs that are shown to the user:

As seen in the screenshots, the Trojan uses the usual FakeAV scare tactics to entice the user into paying for the software. The payment page shows 3 license packages:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Zbot.CH_3 (Trojan)
  • GAV: Zbot.CH_4 (Trojan)
  • GAV: Inject.C_2 (Trojan)