Redosdru.V Malware that hides in encrypted DLL files to avoid detection by Firewalls

May 11, 2016

The Dell Sonicwall Threats Research team observed reports of a New Malware family named GAV: Redosdru.V actively spreading in the wild. This time attackers used a dropper to download the original Malware that hides in encrypted DLL files to avoid detection by Firewalls.

Infection Cycle:

Md5:

  • 807db66fd414f3eb5e74e10fc4309ae3

The Malware adds the following files to the system:

  • Malware.exe

    • C:Program FilesAppPatchNetsyst96.dll

    • C:Program FilesMicrosoft FduoodFduzjyw.exe

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

    • Wsejti gzuaqwud=C:Program FilesMicrosoft FduoodFduzjyw.exe

Once the computer is compromised, the malware copies its own files to AppPatch folder.

The Malware tries to download encrypted DLL file from its own C&C server from following domain:

Here is an example of encrypted DLL file:

Command and Control (C&C) Traffic

Redosdru.V performs communication over 9925 and 60321 ports. The malware sends your system information to its own C&C server via following format, here is an example:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Redosdru.V (Trojan)