Redosdru.V Malware that hides in encrypted DLL files to avoid detection by Firewalls
The Dell SonicWALL Threats Research team observed reports of a new malware family, GAV: Redosdru.V, actively spreading in the wild. This time the attackers used a dropper to download the main malware, which hides in encrypted DLL files to avoid detection by firewalls.
The malware adds the following file to the system:
C:\Program Files\Microsoft Fduood\Fduzjyw.exe
The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:
Wsejti gzuaqwud = C:\Program Files\Microsoft Fduood\Fduzjyw.exe
Once the computer is compromised, the malware copies its own files to the AppPatch folder.
The malware tries to download an encrypted DLL file from its own C&C server at the following domain:
Here is an example of encrypted DLL file:
Command and Control (C&C) Traffic
Redosdru.V communicates over ports 9925 and 60321. The malware sends the infected system's information to its C&C server in the following format; here is an example:
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
GAV: Redosdru.V (Trojan)
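The indicators above (the dropped binary, the persistence value, the copy into AppPatch, and the two C&C ports) can be turned into a small host-and-network hunt. The script below is an added example, not SonicWALL code or part of the original advisory: it matches the listed indicators against constructed JSON event lines. The registry hive and key, the AppPatch location (C:\Windows\AppPatch), the name of the file copied into AppPatch, and the sample IP addresses are assumptions, since the advisory does not state them; the AppPatch rule is therefore reported at lower confidence.

```python
"""Match the Redosdru.V indicators from the advisory against host and network
event records. Added example for illustration; this is not SonicWALL code."""
import json
import ntpath

# Indicators stated in the advisory
DROPPED_FILE = r"C:\Program Files\Microsoft Fduood\Fduzjyw.exe"
RUN_VALUE_NAME = "Wsejti gzuaqwud"      # registry value that points at the dropped file
C2_PORTS = {9925, 60321}                # destination ports used for C&C traffic
# Assumption: the advisory only says "AppPatch folder"; this is its usual location.
APPPATCH_DIR = r"C:\Windows\AppPatch"


def norm(path: str) -> str:
    """Case-insensitive, separator-normalised Windows path for comparisons."""
    return ntpath.normcase(ntpath.normpath(path))


def match_event(ev: dict):
    """Return (confidence, reason) if the event matches an indicator, else None."""
    kind = ev.get("type")
    if kind == "file":
        p = norm(ev.get("path", ""))
        if p == norm(DROPPED_FILE):
            return ("high", "dropped binary written to Program Files")
        # The advisory says the malware copies itself into AppPatch but does not
        # name the copied file, so any executable landing there is only a lead.
        if p.startswith(norm(APPPATCH_DIR) + "\\") and p.endswith((".exe", ".dll")):
            return ("medium", "executable written to AppPatch folder")
    elif kind == "registry":
        # The hive/key is not given in the advisory, so match on value name and data.
        name_hit = ev.get("value_name", "") == RUN_VALUE_NAME
        data_hit = norm(ev.get("data", "")) == norm(DROPPED_FILE)
        if name_hit or data_hit:
            return ("high", "persistence value referencing the dropped binary")
    elif kind == "network":
        if int(ev.get("dst_port", 0)) in C2_PORTS:
            return ("medium", f"outbound connection on C&C port {ev['dst_port']}")
    return None


def scan(lines):
    """Parse JSON event lines and collect matches, skipping malformed lines."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        m = match_event(ev)
        if m:
            hits.append((m[0], m[1], ev))
    return hits


# Constructed sample events (hive, IPs and the AppPatch file name are made up).
SAMPLE_EVENTS = [
    r'{"type": "file", "path": "C:\\Program Files\\Microsoft Fduood\\Fduzjyw.exe"}',
    r'{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", '
    r'"value_name": "Wsejti gzuaqwud", "data": "C:\\Program Files\\Microsoft Fduood\\Fduzjyw.exe"}',
    r'{"type": "network", "dst_ip": "203.0.113.10", "dst_port": 9925, "proto": "tcp"}',
    r'{"type": "network", "dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp"}',
    r'{"type": "file", "path": "C:\\Windows\\AppPatch\\dropped.dll"}',
    "this line is not JSON and must be skipped",
    r'{"type": "network", "dst_ip": "203.0.113.10", "dst_port": 60321, "proto": "tcp"}',
]

if __name__ == "__main__":
    for confidence, reason, ev in scan(SAMPLE_EVENTS):
        print(f"[{confidence}] {reason}: {ev}")
```

Run as a script it prints five matches: two high-confidence hits (the dropped file and the persistence value) and three medium-confidence hits (the AppPatch write and the two C&C-port connections); the HTTPS connection and the malformed line produce nothing. Feed it real EDR or firewall exports converted to the same three event shapes to hunt across a fleet.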