Tepfer Infostealer Trojan being actively spammed

November 16, 2012

Dell SonicWALL Threats Research team captured multiple spam campaigns serving a newer variant of the Tepfer Infostealer Trojan. The malware arrives as an e-mail attachment using the themes shown below:

screenshot

The malware executable inside the zip attachment uses an Adobe PDF file icon and also carries official Microsoft Windows application metadata to disguise itself, as seen below:

screenshot screenshot

Infection Cycle

The malware executable performs the following activities if the user is tricked into opening the file:

  • It looks for the configuration files (.ini, .dat, .xml, etc.) of multiple applications to steal FTP and E-mail server information and user credentials:

    screenshot

  • It contains a list of common passwords that is compressed inside the binary using the aPLib v1.01 compression library. The decompressed list is shown below:

    screenshot

  • It attempts to connect to a list of predetermined servers and sends the stolen information via an HTTP request (POST /forum/viewtopic.php):
    • 3.soundfactor.org
    • 3.ussana.net
  • It further downloads and executes a new variant of the P2P Zeus binary from the multiple remote servers listed below. It appears to be exploiting the Pay-Per-Install scheme by downloading and installing multiple instances of the same Zeus payload from different servers on the victim machine:
    • mjorart.com/{REMOVED}.exe
    • bestinsighttours.com/{REMOVED}.exe
    • rdquark.com/{REMOVED}.exe
    • quranaqiq.com/{REMOVED}.exe
    • westquimica.com/{REMOVED}.exe
    • superelectronico.com/{REMOVED}.exe
    • jagatoko.com/{REMOVED}.exe
    • muzikmeno.com/{REMOVED}.exe
    • eds-kurier.de/{REMOVED}.exe

    The downloaded Zeus payload is detected as GAV: Zbot.AAN_65 (Trojan).

  • The Infostealer variants seen across different spam campaigns in the last two weeks appear to be from the same author, as indicated by the project name extracted from the binary:

    screenshot
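
The network behaviour described above (the POST to /forum/viewtopic.php on the two C2 hosts, followed by .exe fetches from the Pay-Per-Install servers) can be hunted for in web-proxy logs. The following is an added example, not code from the advisory or from Dell SonicWALL; the log layout and the client addresses are constructed for the example, and the downloaded file name is a placeholder because the advisory redacts it.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the advisory above.
C2_HOSTS = {"3.soundfactor.org", "3.ussana.net"}
C2_PATH = "/forum/viewtopic.php"
PAYLOAD_HOSTS = {
    "mjorart.com", "bestinsighttours.com", "rdquark.com", "quranaqiq.com",
    "westquimica.com", "superelectronico.com", "jagatoko.com",
    "muzikmeno.com", "eds-kurier.de",
}

# Constructed proxy-log layout for this example: "<client> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def classify(line):
    """Return (label, client, host) when a log line matches one of the advisory's
    indicators, else None. Exfiltration is matched on method, host and path so an
    unrelated GET of the same forum URL is not flagged."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    method = m.group("method")
    if method == "POST" and host in C2_HOSTS and url.path == C2_PATH:
        return ("tepfer-exfil", m.group("client"), host)
    if method == "GET" and host in PAYLOAD_HOSTS and url.path.lower().endswith(".exe"):
        return ("zeus-ppi-download", m.group("client"), host)
    return None


def scan(lines):
    """All indicator hits in the given log lines, in log order."""
    return [hit for hit in (classify(l) for l in lines) if hit]


def infected_clients(lines):
    """Clients that both posted to a C2 host and fetched a payload: the full chain."""
    by_client = {}
    for label, client, _host in scan(lines):
        by_client.setdefault(client, set()).add(label)
    return sorted(c for c, labels in by_client.items() if len(labels) == 2)


# Constructed sample log; "update.exe" stands in for the redacted file name.
SAMPLE_LOG = [
    "10.0.0.5 GET http://www.example.com/index.html 200",
    "10.0.0.5 POST http://3.soundfactor.org/forum/viewtopic.php 200",
    "10.0.0.5 GET http://mjorart.com/update.exe 200",
    "10.0.0.7 POST http://3.ussana.net/forum/viewtopic.php 404",
    "10.0.0.8 GET http://eds-kurier.de/index.html 200",
    "not a log line",
]
```

Matching on the full request (method, host and path) rather than on the domain alone keeps the exfiltration rule from firing on benign traffic to those hosts, while the per-client correlation separates a single suspicious download from a confirmed infection chain.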

Dell SonicWALL Gateway AntiVirus has blocked close to 1 million instances of these spammed Infostealer variants in the past week. Below is the geographic distribution of this Infostealer spam campaign:

screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Tepfer.BVXJ (Trojan)
  • GAV: Tepfer.CAVW (Trojan)