The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Venik.RKT, actively spreading in the wild. This time the attackers get their code loaded into Service Host (svchost.exe) to avoid detection by anti-virus programs. Svchost.exe is a system process that hosts multiple Windows services, so a malicious DLL registered as one of those services runs inside a trusted, always-present process rather than as a separate executable that security software can single out.

Infection Cycle:
The Malware uses the following icon:

MD5:
- 9ba2036234c6a043d1f55bb018be34ff
The malware adds the following files to the system:
- Malware.exe
- C:\WINDOWS\system32\ackypw.dll [Detected as GAV: Venik.RKT (Trojan)]
The malware adds the following keys to the Windows registry to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32
  - %SystemRoot%\System32\svchost.exe -k krnlsrvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32\Parameters
  - C:\WINDOWS\system32\ackypw.dll

This is the standard layout of a svchost-hosted service: the service's image path starts svchost.exe with a -k group name, and the Parameters subkey names the service DLL that svchost loads into that group at start-up. No code injection is needed; the operating system loads the DLL for the attacker. Note that svchost only starts groups that are also listed under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; the advisory does not list a change to that key, but an unfamiliar group name such as krnlsrvc appearing there is a useful indicator when hunting for this family.
Once the computer is compromised, the malware drops its DLL, ackypw.dll, into the System32 folder.

The DLL is dropped after the malware launches on the target system and is registered as the service above, so svchost.exe (started with -k krnlsrvc) loads it into its own address space. Because the malicious code then runs inside a legitimate, Microsoft-signed system process, anti-virus programs that key on the process name or the launching executable miss it. Here is an example:

The malware also generates fake traffic toward the Baidu search engine, as shown below:

Command and Control (C&C) Traffic
Venik.RKT performs its C&C communication over port 8089. The malware sends the victim's system information to its C&C server in the following format; here is an example:
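The following hunting script was written for this page as an added example; it is not SonicWall's tooling and not code from the original post. It walks every service whose image path starts svchost.exe, reads the -k group and the Parameters service DLL, and flags entries that do not look like Microsoft's, then lists any established connection from a svchost.exe process to port 8089. It assumes a Windows 8 / Server 2012 or later host (Get-NetTCPConnection and Get-FileHash), that the C&C traffic is TCP (the advisory only gives the port number), and that the single MD5 in the advisory belongs to one of the dropped files; the service name, group, DLL name, hash and port are the advisory's values, everything else is generic. Run it from an elevated PowerShell on the host under examination.

```powershell
# Hunting script written for this page (example code, not SonicWall's).
# Assumes Windows 8 / Server 2012 or later and TCP for the C&C channel.

# Indicators taken from the advisory above.
$IocServiceName = 'WinjHrelpq32'
$IocGroup       = 'krnlsrvc'
$IocDllName     = 'ackypw.dll'
$IocMd5         = '9ba2036234c6a043d1f55bb018be34ff'   # advisory does not say which file
$IocC2Port      = 8089

$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-SvchostHostedService {
    # One REG_MULTI_SZ value per -k group; svchost only starts groups listed here.
    $groups = Get-ItemProperty -Path $svchostKey

    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        # Only services started as "svchost.exe -k <group>" are of interest.
        if (-not ($image -match '(?i)svchost\.exe\s+-k\s+(\S+)')) { continue }
        $group = $Matches[1]
        $name  = $key.PSChildName

        # Parameters\ServiceDll is the DLL svchost loads for this service.
        $dll = $null
        $paramsPath = Join-Path $key.PSPath 'Parameters'
        if (Test-Path $paramsPath) {
            $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
        }
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables([string]$dll) }

        $flags = @()
        # 1. Group registration: an unregistered group never starts; a registered
        #    group that does not list this service is equally odd.
        $members = $groups.$group
        if (-not $members)                            { $flags += 'group-not-registered' }
        elseif (@($members) -notcontains $name)       { $flags += 'service-not-in-group' }

        # 2. Is the service DLL present and Microsoft-signed? Catalog signatures
        #    are honoured by Get-AuthenticodeSignature on Windows 8 / PS 3.0+.
        $md5 = $null
        if (-not $dll) {
            $flags += 'no-servicedll'
        } elseif (-not (Test-Path $dll)) {
            $flags += 'servicedll-missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += 'servicedll-not-ms-signed'
            }
            $md5 = (Get-FileHash -Path $dll -Algorithm MD5).Hash.ToLower()
        }

        # 3. Direct matches against the advisory's indicators.
        if ($name -eq $IocServiceName)              { $flags += 'ioc-service-name' }
        if ($group -eq $IocGroup)                   { $flags += 'ioc-group' }
        if ($dll -and ($dll -like "*\$IocDllName")) { $flags += 'ioc-dll-name' }
        if ($md5 -eq $IocMd5)                       { $flags += 'ioc-md5' }

        [pscustomobject]@{
            Service    = $name
            Group      = $group
            ServiceDll = $dll
            Md5        = $md5
            Flags      = ($flags -join ',')
        }
    }
}

function Get-SuspectC2Connection {
    # Established TCP sessions from any svchost.exe to the advisory's C&C port.
    $svchostPids = (Get-Process -Name svchost -ErrorAction SilentlyContinue).Id
    Get-NetTCPConnection -State Established -RemotePort $IocC2Port -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess
}

# Show only services that raised at least one flag, then any C&C sessions.
Get-SvchostHostedService | Where-Object { $_.Flags } | Format-Table -AutoSize
Get-SuspectC2Connection  | Format-Table -AutoSize
```

On a clean system the first table is normally empty, apart from third-party services that legitimately run under svchost with a vendor signature; those show up as servicedll-not-ms-signed and are worth a glance but are not by themselves an infection. The IOC flags are the high-confidence hits for this family, while the generic flags catch the same technique used with different names.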



SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Venik.RKT (Trojan)