Trojan Masquerading as a resume seen in the wild

August 15, 2014

The Dell SonicWall Threats Research team has received reports of a Trojan masquerading as a resume. It may arrive as an email attachment that looks like a harmless PDF: the executable uses the PDF icon, and it is signed with a fake certificate claiming to be issued by Adobe Systems.

Figure 1: Trojan uses the PDF icon

Figure 2: Digital Signature

Infection Cycle:

Upon execution, the Trojan creates the following files:

  • %USERPROFILE%\Rar.exe (legitimate RAR command-line compression utility)
  • %USERPROFILE%\temporary.rar (password-protected archive)

It then extracts the contents of temporary.rar by executing the following command (the -p switch supplies the hard-coded archive password, so the payload is encrypted at rest until this step):

  • "%USERPROFILE%\Rar.exe" e "%USERPROFILE%\temporary.rar" -pUjht6yTgrt63 "%USERPROFILE%"

The extracted files are placed in the following locations:

  • %USERPROFILE%\CertMgr.exe (legitimate Microsoft Certificate Manager tool)
  • %USERPROFILE%\Sert.cer (a fake certificate)
  • %USERPROFILE%\Resume.pdf (a non-malicious PDF file)

The Trojan then installs the fake certificate into the Local Machine Trusted Root store by executing the following command. Because the destination is the machine-wide Root store, any certificate chaining to this fake root (for code signing or TLS) will be trusted by every user and service on the host:

  • "%USERPROFILE%\CertMgr.exe" -add -c "%USERPROFILE%\sert.cer" -s -r localMachine root

The Trojan then invokes Acrobat Reader to open the PDF file, which displays a poorly crafted resume written in Russian.

Figure 3: A decoy resume written in the Russian language
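The dropper sequence above leaves two distinctive process-creation events on the host: Rar.exe running from the user profile with a -p password switch, and CertMgr.exe adding a certificate to the localMachine Root store. The following is an added detection example, not code from the original write-up or from Dell SonicWALL; it runs two rules over constructed process-creation events whose command lines mirror the ones reported above (the paths, the "victim" user name and the benign look-alike events are assumptions made for the example).

```python
import re

# Constructed sample process-creation events (invented for this example, not
# telemetry from the write-up). The first two mirror the reported command
# lines; the last two are benign look-alikes that the rules must not flag.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Rar.exe",
     "cmdline": r'"C:\Users\victim\Rar.exe" e "C:\Users\victim\temporary.rar" -pUjht6yTgrt63 "C:\Users\victim"'},
    {"image": r"C:\Users\victim\CertMgr.exe",
     "cmdline": r'"C:\Users\victim\CertMgr.exe" -add -c "C:\Users\victim\sert.cer" -s -r localMachine root'},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" x "C:\Users\victim\Documents\photos.rar" "C:\Users\victim\Documents"'},
    {"image": r"C:\Program Files (x86)\Windows Kits\10\bin\x64\certmgr.exe",
     "cmdline": r'certmgr.exe -add -c devcert.cer -s -r currentUser my'},
]

# Image path under a user profile (a legitimate WinRAR install lives under Program Files).
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
# RAR's -p<password> switch; "-p-" means "do not prompt" and is excluded.
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p(?!-)\S+")
# certmgr -add ... -r localMachine root : a certificate added to the machine-wide Root store.
CERTMGR_ROOT_ADD = re.compile(r"-add\b.*-r\s+localmachine\s+root\b", re.I)


def image_name(path):
    """Return the lowercase file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, cmdline) pairs for events matching either rule."""
    hits = []
    for ev in events:
        name = image_name(ev["image"])
        cmd = ev["cmdline"]
        # Rule 1: RAR dropped under the user profile extracting a password-protected archive.
        if (name == "rar.exe" and USER_PROFILE.match(ev["image"])
                and RAR_PASSWORD_SWITCH.search(cmd)):
            hits.append(("rar_password_extract_from_profile", cmd))
        # Rule 2: any certmgr.exe adding a certificate to LocalMachine\Root.
        if name == "certmgr.exe" and CERTMGR_ROOT_ADD.search(cmd):
            hits.append(("certmgr_add_machine_root", cmd))
    return hits


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Rule 2 is deliberately independent of the image path: certmgr.exe is a legitimate SDK tool, so the signal is the destination store, not where the binary runs from. A hit should be followed by enumerating the host's machine Root store (for example with certutil -store Root) and removing the fake certificate, since deleting the dropped files alone leaves the rogue root trusted.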

It then makes the following DNS queries to verify internet connectivity:

Figure 4: Trojan connects to legitimate websites

The Trojan also checks for the presence of the following registry keys to determine whether the host is a virtual machine:

Figure 5: Trojan checking for virtual box related registry keys

It also uses one of the most common anti-debugging checks, a call to IsDebuggerPresent:

Figure 6: Trojan uses the IsDebuggerPresent function as an anti-debugging technique

During our analysis the Trojan attempted to download additional components.

Figure 7: The Trojan downloading poper.rar from ripola.net

It was also seen sending the plain-text message "INSTALL" over TCP port 25 (SMTP), presumably as an installation beacon.

Figure 8: The Trojan sending an email message to confirm installation

Overall, this Trojan is capable of downloading additional malware onto the victim's machine, and it can send sensitive information to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Eratoma.A (Trojan)