Trojan poses as a Fake Microsoft Office update

March 13, 2014

The Dell SonicWall Threats Research team has received reports of a Trojan posing as a Microsoft Office update opportunely timed with Patch Tuesday's release two days ago. The Trojan periodically contacts a remote server and has the ability to download and install further components on the victim machine.

Infection Cycle:

Upon execution the Trojan compares its file name against the following two names that are commonly used by security researchers when naming their malware samples and terminates itself when it finds a match:

Figure 1: Common file names for malware samples

The trojan creates a copy of itself into the following location:

  • %APPDATA%MsOfficeOfficeUpdt.exe [Detected as GAV: FakeOff.MS (Trojan)]

It also creates the following files in the same location:

  • %APPDATA%MsOfficedb
  • %APPDATA%MsOfficedebug.txt (log file)

Figure 2: Sample of information written to this log file

In order to start after reboot the bot adds the following keys to the registry:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun [MSOfficeUpdate] "%AppData%MsOfficeOfficeUpdt.exe"

The trojan periodically contacts a remote server and sends encrypted data from the log file:

Figure 3:Trojan connecting to a remote server

Figure 4:Sample of information sent to a remote server

The Trojan appears to be capable of supplementing itself with more functionalities by downloading and installing additional modules based on these strings found in its main executable:

Figure 5: Strings from the binary

But during our analysis, the only communication we received from the remote server had this content:

Figure 6: Sample content of communication received from the remote server

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: FakeOff.MS (Trojan)