Trojan with sophisticated features served through Social Networks

December 6, 2012

Dell SonicWALL Threats Research team discovered a new Trojan spreading through malicious links in Facebook messages. This Trojan is very sophisticated and sports various features such as Anti-debugging code, self modifying code, SEH (Structured Exception Handler) modification, code injection, Spam module, Bitcoin mining module, Facebook messaging module and encrypted C&C communication. We saw various links through which this Trojan was being served. Once these links are clicked, it downloads the Trojan and also often displays an enticing message urging the user to run the executable. One such instance is shown below:

The executable when downloaded is as shown below:

Infection Cycle

  • The Trojan when executed creates a copy of itself in:

    %userprofile%fnph.exe [Detected as GAV: Injector.ZTL (Trojan)]

  • It creates the following registry entry ensuring that it automatically starts on system reboot

    • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun:MSConfig:"%userprofile%fnph.exe"

  • It has self modifying code which creates a custom IAT(Import Address Table) during runtime

  • As seen below it adds a custom exception handling routine to the Structured Exception Handler (SEH) chain in the Thread Environment Block (TEB) of the process. This handling routine contains logic that is triggered during runtime.

The self modifying portion of the code creates an instance of svchost.exe and injects code in to it. The injected code in svchost.exe communicates with a remote C&C server and was also found containing various other interesting modules discussed below:

  • It communicates with a remote server over Port 443 using a custom encryption protocol. We observed it communicating with the following hardcoded remote servers:

    • 185.4.227.76
    • 185.4.227.78
    • 188.165.132.183

  • It also contains a module to send out emails. It does this by querying various public MX servers and attempts to relay emails through them. During a controlled run we observed the following queries being generated (many more were found in memory):

  • We discovered a worm module with the following hardcoded Facebook interfaces in order to spread via chat messages:

  • We saw the following hardcoded bitcoin mining URL's with account information:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Injector.ZTL (Trojan)
  • GAV:Buzus.MTFH (Trojan)
  • GAV:Buzus.MTED (Trojan)