Yet another Delphi Infostealer Trojan
The Dell SonicWALL Threats Research team has discovered a new Delphi based information stealing Trojan. All the dropper samples of this family and the dropped components are Delphi files. The main goal for this multi-component malware is to steal confidential information from the victim computer.
Below is a sample of the DNS queries that the Trojan performed during analysis:
Upon execution, the dropper downloads the secondary component in an encrypted form and saves it as:
- %SYSTEM32%adodbupd.dat [Detected as GAV: EncAgent.HPE (Trojan)]
The dropper and all the subsequent downloaded files contain obfuscated API names to make analysis difficult for researchers. We were able to locate the decryption routine which revealed the calls during runtime. This is very similar to the Chinese bot we had posted a SonicALERT before which indicates possible connections between the authors of the two malware.
The dropper decrypts a portion of the downloaded file in memory. It then creates an explorer.exe process in suspended mode, injects the decrypted file into the suspended explorer.exe process and runs it.
The hijacked explorer process further creates two DLL files:
It creates two different restart mechanisms for each of these. IUNSYw32.dll is registered as a winlogon notification package which looks after the logon and startup events:
IUNSKw32.dll is registered as a ServiceDll for svchost based service with name "Intel(R) Management Services".
Once this service is started it downloads another encrypted file vdocert130327.dat and saves it as:
- %SYSTEM32%itusbcore.dat [Detected as GAV: EncAgent.HPE_2 (Trojan)]
The downloaded file is then decrypted in memory and injected into a new svchost.exe process. This final process now acts as an information stealer.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
- GAV: Agent.HPE (Trojan)
- GAV: Agent.HPE_2 (Trojan)
- GAV: EncAgent.HPE (Trojan)
- GAV: EncAgent.HPE_2 (Trojan)