We have seen this threat bundled alongside tools used to crack or generate software keys.
For example, we have seen this threat infect a PC in the following manner:
A user downloads and runs the file <product name>_keygen.exe, for example R_Studio_7_5_Build_156292_Network_Edition_keygen.exe. The file is a self-extracting archive that extracts the following two files into the %TEMP% folder and runs them:
- <four numbers>.exe, for example 6597.exe - the actual key generator
- <four numbers>.exe, for example 6118.exe - this threat, Trojan:Win32/Gatak.DR
Installation
This threat injects code into a running process, usually explorer.exe, and then deletes its own file by running the following command:
- CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL %TEMP%\6118.exe
Payload
Contacts remote host
The code injected into the explorer.exe process communicates with a remote host to report the infection status and some information about the PC. We have seen it try to contact:
- 62.149.166.33/report_N_<varying hexadecimal data>_<reporting status>
The <reporting status> can be any of these:
- crc_ok
- gdiplus_not_ok
- gdiplus_ok
- image_not_ok
- image_ok
- image_size_not_ok
- image_size_ok
- image_type_not_ok
- image_type_ok
- mark_not_setted
- mark_setted
- page_err
- page_ok
- payload_executed
- payload_file_delete_ok
- payload_file_name_ok
- payload_file_run_ok
- payload_file_wait_ok
- payload_file_write_ok
- payload_mem_not_ok
- payload_mem_ok
- payload_not_ok
- payload_ok
- payload_size_ok
- payload_type_bad
- payload_type_exe
- payload_type_exe_wait_del
- payload_type_shell
- watch2_err_1
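As an added example (not part of the original write-up), a small hunting script over constructed proxy-log lines and process command lines: it parses the report_N_<hex>_<status> beacon described above, checks the status token against the listed set (flagging unknown tokens rather than dropping them), and matches the SYSTEMINFO && ... && DEL self-deletion command from the Installation section. The proxy-log format, client addresses and timestamps are assumptions.

```python
import re

# Status tokens the write-up lists for the report_N_<hex>_<status> beacon.
KNOWN_STATUS = {
    "crc_ok", "gdiplus_not_ok", "gdiplus_ok", "image_not_ok", "image_ok",
    "image_size_not_ok", "image_size_ok", "image_type_not_ok", "image_type_ok",
    "mark_not_setted", "mark_setted", "page_err", "page_ok", "payload_executed",
    "payload_file_delete_ok", "payload_file_name_ok", "payload_file_run_ok",
    "payload_file_wait_ok", "payload_file_write_ok", "payload_mem_not_ok",
    "payload_mem_ok", "payload_not_ok", "payload_ok", "payload_size_ok",
    "payload_type_bad", "payload_type_exe", "payload_type_exe_wait_del",
    "payload_type_shell", "watch2_err_1",
}
# <host>/report_N_<hex>_<status>: the hex class excludes "_", so the first "_"
# after the hex run unambiguously starts the status word.
BEACON_RE = re.compile(r"^(?:https?://)?([^/]+)/report_N_([0-9A-Fa-f]+)_([a-z0-9_]+)$")
# Self-deletion wrapper: SYSTEMINFO chained at least twice into DEL of a
# four-digit .exe under %TEMP%, as in the command quoted in the Installation section.
SELFDEL_RE = re.compile(r"(?:SYSTEMINFO\s*&&\s*){2,}DEL\s+%TEMP%\\\d{4}\.exe", re.IGNORECASE)

def parse_beacon(url):
    """Return (host, hex_id, status, status_is_known), or None if not a beacon."""
    m = BEACON_RE.match(url.strip())
    if not m:
        return None
    host, hex_id, status = m.groups()
    return host, hex_id, status, status in KNOWN_STATUS

def hunt_proxy_log(lines):
    """Return (client, host, hex_id, status, known) per beacon in assumed
    'timestamp client url' lines; unknown statuses are kept and flagged."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3:
            found = parse_beacon(fields[2])
            if found:
                hits.append((fields[1],) + found)
    return hits

def is_self_delete_cmd(cmdline):
    """True if a process command line matches the SYSTEMINFO && ... && DEL pattern."""
    return bool(SELFDEL_RE.search(cmdline))

# Constructed sample proxy lines (hypothetical client IPs and timestamps).
SAMPLE_PROXY_LOG = [
    "2014-06-02T10:01:05Z 10.0.0.15 http://62.149.166.33/report_N_0A1B2C3D_image_ok",
    "2014-06-02T10:01:09Z 10.0.0.15 http://62.149.166.33/report_N_0A1B2C3D_payload_executed",
    "2014-06-02T10:01:12Z 10.0.0.15 http://62.149.166.33/report_N_0A1B2C3D_unknown_thing",
    "2014-06-02T10:02:00Z 10.0.0.22 http://example.com/index.html",
]
```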
Downloads other files, including other malware
The injected code also contains hard-coded URLs to image-sharing websites. The threat downloads a .png file from which it extracts a payload. The following are the two most common URLs we have seen it try to use:
- hostthenpost.org/uploads/<image name>
- www.imagesup.net/?di=<image ID>
Steganography techniques are used to hide the payload data in the image file; after decryption, the payload yields further URLs for the malware to connect to.
Analysis by Mathieu Letourneau