Installation
This malware injects its code into iexplore.exe. It installs a copy of itself to one of the following locations:
- %APPDATA%\Java Security Plugin\javaplugin.exe
- %APPDATA%\<five random characters>\<five random characters>.exe, for example %APPDATA%\slwgk\slwgk.exe
It also creates the following files:
- <malware path>\strokes.log - encrypted data
- <malware path>\SecureDll.dll - keylogging component, detected as TrojanSpy:Win32/Dexter!dll
- <malware path>\tmp.log - encrypted data
Where <malware path> is the folder where the malware was run.
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sun Java Security Plugin" or "<random GUID>", for example "3d95381f-d856-4407-8b1a-2cbff825795b"
With data: "%APPDATA%\Java Security Plugin\javaplugin.exe" or "%APPDATA%\<five random characters>\<five random characters>.exe", for example "%APPDATA%\slwgk\slwgk.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sun Java Security Plugin" or "<random GUID>", for example "3d95381f-d856-4407-8b1a-2cbff825795b"
With data: "%APPDATA%\Java Security Plugin\javaplugin.exe" or "%APPDATA%\<five random characters>\<five random characters>.exe", for example "%APPDATA%\slwgk\slwgk.exe"
In subkey: HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Sun Java Security Plugin" or "<random GUID>", for example "3d95381f-d856-4407-8b1a-2cbff825795b"
With data: "%APPDATA%\Java Security Plugin\javaplugin.exe" or "%APPDATA%\<five random characters>\<five random characters>.exe", for example "%APPDATA%\slwgk\slwgk.exe"
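The persistence entries and dropped files above are easy to hunt for on a live host. The following PowerShell triage script is an added example and is not part of the original write-up or the malware's own code. It checks the three Run keys for the value names and install paths listed above, looks next to any matching executable for the three dropped files, and lists iexplore.exe processes that were not started by the shell, since this malware launches its own browser instance to host the injected code. The regular expressions are assumptions derived from the path and value-name patterns in the write-up, not signatures from the analyst.

```powershell
# Added triage script for the Dexter installation artifacts described above.
# Not the malware's code and not from the original write-up; run it in an
# elevated PowerShell session on the suspect host.

# The three Run keys named in the write-up (HKU\.DEFAULT needs the Registry:: provider path).
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumed patterns, derived from the write-up: the fixed value name or a bare GUID as the
# value name, and data pointing at %APPDATA%\Java Security Plugin\javaplugin.exe or
# %APPDATA%\<five characters>\<five characters>.exe.
$FixedName    = 'Sun Java Security Plugin'
$GuidName     = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
$DexterPath   = '(?i)(?:%APPDATA%|\\AppData\\Roaming)\\(?:Java Security Plugin\\javaplugin\.exe|[a-z0-9]{5}\\[a-z0-9]{5}\.exe)"?\s*$'
$DroppedFiles = 'strokes.log', 'tmp.log', 'SecureDll.dll'

# Properties that Get-ItemProperty adds itself; everything else is a real registry value.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$persistence = foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -in $ProviderProps) { continue }
        $data   = [string]$v.Value
        $byName = ($v.Name -eq $FixedName) -or ($v.Name -match $GuidName)
        $byPath = $data -match $DexterPath
        if (-not ($byName -or $byPath)) { continue }

        # %APPDATA% expands to the *current* user's profile, so for HKLM and .DEFAULT
        # entries ExeExists can be false even though the file exists in another profile.
        $exe = [Environment]::ExpandEnvironmentVariables($data.Trim('"').Trim())
        $dir = if ($exe) { Split-Path -Parent $exe } else { $null }
        $reason  = if ($byName -and $byPath) { 'name+path' } elseif ($byName) { 'name' } else { 'path' }
        $dropped = if ($dir) {
            ($DroppedFiles | Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) }) -join ','
        } else { '' }

        [pscustomobject]@{
            Key       = $key
            ValueName = $v.Name
            Data      = $data
            Reason    = $reason
            ExeExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            Dropped   = $dropped
        }
    }
}

# The malware opens its own iexplore.exe to host the injected code, so an IE process
# whose parent is not explorer.exe (or another iexplore.exe) deserves a look.
$ieProcs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid        = $_.ProcessId
        ParentPid  = $_.ParentProcessId
        Parent     = $parent.Name
        ParentPath = $parent.ExecutablePath
    }
} | Where-Object { $_.Parent -notin 'explorer.exe', 'iexplore.exe' }

'== Run-key entries matching the Dexter install patterns =='
$persistence | Format-Table -AutoSize
'== iexplore.exe processes not started by the shell =='
$ieProcs | Format-Table -AutoSize
```

A hit on the value name alone (a GUID-named Run value) is weaker evidence than a hit on the path, so the Reason column is worth reading before acting. If you remove the entries by hand, stop the running copy first; otherwise it can recreate the Run value on its next cycle.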
Payload
Steals credit card information
This malware can steal credit card information from an infected machine. It injects its code into Internet Explorer by opening a new instance of the browser. The injected code can then gather the following information from the infected PC:
- track data (credit card data scraped from memory)
- user names and host names
- operating system
- processor type
- list of running processes
- random key to decrypt the data
It sends the stolen information to a remote command and control server via HTTP POST. We have seen it contact the following domains and IP addresses:
- 11e2540739d7fbea1ab8f9aa7a107648.com
- 151.248.115.107
- 193.107.17.126
- 62.76.44.111
- 67b3dba8bc6778101892eb77249db32e.com
- 7186343a80c6fa32811804d23765cda4.com
- 815ad1c058df1b7ba9c0998e2aa8a7b4.com
- backup-service.in.ua
- bilimteknoloji.info
- e7bc2d0fceee1bdfd691a80c783173b4.com
- e7dce8e4671f8f03a040d08bb08ec07a.com
- fabcaa97871555b68aa095335975e613.com
The malware can also receive commands from the malicious hacker, including instructions to:
- update itself
- change how often it sends stolen information
- change how often it scans memory for sensitive data
- uninstall itself
- download and run other applications
Changes your browser settings
This malware stores its configuration and lowers your web browser security settings by setting the following registry values:
In subkey: HKCU\Software\HelperSolutions Software or HKCU\Software\Resilience Software
Sets value: "Digit"
With data: "<random GUID>", for example "16129044-7d76-4870-9cf7-3bf969ae1b0e"
In subkey: HKCU\Software\HelperSolutions Software
Sets value: "val1"
With data: "<malware_path>\strokes.log"
In subkey: HKCU\Software\HelperSolutions Software
Sets value: "val2"
With data: "<malware_path>\tmp.log"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Sets value: "LowRiskFileTypes"
With data: ".exe;.bat;.reg;.vbs;"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1806"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
Sets value: "1806"
With data: "0"
Additional information
This malware creates a mutex with one of the following names as an infection marker, to prevent more than one copy of the threat running on your PC:
- "WindowsServiceStabilityMutex"
- "WindowsResilienceServiceMutex"
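The configuration values and security-setting changes listed under "Changes your browser settings", together with the mutex names above, give a second set of host indicators. The following PowerShell check is an added example, not the analyst's or the malware's code. It reads the HelperSolutions/Resilience configuration values, flags the two policy changes, and tests for the two mutexes with .NET's Mutex.TryOpenExisting. The policy meanings are stated from Windows documentation rather than from the write-up: LowRiskFileTypes is the Attachment Manager policy that suppresses the "open file" security warning for the listed extensions, and Zone 0 is the Local Machine zone, where action 1806 is "Launching applications and unsafe files" and a value of 0 means enabled without a prompt.

```powershell
# Added check for the Dexter configuration, policy and mutex artifacts described above.
# Not the malware's code and not from the original write-up. Run it in the session of the
# user whose profile is suspected (HKCU and non-Global mutex names are per user/session),
# elevated so that HKLM is readable.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Where, $Name, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = $Value; Note = $Note })
}

# 1. Configuration keys: Digit (a GUID) and val1/val2 (paths to the encrypted logs).
foreach ($cfg in 'HKCU:\Software\HelperSolutions Software', 'HKCU:\Software\Resilience Software') {
    if (-not (Test-Path -LiteralPath $cfg)) { continue }
    $p = Get-ItemProperty -LiteralPath $cfg
    foreach ($n in 'Digit', 'val1', 'val2') {
        $val = $p.$n
        if ($null -ne $val) { Add-Finding $cfg $n $val 'Dexter configuration value' }
    }
}

# 2. LowRiskFileTypes: listing executable extensions here suppresses the Attachment
#    Manager "open file" security warning for them.
$assoc     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$riskyExts = '.exe', '.bat', '.reg', '.vbs'
$lr = (Get-ItemProperty -LiteralPath $assoc -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lr) {
    $marked = @(($lr -split ';') | ForEach-Object { $_.Trim() } | Where-Object { $_ -in $riskyExts })
    if ($marked.Count -gt 0) {
        Add-Finding $assoc 'LowRiskFileTypes' $lr ("executable types marked low risk: " + ($marked -join ','))
    }
}

# 3. Zone 0 (Local Machine), action 1806 = "Launching applications and unsafe files";
#    0 = enabled with no prompt. The malware sets it in both HKLM and HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $zone = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
    $v = (Get-ItemProperty -LiteralPath $zone -ErrorAction SilentlyContinue).'1806'
    if ($null -ne $v -and [int]$v -eq 0) {
        Add-Finding $zone '1806' $v 'unsafe-file launch prompt disabled for the Local Machine zone'
    }
}

# 4. Mutexes: TryOpenExisting succeeds only while a process in this session holds the mutex,
#    so a hit means the threat is running right now, not merely installed.
foreach ($m in 'WindowsServiceStabilityMutex', 'WindowsResilienceServiceMutex') {
    $mx = $null
    if ([System.Threading.Mutex]::TryOpenExisting($m, [ref]$mx)) {
        $mx.Dispose()
        Add-Finding 'Mutex' $m 'present' 'infection marker held by a running process'
    }
}

if ($findings.Count -eq 0) { 'No Dexter configuration, policy or mutex indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Because the mutex names carry no "Global\" prefix, the check only sees mutexes created in the same session; on a multi-session host (for example a terminal server) run it in each logged-on session. After cleanup, restore 1806 to its previous value and remove the LowRiskFileTypes entry, since neither is undone by deleting the executable.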
Analysis by Marianne Mallen