Installation
This trojan is usually distributed via spam or exploits.
In the wild, we've seen this trojan being downloaded by TrojanDownloader/Upatre.
The threat copies itself to %APPDATA%\local\[random alphanumeric characters].exe (for example: %APPDATA%\local\ogTcCwihjpelfmm.exe).
It makes the following changes to the registry to ensure that it runs each time you start your PC:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\googleupdate
Sets a value with data: "%Windows%\[random file name].exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\googleupdate
Sets a value with data: "Google Update Service"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets a value with data: "%AppDataLocal%\[random file name].exe"
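One way to hunt for this persistence offline, from saved reg query output, as an added example written for this page (not code from the analysis). The reg query text is constructed to mirror the registry changes listed above; the value names DisplayName and ImagePath in it are the standard Windows service values and are an assumption, since the analysis does not record which value names the trojan writes. The OneDrive entry is a benign decoy: it also lives under Local AppData, but in a subfolder, which is why the Run-key check compares the parent directory exactly rather than testing for a prefix.

```python
import ntpath
import re

# Constructed sample of `reg query <key> /s` output, mirroring the registry
# changes described above. DisplayName and ImagePath are an assumption (the
# standard service value names); the OneDrive line is a benign decoy.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\googleupdate
    DisplayName    REG_SZ    Google Update Service
    ImagePath    REG_EXPAND_SZ    C:\Windows\ogTcCwihjpelfmm.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ogTcCwihjpelfmm    REG_SZ    C:\Users\alice\AppData\Local\ogTcCwihjpelfmm.exe
"""

SERVICE_SUFFIX = r"\services\googleupdate"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def parse_reg_query(text):
    """Parse reg query output into {key: {value_name: (type, data)}}.

    Key lines start in column 0; value lines are indented and separate
    name, type and data with runs of at least two spaces.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            keys[current] = {}
            continue
        if current is None:
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            name, rtype, data = parts
            keys[current][name] = (rtype, data)
    return keys


def image_path(data):
    """Extract the executable path from Run-key data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_persistence(keys, local_appdata):
    """Return persistence findings as (kind, name, path) tuples."""
    findings = []
    target_dir = ntpath.normpath(local_appdata).lower()
    for key, values in keys.items():
        lowered = key.lower()
        if lowered.endswith(SERVICE_SUFFIX):
            # Any value under the fake googleupdate service key is an indicator.
            for name, (_, data) in values.items():
                findings.append(("service", name, data))
        elif lowered.endswith(RUN_SUFFIX):
            for name, (_, data) in values.items():
                path = image_path(data)
                # Exact parent-directory match: the trojan drops its copy directly
                # into Local AppData, while legitimate software uses subfolders.
                if ntpath.dirname(ntpath.normpath(path)).lower() == target_dir:
                    findings.append(("run", name, path))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(parse_reg_query(SAMPLE_REG_QUERY),
                                    r"C:\Users\alice\AppData\Local"):
        print(finding)
```

On a live machine, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\googleupdate /s` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and pass the user's real %LOCALAPPDATA% path; ntpath handles Windows paths on any platform, so the same script works on an exported artifact during forensics.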
The trojan tries to connect to the following websites to check if your PC is connected to the internet:
Payload
Steals online banking information
This threat uses the man-in-the-browser (MITB) technique: it intercepts traffic inside the browser itself, where pages and form data are already decrypted, so HTTPS on the banking site offers no protection against it.
When you visit an online banking website that the trojan targets, it captures the user name and password you enter and sends them to a malicious hacker.
It hooks into the following web browsers to intercept banking sessions:
- Google Chrome
- Internet Explorer
- Mozilla Firefox
- Microsoft Edge
It monitors the following online banking websites:
Steals information
The trojan also collects the following information about your PC and sends it to a malicious hacker:
- Your PC name
- Your user name
- Your operating system
- The 32-character generated key unique to your PC for identification purposes
- Your IP address
To find out what the PC's public IP address is, the trojan either connects to "icanhazip.com" or queries one of the following STUN servers:
- 203.183.172.196:3478
- numb.viagenie.ca
- s1.taraba.nets2.taraba.net
- stun.2talk.co.nz
- stun.callwithus.com
- stun.ekiga.net
- stun.faktortel.com.au
- stun.ideasip.com
- stun.internetcalls.com
- stun.ipshka.com
- stun.iptel.org
- stun.l.google.com:19302
- stun.noc.ams-ix.net
- stun.phonepower.com
- stun.rixtelecom.se
- stun.schlund.de
- stun.sipgate.net
- stun.stunprotocol.org
- stun.voip.aebc.com
- stun.voiparound.com
- stun.voipbuster.com
- stun.voipstunt.com
- stun.voxgratia.org
- stun1.l.google.com:19302
- stun1.voiceeclipse.net
- stun2.l.google.com:19302
- stun3.l.google.com:19302
- stun4.l.google.com:19302
- stunserver.org
Note: The malware uses Session Traversal Utilities for NAT (STUN) to learn its public IP address. A STUN server answers a Binding Request with the source address and port it saw the request arrive from, which for a PC behind NAT is the public, post-translation address, so the query works even when the browser-facing route through icanhazip.com is blocked.
It creates the following encrypted log file in which to store the information it gathers:
%APPDATA%\Local\[random alphanumeric characters] (for example: %APPDATA%\Local\2ete64.vas)
Connects to a remote server
It connects to a command and control (C&C) server to receive commands from a malicious hacker and to upload the information it steals from your PC. We've observed the trojan connecting to the following servers, on ports 443 and 4443:
- 104.156.231.126:443
- 104.156.231.126:4443
- 104.156.245.247:443
- 104.156.245.247:4443
- 104.156.246.21:443
- 104.156.246.21:4443
- 104.156.250.209:443
- 104.156.250.209:4443
- 104.156.253.131:443
- 104.156.253.131:4443
- 104.207.148.97:443
- 104.207.148.97:4443
- 108.61.174.162:443
- 108.61.174.162:4443
- 108.61.176.87:443
- 108.61.176.87:4443
- 108.61.177.227:443
- 108.61.177.227:4443
- 108.61.179.174:443
- 108.61.179.174:4443
- 108.61.183.46:443
- 108.61.183.46:4443
- 108.61.185.116:443
- 108.61.185.116:4443
- 108.61.199.190:443
- 108.61.199.190:4443
- 108.61.199.226:443
- 108.61.199.226:4443
- 108.61.221.27:4443
- 94.23.25.68:443
- 94.23.25.68:4443
- 94.23.30.10:443
- 94.23.30.10:4443
- 94.23.30.29:443
- 94.23.30.29:4443
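A detection pass over firewall logs for the C&C endpoints listed above, as an added example written for this page (not code from the analysis). The endpoint list is copied from the table above exactly as observed, so 108.61.221.27 appears on port 4443 only; the log lines are constructed, and their "time action proto src -> dst" layout is an assumption to adjust for real logs. Strict mode matches the exact ip:port pair; loose mode matches the address on any port, which is the better first sweep when hunting, since the same infrastructure may be reached on a port the analysis did not happen to see.

```python
import re

# C&C endpoints from the analysis above, whitespace-separated ip:port tokens.
C2_ENDPOINT_LIST = """
104.156.231.126:443 104.156.231.126:4443
104.156.245.247:443 104.156.245.247:4443
104.156.246.21:443 104.156.246.21:4443
104.156.250.209:443 104.156.250.209:4443
104.156.253.131:443 104.156.253.131:4443
104.207.148.97:443 104.207.148.97:4443
108.61.174.162:443 108.61.174.162:4443
108.61.176.87:443 108.61.176.87:4443
108.61.177.227:443 108.61.177.227:4443
108.61.179.174:443 108.61.179.174:4443
108.61.183.46:443 108.61.183.46:4443
108.61.185.116:443 108.61.185.116:4443
108.61.199.190:443 108.61.199.190:4443
108.61.199.226:443 108.61.199.226:4443
108.61.221.27:4443
94.23.25.68:443 94.23.25.68:4443
94.23.30.10:443 94.23.30.10:4443
94.23.30.29:443 94.23.30.29:4443
"""

C2_ENDPOINTS = frozenset(
    (host, int(port))
    for host, port in (token.split(":") for token in C2_ENDPOINT_LIST.split())
)
C2_HOSTS = frozenset(host for host, _ in C2_ENDPOINTS)

# Constructed firewall log lines; the layout is assumed for this example.
# 93.184.216.34 is unrelated traffic and must not match.
SAMPLE_LOG = """\
2015-03-02T10:14:05Z ALLOW TCP 10.0.0.5:51234 -> 104.156.231.126:4443
2015-03-02T10:14:09Z ALLOW TCP 10.0.0.5:51235 -> 104.156.231.126:80
2015-03-02T10:15:41Z ALLOW TCP 10.0.0.9:49811 -> 108.61.221.27:4443
2015-03-02T10:15:42Z ALLOW TCP 10.0.0.9:49812 -> 108.61.221.27:443
2015-03-02T10:16:00Z ALLOW TCP 10.0.0.7:50020 -> 93.184.216.34:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def find_c2_connections(lines, match_port=True):
    """Return (timestamp, src, dst, dport) for each connection to a C&C endpoint.

    match_port=True requires the observed ip:port pair; False matches the
    address on any port, for a broader hunt.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparsable line: skip rather than abort the sweep
        dst, dport = m["dst"], int(m["dport"])
        matched = (dst, dport) in C2_ENDPOINTS if match_port else dst in C2_HOSTS
        if matched:
            hits.append((m["ts"], m["src"], dst, dport))
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG.splitlines()):
        print("strict:", hit)
    for hit in find_c2_connections(SAMPLE_LOG.splitlines(), match_port=False):
        print("loose: ", hit)
```

Whichever mode is used, a hit should be treated as a compromised host rather than a blocked-and-forgotten event: the connection is the trojan calling home, so the source address identifies the machine to isolate and image, and the persistence artifacts above are the next thing to check on it.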
Additional information
The malware tries to hide itself by injecting code into the following processes:
Analysis by Alden Pornasdoro