- HKLM\software\microsoft\windows\currentversion\run[8ce73491bf190a3fd7028c92bd3331b1] "%TEMP%\chrome.exe"
- HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list [%TEMP%\chrome.exe]
Figure 1: DNS query to hackernople.no-ip.biz
It then sends information such as the current date, the victim's computer name, user name, operating system and IP address to a remote server:
Figure 2: Trojan sending personal information to a remote C&C server
We have also noticed the Trojan sending desktop screenshots to a remote server:
Figure 3: Trojan sending screenshots in a JPG format to a remote C&C server
This Trojan is capable of deleting files from a victim's machine. During our analysis, it deleted security tools such as procexp and tcpview.
Figure 4: Trojan sending a confirmation of removal of processes such as procexp.exe and tcpview.exe
It is also capable of downloading additional malicious components. During our analysis, it downloaded a password recovery tool called "WebBrowserPassView" on to the victim's machine and installed it. This tool can be used to reveal passwords stored in the victim's internet browsers.
Figure 5: Packets showing the infected machine receiving an executable
Figure 6: Receiving command to execute and install WebBrowserPassView
This Trojan is capable of deleting data, possibly disrupting services, and stealing information, so it poses a serious threat depending on the sensitivity of the data stolen from the victim. It spreads more widely because it banks on the popularity of the game it pretends to be, and with its capability to download and install more components, victims will likely end up with multiple malware infections on their computer systems.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Barys.RAT (Trojan)
Source: Dell SonicWALL Security Center
Have a good time.
(Be knowledgeable, then pass it on)