TrojanSpy.Win32.GOLROTED.S

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals sensitive information such as user names and passwords related to certain games. It logs a user's keystrokes to steal information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

• %Application Data%/WinMgmt/AuthFWizFwk.exe
• %User Startup%/pcalua.vbs → executed the dropped file AuthFWizFwk.exe
• %User Temp%/Tar{4 random characters}.tmp <- temporary encrypted config file, deleted afterwards

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd.exe /C TASKKILL /F /IM wscript.exe
• cmd.exe /C TASKKILL /F /IM cmd.exe
• "%Windows%\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "%User Temp%\tmp6D31.tmp"
• %Windows%\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• %Application Data%\WinMgmt

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Information Theft

This Trojan Spy steals sensitive information such as user names and passwords related to the following games:

• Minecraft

It gathers the following data:

• Computer name
• Local Date and Time
• Installed Language
• Operating System Platform
• Operating System Version
• Key logs
• Clipboard logs
• Language
• .NET framework Installed
• System Privilege
• Default Browser
• List of installed AV products
• List of installed Firewall
• Internal IP
• External IP

It attempts to steal stored account information used in the following installed File Transfer Protocol (FTP) clients or file manager software:

• FileZilla
• CoreFTP

It attempts to steal stored email credentials from the following:

• Thunderbird
• Eudora
• Internet Account Manager
• MS Outlook
• Outlook Express
• Group Mail Free
• IncrediMail
• Windows Mail
• Windows Live Mail
• Yahoo! Mail
• Gmail
• Facebook

It attempts to get stored information such as user names, passwords, and hostnames from the following browsers:

• Firefox
• SeaMonkey
• YandexBrowser
• Vivaldi
• Chrome
• Chromium
• Opera
• Internet Explorer
• Apple Safari
• Opera

It logs a user's keystrokes to steal information.

Stolen Information

This Trojan Spy sends the data it gathers to the following email addresses via SMTP:

• {BLOCKED}t@spytector.com

Other Details

This Trojan Spy does the following:

• It adds the following Image File Execution Options to prevent certain AV related files from executing:
  
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{AV related file}
  Debugger = "rundll32.exe"
  
  Where {AV related file} can be any of the following:
  
  • rstrui.exe
  • AvastSvc.exe
  • avconfig.exe
  • AvastUI.exe
  • avscan.exe
  • instup.exe
  • mbam.exe
  • mbamgui.exe
  • mbampt.exe
  • mbamscheduler.exe
  • mbamservice.exe
  • hijackthis.exe
  • spybotsd.exe
  • ccuac.exe
  • avcenter.exe
  • avguard.exe
  • avgnt.exe
  • avgui.exe
  • avgcsrvx.exe
  • avgidsagent.exe
  • avgrsx.exe
  • avgwdsvc.exe
  • egui.exe
  • zlclient.exe
  • bdagent.exe
  • keyscrambler.exe
  • avp.exe
  • wireshark.exe
  • ComboFix.exe
  • MSASCui.exe
  • MpCmdRun.exe
  • msseces.exe
  • MsMpEng.exe
• It terminates itself if the following files are present in the system:
  
  • vmtoolsd.exe
  • vbox.exe
  • Windbg.exe
  • SbieDll.dll
• Injects malicious code to the following files:
  
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
• Credentials of the mail that all stolen information are sent:
  Email: {BLOCKED}t@spytector.com
  Password: {BLOCKED}er123@!