Fake Player Leads to Multicomponent GORIADU Attack

Written by: Valerie Ria Rivera

Using rogue software and applications is already an old trick in the malware book. Some malware families such as FAKEAV are best known for using convincing graphical user interfaces (GUI) to trick users. A fake Chinese video player recently gained media attention because of the malicious routines it effectively cloaks. Detected by Trend Micro as TROJ_FKEPLAYR.CH, this Trojan drops several other GORIADU malware that play specific roles in carrying out a complex multicomponent attack.

How does this Web threat arrive on users' systems?

This threat arrives in the form of an executable file that may unknowingly be downloaded by users from malicious websites. The file may also be dropped by other malware.

What happens once the malware get into users' systems?

Upon execution, TROJ_FKEPLAYR.CH drops several files including two malicious .EXE files detected as TROJ_GORIADU.SMZ and TROJ_GORIADU.SMX. TROJ_GORIADU.SMZ functions as the installer of a fake Chinese video player application that users can see. The fake graphical user interface (GUI) effectively hides the Trojan's malicious routines, which TROJ_FKEPLAYR.CH executes using specific parameters to drop two files—ipseccmd.exe and setup{numbers}.exe.

TROJ_FKEPLAYR.CH executes ipseccmd.exe, which is a legitimate Microsoft file used to configure IP Security Policy in order to block communication between the infected machine and certain IP addresses. TROJ_FKEPLAYR.CH also executes setup{numbers}.exe, aka TROJ_GORIADU.DRP, using the parameter /VERYSILENT /NORESTART to install its main malware components.

Once TROJ_GORIADU.DRP has been installed onto a system, it drops several files including malicious .DLL files detected as TROJ_GORIADU.SMC, TROJ_GORIADU.SMW and TROJ_GORIADU.SMY. It also drops a malicious .SYS file detected as TROJ_GORIADU.SMM. As a result, the infected system then exhibits the routines of these dropped files.

Of these dropped files, the most notable ones are TROJ_GORIADU.SMM and TROJ_GORIADU.SMC. TROJ_GORIADU.SMM is capable of blocking communication with certain antivirus-related organizations, while TROJ_GORIADU.SMC connects to URLs via a hidden Internet Explorer window.

Which malware are the key players in this multicomponent attack?

The main malware in this attack is TROJ_FKEPLAYR.CH because it effectively exposes the infected system to other possible malware infections. Another notable malware is TROJ_GORIADU.SMX, which TROJ_FKEPLAYR.CH executes to create TROJ_GORIADU.DRP. This Trojan is responsible for dropping four more malicious files on the system including TROJ_GORIADU.SMM and TROJ_GORIADU.SMC. TROJ_GORIADU.SMW also plays a significant role, in that it can decrypt the encrypted .EXE file used when executing TROJ_GORIADU.SMX to create TROJ_GORIADU.DRP. As such, even if the other dropped files have been removed from the system, TROJ_GORIADU.SMW is still capable of facilitating the creation of TROJ_GORIADU.DRP and repeating the infection process.

How does this threat affect users?

This multicomponent threat primarily affects users by installing several malicious files onto their systems. Doing so not only endangers the infected system, the malicious files also use up its resources, particularly the memory and bandwidth.

More importantly, however, this threat prevents users from accessing specific websites, which are said to be related to cloud antivirus technology. A component of this threat is also capable of connecting to possibly 
malicious URLs.

Are Trend Micro product users protected from this threat?

Yes. Trend Micro™ Smart Protection Network™ protects against this threat by blocking the URLs that the related malware connect to in its attempt to download malicious payloads. The payloads themselves are also detected by Trend Micro as malware and are consequently dealt with using a highly robust malware cleaning technology.

FROM THE FIELD: EXPERT INSIGHTS

“These particular behaviors meant to evade detection (appending of garbage code and blocking access to antivirus sites and related services) are definitely not unheard of but they do highlight the importance of protecting computers at all possible levels, such as the URL and file level.” – Alden Baleva, Threat response engineer

“The techniques used by this malware are interesting but not particularly new, client side polymorphism, (or changing what the malware looks like on the infected machine) has been around for many years to evade strict pattern based detection and no major vendor these days relies on that alone.” – Rik Ferguson, Senior Secuirty Advisor