Analysis by: Carl Maverick Pascual
 Modified by: Noel Anthony Llimos
ALIASES:

Trojan.Win32.DarkTequila.d (Kaspersky); Gen:Variant.Razy.15036 (Bitdefender)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This Trojan Spy arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It propagates via shared networks and drops copies of itself into available networks.

It connects to a website to send and receive information.

It logs a user's keystrokes to steal information.

  TECHNICAL DETAILS

File Size: 877,568 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 21 Aug 2018

Arrival Details

This Trojan Spy arrives as an attachment to email messages mass-mailed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following files:

  • %Windows%\Installer\{GUID}\{Random 1 Character}Ico ← Contains the encrypted stolen information
  • %Windows%\csrss.dll

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It terminates itself if it finds the following processes in the affected system's memory:

  • BufferZone
  • GeSWall
  • OllyDbg
  • Process Explorer
  • Process Monitor
  • SafeSpace
  • Sandboxie
  • WinDbg
  • WinPcap

Autostart Technique

This Trojan Spy registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem\Parameters
ServiceDll = %Windows%\csrss.dll

Other System Modifications

This Trojan Spy adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet%current%\
­Services\­Tcpip\­Parameters
EnableBpc = 1

HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet%lastknowngood%\
­Services\­Tcpip\­Parameters
EnableBpc = 1

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem
DisplayName = Windows Client Server Runtime Subsystem

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem
ImagePath = %SystemRoot%\system32\svchost.exe -k Wcsrss

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem
ObjectName = LocalSystem

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\
services\WindowsClientServerRunTimeSubsystem
Type = 16

Propagation

This Trojan Spy propagates via shared networks and drops copies of itself into available networks.

Backdoor Routine

This Trojan Spy connects to the following websites to send and receive information:

  • http://6{BLOCKED9.144/
  • https://46.1{BLOCKED}.12/we{BLOCKED}ite/
  • https://17{BLOCKED}.34/
  • https://75.1{BLOCKED}.251/

Download Routine

This Trojan Spy saves the files it downloads using the following names:

  • {Available Removable Drive}\­autorun.inf ← Contains the path to the malware executable
  • {Available Removable Drive}\­autorun.exe ← Contains the path to the malware executable

Information Theft

This Trojan Spy gathers the following data:

  • OS Version
  • IP Address
  • CPU ID
  • Username
  • Computer Name

It logs a user's keystrokes to steal information.

Other Details

This Trojan Spy connects to the following URL(s) to check for an Internet connection:

  • http://update.microsoft.com
  • http://facebook.com
  • http://mail.yahoo.com

It does the following:

  • It connects to a specific URL which will display the following:
  • It creates the following service.
    • Service Name: WindowsClientServerRunTimeSubsystem
    • Service Path: %System%\svchost.exe -k Wcsrss
    • Service DLL: %Windows%\csrss.dll
    • Service Description: This service manages client to server coordination in the local system.
  • It steals login credentials related to the following applications:
    • Windows Messenger
    • Internet Explorer
    • Mozilla Firefox
    • FileZilla
    • FlashFXP
    • Windows Live Mail
    • Windows Mail
    • Mozilla Thunderbird
    • Microsoft Outlook
    • Google Chrome

  SOLUTION

Minimum Scan Engine: 9.850
FIRST VSAPI PATTERN FILE: 14.456.07
FIRST VSAPI PATTERN DATE: 21 Aug 2018
VSAPI OPR PATTERN File: 14.457.00
VSAPI OPR PATTERN Date: 22 Aug 2018

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet%current%\Services\­Tcpip\­Parameters
    • EnableBpc = 1
  • In HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet%lastknowngood%\Services\­Tcpip\­Parameters
    • EnableBpc = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem
    • DisplayName = Windows Client Server Runtime Subsystem
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem
    • ImagePath = %SystemRoot%\system32\svchost.exe -k Wcsrss
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem
    • ObjectName = LocalSystem
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem
    • Start = 2
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem
    • Type = 16

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WindowsClientServerRunTimeSubsystem\Parameters
    • ServiceDll = %Windows%\csrss.dll

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\Installer\{GUID}\{Random 1 Character}Ico ← Contains the encrypted stolen information
  • %Windows%\csrss.dll

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_DARKTEQUILA.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.