Artemis.A, New InfoStealer in the Wild. (January 26, 2017)
Description
The SonicWall Threats Research team observed reports of a new InfoStealer
family, detected as GAV: Artemis.A_43, actively spreading in the wild.
The Artemis malware gathers confidential information from the infected
computer, such as login details, passwords and financial information, and
sends it to its own C&C server.
Infection Cycle:
The malware adds the following files to the system:
- %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe
- %Userprofile%\Local Settings\Temp\Trojan.exe
- %Userprofile%\Local Settings\Temp\Trojan.exe.tmp
The malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:
Once the computer is compromised, the malware copies its own executable
files into the %Userprofile% folder.
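A host triage helper for the drop locations listed above, added here as an example; it is not SonicWall's code. The file names are the ones the advisory gives; the function names, the report layout and the assumption that the files sit under the user profile's Local Settings\Temp folder are this example's own. Pass a profile directory explicitly so the same code runs against a mounted image or in a lab:

```python
"""Check a user profile for the Artemis.A drop files and hash what is found.

Added example (not SonicWall's code). The paths come from the advisory; the
helper names and output format are assumptions made for this illustration.
"""
import hashlib
import os
from datetime import datetime, timezone

# Paths from the advisory, relative to %USERPROFILE%. Written with forward
# slashes so they can be split and joined portably on Windows or Linux.
ARTEMIS_DROP_FILES = (
    "Local Settings/Temp/bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe",
    "Local Settings/Temp/Trojan.exe",
    "Local Settings/Temp/Trojan.exe.tmp",   # keylogger output per the advisory
)


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_profile(user_profile):
    """Return {relative_path: details} for each IOC file present under user_profile.

    Details carry the SHA-256 (to match against AV detections), the size and
    the UTC mtime (for the timeline), and whether the file is the keylog.
    Files that do not exist are simply skipped.
    """
    findings = {}
    for rel in ARTEMIS_DROP_FILES:
        full = os.path.join(user_profile, *rel.split("/"))
        if not os.path.isfile(full):
            continue
        st = os.stat(full)
        findings[rel] = {
            "sha256": sha256_of(full),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "keylog": rel.endswith("Trojan.exe.tmp"),
        }
    return findings


if __name__ == "__main__":
    # Default to the current user's profile when run interactively.
    profile = os.environ.get("USERPROFILE") or os.path.expanduser("~")
    for rel, info in triage_profile(profile).items():
        print(rel, info)
```

If Trojan.exe.tmp is present, preserve it before cleanup: it is the keylogger's capture file and shows what credentials were typed while the host was infected.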
The malware's goal is to collect as much data as possible; the more details
about the user that end up in the hands of the remote attacker, the bigger
the potential profit.
The malware retrieves a list of running processes and of websites visited by
the user and sends it, Base64-encoded, to its own C&C server.
The malware installs a keylogger on the target machine and saves the captured data into the Trojan.exe.tmp file; here is an example:
The malware gathers data such as the following:
- COMPUTERNAME
- USERNAME
- Date
- Windows version
Command and Control (C&C) Traffic
Artemis performs its C&C communication over port 1177.
The malware sends the collected computer information to its own C&C server in
the following format; here is an example:
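A network-side detector for the C&C pattern described in this section, added here as an example; it is not SonicWall's code or signature. The advisory states only that the traffic uses port 1177 and that the data is Base64-encoded; the flow-record layout, the sample payloads and the field names used as post-decode markers (taken from the list of gathered data above) are assumptions of this example, not the real wire format:

```python
"""Flag flows that look like Artemis.A exfiltration: port 1177 plus a
Base64-encoded body that decodes to host-profile fields.

Added example (not SonicWall's code). Flow layout, samples and markers are
constructed for illustration; only the port and the Base64 encoding come
from the advisory.
"""
import base64
import binascii
import re
from dataclasses import dataclass

ARTEMIS_C2_PORT = 1177
# Field names the advisory says the stealer collects. They are weak markers
# checked only after a payload has been decoded successfully.
MARKERS = ("COMPUTERNAME", "USERNAME", "Windows", "Date")
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Flow:
    """Assumed record shape: what a sensor or flow log would hand us."""
    src: str
    dst: str
    dport: int
    payload: bytes


def try_decode_b64(data):
    """Strictly decode data as Base64, or return None.

    The alphabet/length pre-check discards plaintext and short binary junk;
    validate=True makes the decoder reject stray characters instead of
    silently skipping them.
    """
    data = data.strip()
    if len(data) < 8 or len(data) % 4 or not _B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def score_flow(flow):
    """Return (score, reasons). A score of 2 or more is worth an analyst's look."""
    reasons = []
    if flow.dport == ARTEMIS_C2_PORT:
        reasons.append("dst port 1177")
    decoded = try_decode_b64(flow.payload)
    if decoded is not None:
        reasons.append("base64 payload")
        text = decoded.decode("latin-1")      # never raises; markers are ASCII
        hits = [m for m in MARKERS if m in text]
        if hits:
            reasons.append("host fields: " + ", ".join(hits))
    return len(reasons), reasons


def find_suspects(flows, threshold=2):
    """Return [(flow, reasons)] for every flow scoring at or above threshold."""
    out = []
    for f in flows:
        score, reasons = score_flow(f)
        if score >= threshold:
            out.append((f, reasons))
    return out


def sample_flows():
    """Constructed flow records for a dry run; not real Artemis traffic."""
    fake_exfil = b"COMPUTERNAME=WKS01|USERNAME=alice|Date=2017-01-26|Windows 7"
    return [
        Flow("10.0.0.5", "203.0.113.9", ARTEMIS_C2_PORT, base64.b64encode(fake_exfil)),
        Flow("10.0.0.5", "93.184.216.34", 443, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        Flow("10.0.0.7", "10.0.0.1", 8080, base64.b64encode(b"just a file upload")),
    ]


if __name__ == "__main__":
    for flow, reasons in find_suspects(sample_flows()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {'; '.join(reasons)}")
```

Port alone is a weak indicator (1177 is not reserved), and Base64 alone is everywhere, which is why the two are combined and the decoded body is inspected before a flow is raised; a real deployment would replace `sample_flows()` with records from the sensor and tune `MARKERS` once the actual beacon format has been captured.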
SonicWALL Gateway AntiVirus provides protection against this threat via the
following signature:
- GAV: Artemis.A_43