SonicWall Security Center


Artemis.A, New InfoStealer in the Wild. (January 26, 2017)



Description


The SonicWall Threats Research team observed reports of a new InfoStealer family, detected as GAV: Artemis.A_43, actively spreading in the wild.

Artemis gathers confidential information from the infected computer, such as login details, passwords and financial information, and sends it to its own C&C server.

Infection Cycle:

The malware adds the following files to the system:

  • %Userprofile%\Local Settings\Temp\bWJgVKbnTS6wTt4QCOE6hTQ9fb1Sv1yGIXx.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe

    • Detected as GAV: Artemis.A_43 (Trojan)

  • %Userprofile%\Local Settings\Temp\Trojan.exe.tmp

    • Trojan.exe.tmp (keylogger data)

The malware adds the following keys to the Windows registry to ensure that the Trojan runs at startup:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe" ..

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2

    • "%Userprofile%\Local Settings\Temp\Trojan.exe" ..
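The two Run values above are the kind of autostart entry an incident responder hunts for on other hosts. The Python script below is an added example written for this alert, not SonicWall code. It parses a registry export in .reg text form, so it can run offline against a dump pulled from a suspect machine, and flags Run values that launch from a Temp directory, use a 32-hex-digit value name, or are registered under the same name in both HKCU and HKLM. The sample export is constructed from the two keys listed above plus two ordinary autostart entries for contrast; the heuristics are derived from this alert's indicators and are not part of the alert.

```python
"""Triage Windows Run-key autostart entries from a .reg text export.

Added example for this alert (not SonicWall code). It runs offline against a
.reg export so it can be used on a registry dump pulled from a suspect host
during incident response; the export below is constructed from the two Run
values listed in the alert plus two ordinary autostart entries for contrast.
"""
import re
from typing import Dict, List

# Constructed sample: .reg text as regedit exports it (backslashes and
# quotes inside string data are escaped with a backslash).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"5cd8f17f4086744065eb0992a09e05a2"="\"%Userprofile%\\Local Settings\\Temp\\Trojan.exe\""
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5cd8f17f4086744065eb0992a09e05a2"="\"%Userprofile%\\Local Settings\\Temp\\Trojan.exe\""
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')        # REG_SZ values only
TEMP_PATH_RE = re.compile(
    r"\\local settings\\temp\\|\\appdata\\local\\temp\\|%temp%\\|%tmp%\\", re.I)
HASH_NAME_RE = re.compile(r"^[0-9a-f]{32}$", re.I)  # MD5-like value name, as in this alert


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return every string value stored under a ...\\CurrentVersion\\Run key."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None or not current_key.lower().endswith(RUN_KEY_SUFFIX):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            name, data = value_match.groups()
            command = re.sub(r"\\(.)", r"\1", data)   # undo .reg escaping of \ and "
            entries.append({"key": current_key, "name": name, "command": command})
    return entries


def triage_run_entries(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Attach a list of reasons to each entry that matches a persistence heuristic."""
    hives_by_name: Dict[str, set] = {}
    for entry in entries:
        hive = entry["key"].split("\\", 1)[0]
        hives_by_name.setdefault(entry["name"].lower(), set()).add(hive)

    findings: List[Dict[str, object]] = []
    for entry in entries:
        reasons = []
        if TEMP_PATH_RE.search(entry["command"]):
            reasons.append("autostart binary is launched from a Temp directory")
        if HASH_NAME_RE.match(entry["name"]):
            reasons.append("value name is a 32-hex-digit string instead of a product name")
        if len(hives_by_name[entry["name"].lower()]) > 1:
            reasons.append("same value name registered under both HKCU and HKLM Run")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{finding['key']}\\{finding['name']}")
        print(f"    {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Any one heuristic alone produces noise (installers do drop legitimate updaters in Temp), so the script reports every reason it finds and leaves the decision to the analyst; the two entries from this alert trip all three.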

Once the computer is compromised, the malware copies its own executable files to the %Userprofile% folder.

The malware's goal is to collect as much data as possible: the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware retrieves the list of running processes and the websites visited by the user and sends them, Base64-encoded, to its own C&C server.

The malware installs a keylogger on the target machine and saves the captured keystrokes in the Trojan.exe.tmp file.

The malware also gathers system information such as:

  • COMPUTERNAME

  • USERNAME

  • Date

  • Windows version

Command and Control (C&C) Traffic

Artemis performs its C&C communication over port 1177.

The malware sends the collected computer information to its own C&C server.
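The alert gives two facts about the beacon that an analyst can work with: the port and the Base64 encoding of the stolen data. The Python below is an added example for this alert, not SonicWall code. It takes a payload captured to port 1177, extracts every Base64-looking run, keeps the ones that decode to printable text, and buckets the decoded fields by the categories the alert says are collected (Windows version, date, process list, visited sites) before deciding whether the traffic looks like a host profile being exfiltrated. The sample beacon, the '|' field delimiter and the field order are constructed assumptions; only the port number and the Base64 encoding come from the alert.

```python
"""Triage a suspected port-1177 infostealer beacon.

Added example for this alert (not SonicWall code). The alert states only
that the stolen data is sent Base64-encoded over port 1177; the sample
payload, the '|' field delimiter and the field order below are constructed
assumptions used to make the example run offline.
"""
import base64
import binascii
import re
from typing import Dict, List

C2_PORT = 1177  # from the alert


def _b64(text: str) -> bytes:
    return base64.b64encode(text.encode("utf-8"))


# Constructed sample beacon; the field contents mirror what the alert says
# is collected (computer name, user name, date, Windows version, running
# processes, visited sites). Delimiter and order are assumptions.
SAMPLE_BEACON = b"|".join([
    _b64("WORKSTATION-07"),
    _b64("alice"),
    _b64("26/01/2017"),
    _b64("Microsoft Windows 7 Professional"),
    _b64("explorer.exe\r\niexplore.exe\r\noutlook.exe"),
    _b64("www.example-bank.test\r\nmail.example.test"),
])

B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")


def decode_base64_runs(payload: bytes) -> List[str]:
    """Decode every Base64-looking run in the payload that yields printable text.

    Runs that are not valid Base64, or that decode to binary, are dropped so
    that ordinary protocol keywords (HTTP, Host, ...) do not count as fields.
    """
    fields: List[str] = []
    for match in B64_RUN_RE.finditer(payload):
        blob = match.group()
        blob += b"=" * (-len(blob) % 4)          # repair stripped padding
        try:
            plain = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        if plain and all(32 <= b < 127 or b in (9, 10, 13) for b in plain):
            fields.append(plain.decode("ascii"))
    return fields


def profile_fields(fields: List[str]) -> Dict[str, List[str]]:
    """Bucket decoded fields by the data categories named in the alert."""
    buckets: Dict[str, List[str]] = {
        "windows_version": [], "date": [], "process_list": [], "visited_sites": [], "other": [],
    }
    for field in fields:
        lines = [line.strip() for line in field.splitlines() if line.strip()]
        if re.search(r"\bWindows\b", field):
            buckets["windows_version"].append(field)
        elif re.fullmatch(r"\d{1,2}/\d{1,2}/\d{4}", field.strip()):
            buckets["date"].append(field)
        elif lines and all(line.lower().endswith(".exe") for line in lines):
            buckets["process_list"].append(field)
        elif lines and all(re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", line, re.I) for line in lines):
            buckets["visited_sites"].append(field)
        else:
            buckets["other"].append(field)
    return buckets


def is_infostealer_beacon(payload: bytes, dst_port: int) -> bool:
    """True when traffic to the C&C port carries a host profile: a Windows
    version string together with a process list or a visited-site list."""
    if dst_port != C2_PORT:
        return False
    buckets = profile_fields(decode_base64_runs(payload))
    return bool(buckets["windows_version"]) and bool(buckets["process_list"] or buckets["visited_sites"])


if __name__ == "__main__":
    for category, values in profile_fields(decode_base64_runs(SAMPLE_BEACON)).items():
        print(f"{category}: {values}")
    print("beacon:", is_infostealer_beacon(SAMPLE_BEACON, C2_PORT))
```

The verdict deliberately requires a Windows version string plus a process or site list, so a single Base64 token on port 1177 does not fire; the printable-text filter is what keeps protocol keywords such as "Host" from being mistaken for encoded fields.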

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Artemis.A_43 (Trojan)



