SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

New variant of Atros InfoStealer actively spreading in the wild. (Mar 24, 2017)


The Sonicwall Threats Research team observed reports of a new variant of Atros InfoStealer actively spreading in the wild.

Atros malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%\Application Data\oougw.exe

  • %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

  • %Userprofile%\All Users\Application Data\[ Computer Name ][ Date ].jpg [ Computer Screen Shot ]

The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cd482369-09b5-4f6f-929d-87c40c6be1bc

    • "%Userprofile%\Application Data\oougw.exe"

Once the computer is compromised, the malware copies its own Executable files to Userprofile folder.

The malware's goal is to collect as much data as possible; attacker's profit based on the level of user information that is collected. Thereby more information collected leads to higher profits.

The malware also performs key logging, takes screen shots, and steals clipboard data from target user.

The Malware installs key Logger on the target machine and extracts passwords from the following web browsers:

  • Chrome

  • Firefox

  • Internet Explorer

  • Opera

  • Safari

The Malware saves data into Browsers.txt file and transfers to its own C&C server.

Command and Control (C&C) Traffic

Atros performs C&C communication over 80 port.

The malware sends your Computer information to its own C&C server via following format, here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.A_986 (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2021 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 17.3 | S1MSW04