New variant of Atros InfoStealer actively spreading in the wild. (Mar 24, 2017)
Description
The Sonicwall Threats Research team observed reports of a new variant of Atros InfoStealer actively spreading in the wild.
Atros malware gathers confidential information from the computer, such as login details, passwords and financial information, and sends it to its own C&C server.
Infection Cycle:
The Malware adds the following files to the system:
- %Userprofile%\Application Data\oougw.exe
- %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
- %Userprofile%\All Users\Application Data\[ Computer Name ][ Date ].jpg [ Computer Screen Shot ]
The Malware adds the following keys to the Windows registry to ensure that the Trojan runs during startup:
Once the computer is compromised, the malware copies its own executable files to the user profile folder.
The malware's goal is to collect as much data as possible; the attacker's profit depends on the amount of user information collected, so the more information collected, the higher the profit.
The malware also performs key logging, takes screen shots, and steals clipboard data from the target user.
The Malware installs a key logger on the target machine and extracts passwords from the following web browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Safari
The Malware saves the collected data into a Browsers.txt file and transfers it to its own C&C server.
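The dropped files listed under Infection Cycle and the Browsers.txt dump above give a host-side hunt a concrete set of file indicators. The following Python script is an added example, not code from the SonicALERT page or from SonicWALL: it takes a file inventory (here a constructed sample list, not paths from a real infection) and matches each path against the advisory's indicators. It assumes two things the advisory does not state: the date portion of the screenshot name can be any text between the computer name and ".jpg", and Browsers.txt may sit anywhere, so it is matched by name only. It also treats GDIPFONTCACHEV1.DAT as weak evidence, because a file of that name in Local Settings\Application Data is also written by GDI+ on clean Windows installs.

```python
import re
from typing import List, Tuple

Hit = Tuple[str, str, str]  # (original path, indicator description, weight)


def build_indicator_patterns(computer_name: str) -> List[Tuple[re.Pattern, str, str]]:
    """Regexes over a lower-cased, backslash-normalised path.

    Weight "strong": the name is specific to this sample.
    Weight "weak":  the name can also occur on a clean profile.
    """
    cn = re.escape(computer_name.lower())
    return [
        # %Userprofile%\Application Data\oougw.exe
        (re.compile(r"\\application data\\oougw\.exe$"),
         "dropped executable oougw.exe", "strong"),
        # %Userprofile%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        # Same name as the legitimate GDI+ font cache, so only corroborating.
        (re.compile(r"\\local settings\\application data\\gdipfontcachev1\.dat$"),
         "GDIPFONTCACHEV1.DAT (weak: legitimate GDI+ font cache name)", "weak"),
        # %Userprofile%\All Users\Application Data\[ Computer Name ][ Date ].jpg
        # ASSUMPTION: date format is not given, so any text up to ".jpg" is accepted.
        (re.compile(r"\\all users\\application data\\" + cn + r".*\.jpg$"),
         "screenshot named after host and date", "strong"),
        # Browsers.txt credential dump; ASSUMPTION: location unknown, match by name.
        (re.compile(r"\\browsers\.txt$"),
         "Browsers.txt credential dump", "strong"),
    ]


def scan_paths(paths: List[str], computer_name: str) -> List[Hit]:
    """Return every (path, indicator, weight) match in the inventory."""
    patterns = build_indicator_patterns(computer_name)
    hits: List[Hit] = []
    for path in paths:
        norm = path.replace("/", "\\").lower()
        for rx, description, weight in patterns:
            if rx.search(norm):
                hits.append((path, description, weight))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Collapse hits into a triage verdict for the host."""
    weights = {w for _, _, w in hits}
    if "strong" in weights:
        return "likely infected"
    if "weak" in weights:
        return "review"
    return "clean"


# Constructed sample inventory for a hypothetical host named WS-ALICE
# (not data from the advisory or from a real infection).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\oougw.exe",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\GDIPFONTCACHEV1.DAT",
    r"C:\Documents and Settings\All Users\Application Data\WS-ALICE2017-03-24.jpg",
    r"C:\Documents and Settings\alice\My Documents\notes.txt",
]

if __name__ == "__main__":
    found = scan_paths(SAMPLE_PATHS, "WS-ALICE")
    for path, description, weight in found:
        print(f"[{weight}] {description}: {path}")
    print("verdict:", verdict(found))
```

In practice the inventory would come from a directory walk of the user profile (or from an EDR file-event export), and the computer name from the host itself; a host with only the GDIPFONTCACHEV1.DAT hit is flagged for review rather than declared infected, because that name alone is expected on clean systems.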
Command and Control (C&C) Traffic
Atros performs C&C communication over port 80.
The malware sends your computer's information to its own C&C server in the following format; here is an example:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: