SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Cashandler.A: New variant family of InfoStealer Trojan actively spreading in the wild. (Sep 8, 2017).


The SonicWall Capture Labs Threat Research team has received reports of a new variant family of InfoStealer Trojan [GAV: Cashandler.A] actively spreading in the wild.

Cashandler malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

Infection Cycle:

The Malware adds the following files to the system:

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable file to Temp folder and runs following commands:

The malware's goal is to collect as much data as possible; attacker's profit based on the level of user information that is collected. Thereby more information collected leads to higher profits.

The malware also performs key logging and steals clipboard data from target and saves in following registry key:

During our research we have noticed that hackers used a free yahoo email address account for their malware,we were able to retrieve their credentials as they were hard coded into the malware. Once the credentials were decrypted, we were able to access the hacker email account.

Command and Control (C&C) Traffic

Cashandler performs C&C communication over HTTP protocol.

The malware sends the victim's Computer information to its own C&C server via following format, here is an example:

SonicWall Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cashandler.A (Trojan)

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2019 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 14.6 | S2MSW01