SonicWall Security Center


Parcim Trojan steals sensitive system information (March 6, 2014)



Description


The Dell SonicWALL Threats Research team has discovered an information-stealing Trojan that is dropped onto unpatched machines as part of a drive-by attack. The attack exploits CVE-2014-0502, a vulnerability covered recently in a previous SonicAlert.

Infection Cycle:

The Trojan adds the following files to the filesystem:

  • %TEMP%\chrome_frame_helper.dll [Detected as GAV: Parcim.A (Trojan)]
  • %TEMP%\chrome_frame_helper.exe
  • %TEMP%\chrome_frame_info.dll
  • %TEMP%\MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]
  • %TEMP%\YahooCache.ini
  • %USERPROFILE%\Local Settings\Temp\$NtUninstallKB942388$ (contains stolen system information)

The Trojan adds the following key to the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run chrome_update "%TEMP%\chrome_frame_helper.exe"

The Trojan makes the following DNS query:

YahooCache.ini contains the following data:

The Trojan downloads an additional malicious file and saves it as MSMAPI.OCX [Detected as GAV: Parcim.A_2 (Trojan)]:

It runs MSMAPI.OCX using the following command line:

      rundll32 %TEMP%\MSMAPI.OCX,RunProcGoa

The Trojan runs the following commands to gather system information:

      cmd.exe /C ipconfig /all
      cmd.exe /A /C rundll32 %TEMP%\MSMAPI.OCX,RunProcGoA
      cmd.exe /C net start
      cmd.exe /C tasklist
      cmd.exe /C systeminfo
      cmd.exe /C netstat -an
      cmd.exe /C net view
      cmd.exe /C dir "%userprofile%\recent\"
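The command chain above is a usable detection signature on its own: a rundll32 launch of a module from a Temp directory, followed within seconds by a burst of distinct reconnaissance commands from cmd.exe under one parent. The following script is an added example (not SonicWall's code) that implements both checks over process-creation events. The event shape (Sysmon Event ID 1-style tuples of time, PID, parent PID, image, command line) is an assumption, and the sample events are constructed to mirror the chain described in this alert; the last event is a benign lone ipconfig that should not trigger.

```python
"""Behavioural detection for the Parcim execution chain over process-creation events.

Added example for this alert, not SonicWall's code. Event shape is assumed
(Sysmon Event ID 1-like tuples); SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (UtcTime, ProcessId, ParentProcessId, Image, CommandLine).
SAMPLE_EVENTS = [
    ("2014-03-06 10:00:00", 1200, 800, r"C:\Windows\System32\rundll32.exe",
     r"rundll32 C:\Users\bob\AppData\Local\Temp\MSMAPI.OCX,RunProcGoa"),
    ("2014-03-06 10:00:01", 1300, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C ipconfig /all"),
    ("2014-03-06 10:00:02", 1301, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C net start"),
    ("2014-03-06 10:00:03", 1302, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C tasklist"),
    ("2014-03-06 10:00:04", 1303, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C systeminfo"),
    ("2014-03-06 10:00:05", 1304, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C netstat -an"),
    ("2014-03-06 10:00:06", 1305, 1200, r"C:\Windows\System32\cmd.exe", "cmd.exe /C net view"),
    ("2014-03-06 10:00:07", 1306, 1200, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C dir "C:\Users\bob\recent\"'),
    # Benign: a single ipconfig from an interactive admin shell half an hour later.
    ("2014-03-06 10:30:00", 2000, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe /C ipconfig /all"),
]

# rundll32 invoked on a DLL/OCX under a Temp directory (literal %TEMP% or an expanded
# path) with an export name after the comma, e.g. "rundll32 %TEMP%\MSMAPI.OCX,RunProcGoa".
RUNDLL32_TEMP_MODULE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<path>(?:[^\s",]*\\temp\\|%temp%\\)[^\s",]+\.(?:ocx|dll))"?'
    r'\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

# One pattern per reconnaissance command listed in the alert, keyed by a category label.
RECON_COMMANDS = {
    "ipconfig": re.compile(r"\bipconfig\b.*\s/all\b", re.I),
    "services": re.compile(r"\bnet\s+start\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
    "netview": re.compile(r"\bnet\s+view\b", re.I),
    "recent": re.compile(r"\bdir\b.*\\recent\\?", re.I),
}


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_rundll32_temp_module(events):
    """Flag rundll32 loading a module from a Temp directory (the MSMAPI.OCX launch)."""
    findings = []
    for ts, pid, ppid, image, cmdline in events:
        if not image.lower().endswith("rundll32.exe"):
            continue
        m = RUNDLL32_TEMP_MODULE.search(cmdline)
        if m:
            findings.append({"time": ts, "pid": pid, "parent_pid": ppid,
                             "module": m.group("path"), "export": m.group("export")})
    return findings


def classify_recon(cmdline):
    """Return the recon category of a cmd.exe command line, or None if it is not one."""
    for name, pattern in RECON_COMMANDS.items():
        if pattern.search(cmdline):
            return name
    return None


def detect_recon_burst(events, window_seconds=60, min_distinct=4):
    """Flag a parent that spawns >= min_distinct different recon commands within
    window_seconds. A lone ipconfig from an admin shell does not reach the threshold."""
    by_parent = defaultdict(list)
    for ts, pid, ppid, image, cmdline in events:
        if not image.lower().endswith("cmd.exe"):
            continue
        category = classify_recon(cmdline)
        if category:
            by_parent[ppid].append((_parse_time(ts), category))
    window = timedelta(seconds=window_seconds)
    findings = []
    for ppid, items in by_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {cat for t, cat in items[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                findings.append({"parent_pid": ppid, "first_seen": start.isoformat(),
                                 "distinct": len(seen), "commands": sorted(seen)})
                break  # one alert per parent process
    return findings


def analyze(events):
    return {"rundll32_temp_module": detect_rundll32_temp_module(events),
            "recon_burst": detect_recon_burst(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The burst rule keys on the parent PID because the alert shows every recon command spawned by the same rundll32 process; if your telemetry records only the parent image, group on that and expect more noise from legitimate scripts. The threshold of four distinct categories in 60 seconds is a starting point, not a tuned value.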

$NtUninstallKB942388$ contains the following data derived from the commands above:

  • Windows IP Configuration
  • Data on configured network adapters
  • A list of running services
  • Tasklist
  • Output from netstat
  • Number of processors
  • Recently run .lnk files
  • System info (OS version, processors, service pack, physical RAM etc.)

The stolen system information was observed being sent to a remote C&C server:

The Trojan periodically contacts the C&C server to announce its presence. It sends its internal IP address as the value for "&ClientId" and obtains its external IP address from the server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Parcim.A (Trojan)
  • GAV: Parcim.A_2 (Trojan)



© 2020 SonicWall