TSPY_URSNIF.TIBAIBM

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy drops the following copies of itself into the affected system and executes them:

• %Application Data%\{string1}{string2}\{string1}{string2}.exe
  where:
  {string1} = first four letters of a dll file under System directory
  {string2} = last four letters of a dll file under System directory

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Temp%\{random folder name}\{random filename}.bat ← used to delete itself; deleted afterwards

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It injects codes into the following process(es):

• explorer.exe

Autostart Technique

This Trojan Spy adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{string1}{string2} = "%Application Data%\{string1}{string2}\{string1}{string2}.exe"

Other System Modifications

This Trojan Spy adds the following registry keys:

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Vars

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Files

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Config

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}\
Run

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
EnableSPDY3_0 = "0"

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{UID} = "{hex value}"

HKEY_CURRENT_USER\Software\AppDataLow\
Software\Microsoft\{GUID}
{Value Name} = "{data}"
where {Value Name} may be any of the following:

• Main
• Block
• Temp
• Client
• Ini
• Keys
• Scr
• LastTask
• LastConfig
• CrHook
• OpHook
• Exec
• TorClient
• TorCrc
• Install

Dropping Routine

This Trojan Spy drops the following files wherein it saves the information it gathers:

• %User Temp%\{random filename}.bin
• %User Temp%\{random filename}.bin1 → contains the list of computer or network resources

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This Trojan Spy gathers the following data:

• Computer Name
• Digital Certificates
• Cookies
• Keyboard Logs
• Clipboard Logs
• Captured Screenshot
• Email Credentials
• Running processes and services
• Installed device drivers
• Installed Programs
• System Information (Please see notes for more details)
• IP Address

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

• https://{BLOCKED}oma.com/images/{random path}.bmp

Other Details

This Trojan Spy connects to the following website to send and receive information:

• https://{BLOCKED}oma.com/images/{random path}.gif

It does the following:

• Saves stolen information in a file and then uploads it.
• Monitors Internet browsing activities.
• Hooks APIs of target process.
• Disables SPDY protocol in Mozilla Firefox.
• It terminates itself if it runs under a virtual machine or sandbox by checking the following strings against Plug and Play devices:
  • vbox
  • qemu
  • vmware
  • virtual hd
• Executes commands to gather information:
  • systeminfo.exe
  • tasklist.exe /SVC
  • driverquery.exe
  • reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
  • cmd /C "net view >> "%User Temp%\{random filename}.bin1"
  • cmd /C nslookup 127.0.0.1 >>"%User Temp%\{random filename}.bin1" %User Temp%\{random filename}.bin1 & del %User Temp%\{random filename}.bin1"

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

NOTES:

It displays the following message box if it runs on a virtual machine or sandbox:

The file systeminfo.exe returns the following system information:

• Host Name
• OS Name, Version, Manufacturer
• Configuration and Build Type
• Registered Owner and Organization
• Product ID
• Original Install Date
• System Up Time
• System Manufacturer, Model and type
• Processor(s)
• BIOS version
• Windows and System directory
• Boot Device
• System and Input Locale
• Time Zone
• Total and Available Memory
• Virtual Memory information (Max, Available, In Use)
• Page file locations
• Domain
• Logon server
• Hotfix(es)
• Network card(s)