
Infostealer.Nuknuken


First posted on 14 November 2014.
Source: Symantec

Aliases :

There are no other names known for Infostealer.Nuknuken.

Explanation :

The Trojan arrives on the computer through documents that exploit the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158, the MSCOMCTL.OCX flaw fixed in Microsoft bulletin MS12-027). The document only gains code execution on hosts that are missing that update.

When the Trojan is executed, it creates the following files (the "Documents and Settings\All Users\Application Data" location is the Windows XP / Server 2003 profile layout):

- %System%\Com\svchost.exe
- %SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\[RANDOM].bin
- %UserProfile%\Local Settings\ntxobj.exe

Next, the Trojan installs itself as a service that masquerades as an existing one. It picks a service at random, appends the string "sys" to that service's name, and reuses the existing service's display name with its first character removed.
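The masquerade pattern above is mechanical enough to hunt for: a rogue service whose name is an existing service name plus "sys", and whose display name is the existing display name minus its first character. The following script is an added example written for this page, not Symantec's tooling or code from the threat. It runs on a constructed service inventory; on a live host you would feed it `Get-Service | Select-Object Name,DisplayName | Export-Csv services.csv` (the CSV loader below assumes that column layout).

```python
"""Flag Windows services that mimic another service the way Infostealer.Nuknuken does:
   rogue name    == existing name + "sys"
   rogue display == existing display name with its first character dropped.

Added example; the sample inventory below is constructed, not taken from a real host."""
import csv
import io

# Constructed sample inventory (assumption: stands in for a real host's service list).
# "Spoolersys" is a planted full match, "Dhcpsys" a name-only collision, "Foosys" is benign.
SAMPLE_SERVICES = [
    ("Dhcp", "DHCP Client"),
    ("Dnscache", "DNS Client"),
    ("Spooler", "Print Spooler"),
    ("Spoolersys", "rint Spooler"),   # name + "sys", display minus first char
    ("SysMain", "Superfetch"),
    ("Foosys", "Foo Service"),        # ends in "sys" but has no twin
    ("Dhcpsys", "DHCP Relay"),        # twin exists, display name does not match
]

def load_services_csv(text):
    """Parse the CSV produced by `Get-Service | Select-Object Name,DisplayName | Export-Csv`.
    Windows PowerShell 5 prefixes a '#TYPE ...' line; PowerShell 7 does not, so skip it if present."""
    lines = [ln for ln in text.splitlines() if not ln.startswith("#TYPE")]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return [(row["Name"], row["DisplayName"]) for row in reader]

def find_mimic_services(services):
    """Return a list of (rogue_name, mimicked_name, reason).

    Service names are case-insensitive on Windows, so the lookup key is lowercased.
    A full match on both name and display name is reported as 'strong'; a name-only
    collision is still worth a look and is reported as 'weak'."""
    by_name = {name.lower(): (name, display) for name, display in services}
    findings = []
    for name, display in services:
        lname = name.lower()
        if not lname.endswith("sys") or len(lname) <= 3:
            continue
        base = lname[:-3]
        if base not in by_name:
            continue                      # no existing service with the stripped name
        orig_name, orig_display = by_name[base]
        if len(orig_display) > 1 and orig_display[1:] == display:
            findings.append((name, orig_name,
                             "strong: name = existing + 'sys', display = existing minus first char"))
        else:
            findings.append((name, orig_name,
                             "weak: name collides with existing service + 'sys'"))
    return findings

if __name__ == "__main__":
    for rogue, twin, reason in find_mimic_services(SAMPLE_SERVICES):
        print(f"{rogue!r} mimics {twin!r}: {reason}")
```

A service that trips the strong rule should then have its ImagePath compared against the dropped-file list in this writeup; the weak rule exists because an operator can rename the display name after the fact, and a name collision alone is still unusual enough to review.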

The Trojan then connects to the following remote locations:

- 131.72.138.180:443
- systemsvc.net
- system-svc.net

The Trojan may then perform the following actions:

- Log keystrokes
- Capture screenshots
- Gather information entered into web forms
- Gather login credentials
- Add or remove firewall rules
- List running processes
- Download additional components
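The file paths and network locations in this writeup are the indicators a responder would sweep for. The script below is an added example written for this page, not Symantec's code: it expands the writeup's path placeholders (%System%, %SystemDrive%, %UserProfile%) against a real or constructed environment, globs for the [RANDOM].bin drop, and matches the three network indicators against DNS/proxy log lines. The log lines are constructed for the example; the environment mapping used in the lead-in test is likewise an assumption.

```python
"""Sweep for the Infostealer.Nuknuken indicators listed in the writeup.
Added example; sample log lines and the environment mapping are constructed."""
import glob
import os
import re

FILE_IOCS = [
    r"%System%\Com\svchost.exe",
    r"%SystemDrive%\Documents and Settings\All Users\Application Data\Mozilla\*.bin",  # [RANDOM].bin
    r"%UserProfile%\Local Settings\ntxobj.exe",
]
NETWORK_IOCS = ["131.72.138.180", "systemsvc.net", "system-svc.net"]

def expand_symantec_path(path, env):
    """Map the writeup's placeholders onto an environment (os.environ on a live host).
    %System% is the Windows system directory, i.e. %SystemRoot%\System32."""
    system_root = env.get("SystemRoot", r"C:\Windows")
    repl = {
        "%System%": system_root + r"\System32",
        "%SystemDrive%": env.get("SystemDrive", "C:"),
        "%UserProfile%": env.get("USERPROFILE", r"C:\Documents and Settings\user"),
    }
    for key, value in repl.items():
        path = path.replace(key, value)
    return path

def present_files(env=None):
    """Return the dropped files that actually exist on this host (empty off-Windows)."""
    env = os.environ if env is None else env
    found = []
    for ioc in FILE_IOCS:
        found.extend(glob.glob(expand_symantec_path(ioc, env)))
    return found

def _ioc_regex(ioc):
    # IPs must not be a substring of a longer dotted quad; domains may carry a
    # subdomain prefix (update.system-svc.net) but must end at the label boundary,
    # so systemsvc.network.local does NOT match.
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ioc):
        return re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
    return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(ioc) + r"(?![\w-])", re.IGNORECASE)

_PATTERNS = [(ioc, _ioc_regex(ioc)) for ioc in NETWORK_IOCS]

def match_network_iocs(lines):
    """Return (1-based line number, indicator, line) for each log line naming a C2 indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in _PATTERNS:
            if pat.search(line):
                hits.append((n, ioc, line.rstrip()))
    return hits

# Constructed sample log: DNS and proxy entries, two of them near-misses.
SAMPLE_LOG = """\
2014-11-14T10:02:11Z dns query client=10.0.0.5 qname=systemsvc.net type=A
2014-11-14T10:02:12Z proxy CONNECT 131.72.138.180:443 user=jdoe bytes=51200
2014-11-14T10:03:00Z dns query client=10.0.0.7 qname=update.system-svc.net type=A
2014-11-14T10:04:00Z dns query client=10.0.0.9 qname=systemsvc.network.local type=A
2014-11-14T10:05:00Z proxy GET http://www.example.com/ user=jdoe bytes=2048
""".splitlines()

if __name__ == "__main__":
    for n, ioc, line in match_network_iocs(SAMPLE_LOG):
        print(f"line {n}: {ioc} -> {line}")
    for path in present_files():
        print("dropped file present:", path)
```

The C2 address is used on port 443, so a proxy or firewall log will usually show only a CONNECT or a flow record rather than decrypted content; match on the destination, not on the payload. The domains are matched with an optional subdomain prefix because the writeup gives the bare registered names.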

Last update 14 November 2014
