Analysis of a recent Swizzor variant (aka Stealer)
Overview
Trojan Swizzor variants have been detected since early 2004. The trojan works by downloading and executing malicious files from the Internet on the infected machine. The primary infection channel for the Swizzor family is the Internet, and the family is known for stealing personal data. In this case, our researcher monitored malicious traffic and spotted the Swizzor binary as the downloaded file.
Analysis
While monitoring the traffic, we received an alert triggered by communication with a suspicious website. The suspicious websites are stored in our threat intelligence malicious-website list, which is what our rule matched against.
Our rule flagged communication with the following URL:
So we performed incident response on the host machine that connected to the malicious URL. We gathered timeline analysis information from the host, and during the timeline analysis we spotted the process puttyupdate459.exe in memory. The sample was taken for malware analysis:
File Hash: d85fa670e482083d83c7cfdea08b65729378b02b2dc31f009350f6385a459809
File Size: 227.5 KB
Figure 1 Compiled using VC++
We executed the specimen in a controlled environment and observed its behaviour. The malicious process started querying general information from the file system and the registry.
Figure 2 Execution of malware - loaded in memory and starts querying
Figure 3 Thread creation
Figure 4 Thread creation event
Figure 5 puttyupdate459.exe queries the computer name details and creates a file in the Temp location
This is expected, because there is usually a parent file that registers the entries for the downloaded malware. We opened the .bin file in the Temp location, and it contains the following details:
Figure 6 A45F.bin file in the temp location
The number of 'LdrLoadFile' lines in the file keeps incrementing. We also noticed that each time iexplorer.exe was loaded into memory and then terminated, the line count of the .bin file in the Temp location increased; every termination corresponded to one increment.
With this analysis alone we were unable to observe the complete behaviour, so our incident response team ran the Redline collector script and collected an analysis session from the infected machine. During the Redline analysis, we found the parent file, which contains the malicious URL above:
This malicious URL was used to download the puttyupdate459.exe file. The parent file details are:
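To turn that observation into a repeatable check, here is an added example (not code from the original analysis) that walks a constructed timeline of process start/stop events and periodic line counts of the Temp .bin file, and reports whether every termination of the browser process is followed by growth of the file. The event format, the timestamps and the counts are assumptions; only the file name A45F.bin and the process name iexplorer.exe are taken from the post.

```python
# Added example, not from the original post: correlate growth of the Temp
# .bin file with terminations of a named process in a host timeline.
from collections import namedtuple

Event = namedtuple("Event", "ts kind detail")

# Constructed timeline (assumed format): process events and line counts of
# %TEMP%\A45F.bin sampled between them.
TIMELINE = [
    Event(1, "proc_start", "iexplorer.exe"),
    Event(2, "bin_lines", 3),
    Event(3, "proc_stop", "iexplorer.exe"),
    Event(4, "bin_lines", 4),
    Event(5, "proc_start", "iexplorer.exe"),
    Event(6, "proc_stop", "iexplorer.exe"),
    Event(7, "bin_lines", 5),
    Event(8, "proc_start", "notepad.exe"),
    Event(9, "proc_stop", "notepad.exe"),
    Event(10, "bin_lines", 5),
]


def growth_after_terminations(events, proc_name):
    """Return (terminations of proc_name, terminations followed by growth)."""
    last_count = None
    pending = False  # a termination has occurred since the last sample
    terms = hits = 0
    for ev in events:
        if ev.kind == "proc_stop" and ev.detail.lower() == proc_name.lower():
            terms += 1
            pending = True
        elif ev.kind == "bin_lines":
            # Only count growth seen at the first sample after a termination.
            if pending and last_count is not None and ev.detail > last_count:
                hits += 1
            pending = False
            last_count = ev.detail
    return terms, hits


def is_suspicious(events, proc_name="iexplorer.exe", min_terms=2):
    """Flag when every observed termination coincides with file growth."""
    terms, hits = growth_after_terminations(events, proc_name)
    return terms >= min_terms and hits == terms
```

In the constructed timeline the two iexplorer.exe terminations both precede growth of the file, while the notepad.exe termination does not, so only the browser process is flagged.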
Figure 7 Parent file - Ursnif/Swizzor/Password Stealer
The parent file is detected as a password stealer (PWS), Swizzor and Ursnif. Our team's incident response activity clearly paid off, since it led us to this file.
Why was the file not detected by AV?
Most AV vendors detect both the parent file (SHA256: 21fc447f95143fd8595d364e526bb726d2e3e52983aebe2c1ae5d49d4e6e96f5) and the downloaded file (puttyupdate459.exe). However, we found that the infected network infrastructure did not follow many best practices, and the AV definition database had failed to update for several weeks. We also collected the AV logs for analysis: the AV had actually raised alerts on the termination of its on-access scan and AV shield processes.
Had best practices and proper monitoring been in place, this infection could have been avoided.
Research and post were done by