Kuluoz: a trojan that spreads through email

UNAM-CERT received a report about a possibly malicious file. Although the file's icon looked like that of a Word document, the file was an executable. Malware writers use this trick to deceive users into running the malware without noticing. An example of the icon is shown in the image below:

The file arrives as an email attachment, sent either by other malicious code previously installed on the system or as spam from an infected email account.

When Label_Copy_USPS.exe is executed, it copies itself to another location under a different name. It also creates a text file with the same base name as the executable: Label_Copy_USPS.txt.

The trojan also injects code into the “svchost.exe” process and creates a copy of itself with a random name.

With the TCPView tool we were able to detect the IP addresses the sample tried to connect to over the Internet, using port 84:

xxx.xxx.247.182:84, xxx.xxx.28.156, xxx.xxx.95.133:84, xxx.xxx.47.109, xxx.xxx.78.241:84, xxx.xxx.225.182, xxx.xxx.240.152, xxx.xxx.66.34:84

After checking these IP addresses on tcpiputils.com/dns-blackhole-list, we found that four of them were flagged as malicious on different blacklists.

The sample was given Internet access so that its behavior could be observed. While the file was active, some files were added to the computer, and the processes related to the trojan created “xml” files containing information about the computer, such as registry keys (which hold important Windows configuration).

According to the VirusTotal analysis, the sample's MD5 hash is “560bf3200af70c4bf9889b545fe386a5”, and it was detected as malicious by only 29 of the 36 antivirus engines. This means that, at the time of the analysis, some users were unprotected against this threat.
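A mail-gateway style triage check for the lures described in this report (a PE executable dressed up as a document, document-looking double extensions, and the MD5 reported on VirusTotal), added here as an example and not part of UNAM-CERT's report; the filenames and the PE stub below are constructed, and the function names are my own.

```python
import hashlib
import struct

# MD5 reported for this Kuluoz sample in the report above.
KNOWN_BAD_MD5 = {"560bf3200af70c4bf9889b545fe386a5"}

# Extensions a shipping-label lure is expected to carry; an executable
# claiming one of these, or hiding one in a double extension, is suspect.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".txt"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by content type, naming tricks and known hash."""
    name = filename.lower()
    parts = name.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    findings = []
    if is_pe(data):
        # The report's sample relied on a Word icon; the bytes still say PE.
        findings.append("pe-executable")
        if ext in DOCUMENT_EXTS:
            findings.append("extension-mismatch")
    # e.g. Label_Copy_USPS.pdf.exe: a document extension before the real one
    if len(parts) > 2 and any("." + p in DOCUMENT_EXTS for p in parts[1:-1]):
        findings.append("double-extension")
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        findings.append("known-kuluoz-md5")
    return {"filename": filename, "md5": md5, "findings": findings,
            "verdict": "block" if findings else "allow"}


def constructed_pe_stub() -> bytes:
    """Constructed minimal PE-shaped bytes for testing; not real malware."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    print(triage_attachment("Label_Copy_USPS.exe", constructed_pe_stub()))
```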

Summary:

This file is a trojan that connects the infected computer to a remote server, from which it receives instructions to perform actions such as downloading and executing additional malware on the victim's computer.

Recommendations:

Users must be careful when opening emails from unknown sources and should avoid downloading their attachments.

If the email was sent by a known contact, it is best to ask that person about the content of the message, since their account could have been infected.

Remember that it is very important to keep the operating system and the antivirus updated so that malicious files can be detected in time.