Installation
Win32/Caphaw often uses a legitimate file name to avoid suspicion. It scans the <system folder> folder for legitimate file names, then copies itself into the %APPDATA% folder using the same name. For example, the file name for Task Manager is <system folder>\taskmgr.exe. Caphaw might copy itself into your PC as %APPDATA%\taskmgr.exe.
Caphaw can also use these file names:
- <system folder>\lssas.exe - note that this is a misspelling of lsass.exe, a legitimate file that exists in the same folder
- %windir%\assembly\nativeimages_v2.0.50727_32\temp\zapf.tmp\system.data.entity.design.dll
- %windir%\svchost.exe - note that a legitimate file with the same name exists in <system folder>
Caphaw injects itself into legitimate processes like the following to make it more difficult to remove:
- cmd.exe
- explorer.exe
- firefox.exe
- iexplore.exe
- reader_sl.exe
- svchost.exe
Caphaw creates mutexes to make sure that only one instance of itself is running in memory.
To run every time Windows starts, some variants of Caphaw create an entry in the system registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random CLSID>" (for example, {FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2})
With data: "<malware path and file name>" (for example "%APPDATA%\Microsoft\Excel\xlstart\winmine.exe")
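The installation indicators above (a system file name dropped outside the system folder, a one-letter lookalike of a real system file name, and a Run key value named like a CLSID that points into %APPDATA%) are easy to turn into a triage check. The following is an added example, not code from the write-up or from Microsoft; it runs over constructed sample data rather than a live host, and the choice of "%windir%\system32" as the system folder and the inclusion of %LOCALAPPDATA% as a second user-writable drop location are assumptions that go slightly beyond what the page shows.

```python
import re
import ntpath

# Assumption: the "<system folder>" in the write-up is %windir%\system32.
SYSTEM_FOLDER = r"%windir%\system32"

# Constructed subset of legitimate system folder file names (not a host inventory).
SYSTEM_FOLDER_FILES = {"taskmgr.exe", "lsass.exe", "svchost.exe", "cmd.exe", "explorer.exe"}

# Run key value names of the form {8-4-4-4-12} hex, as in the example CLSID above.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)

# Constructed sample paths mixing benign locations with the patterns the write-up describes.
SAMPLE_PATHS = [
    r"%windir%\system32\taskmgr.exe",   # legitimate Task Manager
    r"%APPDATA%\taskmgr.exe",           # system file name copied into %APPDATA%
    r"%windir%\svchost.exe",            # svchost.exe outside the system folder
    r"%windir%\system32\lssas.exe",     # lookalike of lsass.exe
    r"%APPDATA%\Vendor\tool.exe",       # ordinary user-mode application
]

# Constructed Run key entries: (value name, data). The second one mirrors the example above.
SAMPLE_RUN_ENTRIES = [
    ("ExampleUpdater", r'"%ProgramFiles%\Example\updater.exe"'),
    ("{FAD5ADC3-DABB-6BFF-ED11-CB329C7D70E2}", r'"%APPDATA%\Microsoft\Excel\xlstart\winmine.exe"'),
]


def normalize(path):
    """Lower-case a path and drop surrounding quotes so comparisons are case-insensitive."""
    return path.strip().strip('"').lower()


def is_clsid_name(value_name):
    """True if a Run key value name looks like a CLSID rather than a product name."""
    return bool(CLSID_RE.match(value_name.strip()))


def _is_adjacent_transposition(a, b):
    """True if a and b differ only by swapping two neighbouring characters (lssas vs lsass)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def is_masquerading_path(path, system_files=SYSTEM_FOLDER_FILES):
    """Return a reason string if the path matches a Caphaw-style drop, else None."""
    folder, name = ntpath.split(normalize(path))
    if name in system_files:
        if folder != SYSTEM_FOLDER.lower():
            return "system file name '%s' outside the system folder" % name
        return None
    for real in system_files:
        if _is_adjacent_transposition(name, real):
            return "lookalike of '%s'" % real
    return None


def flag_masquerading_paths(paths):
    """Return [(path, reason)] for every path that is flagged."""
    findings = []
    for p in paths:
        reason = is_masquerading_path(p)
        if reason:
            findings.append((p, reason))
    return findings


def flag_run_entries(entries, user_writable=("%appdata%", "%localappdata%")):
    """Return Run key entries whose name is a CLSID and whose data points into a user-writable folder.
    The write-up only shows %APPDATA%; %LOCALAPPDATA% is an added assumption."""
    return [(name, data) for name, data in entries
            if is_clsid_name(name) and normalize(data).startswith(user_writable)]


if __name__ == "__main__":
    for path, reason in flag_masquerading_paths(SAMPLE_PATHS):
        print("path  :", path, "->", reason)
    for name, data in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print("runkey:", name, "->", data)
```

On a live host the same functions would be fed the output of a directory walk of %APPDATA% and %windir% and a dump of the HKCU Run key; the value of the example is the two heuristics, not the sample data.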
Older variants of Caphaw also install a rootkit component. An infected master boot record (MBR) is detected as Trojan:DOS/Caphaw.A.
Spreads via...
Skype
One Caphaw variant, Win32/Caphaw.N, can do a number of actions on Skype, including:
- Disabling audio alerts
- Downloading files from a remote server
- Sending messages and files to your contacts; the file is usually another copy of Caphaw
- Removing traces of its actions on Skype, like file transfers and recent conversations
Facebook
Caphaw can spread by hijacking your Facebook account and posting a copy of itself on your friends' walls. The post might look like this: [image of an example post, not reproduced here]
Shared and removable drives
Caphaw can spread to other PCs via shared and removable drives. It creates shortcut files that link to a hidden Caphaw copy in the root folder of the shared or removable drive. If you click on the shortcut file, the Caphaw copy runs.
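The removable-drive pattern described above (a visible shortcut in the root of the drive whose target is a hidden copy of the malware in the same root) can be checked from a directory listing. The following is an added example, not code from the write-up; the listing is constructed, and the example assumes the shortcut targets have already been extracted from the .lnk files, since parsing the Shell Link binary format is outside its scope.

```python
import ntpath

# Constructed listing of a removable drive root (not captured from a real device).
# Each entry is (name, is_hidden, shortcut_target); shortcut_target is the resolved
# target of a .lnk file and None for every other entry. Resolving the target from the
# .lnk itself (Shell Link format) is assumed to have happened before this step.
SAMPLE_ROOT_LISTING = [
    ("Holiday Photos.lnk", False, r"E:\drive_helper.exe"),  # visible shortcut to a hidden exe
    ("drive_helper.exe", True, None),                       # hidden copy in the root
    ("Holiday Photos", True, None),                         # the real folder, now hidden
    ("report.docx", False, None),
    ("Notes.lnk", False, r"E:\Notes.txt"),                  # benign shortcut to a visible file
    ("Notes.txt", False, None),
]

# Extensions that Windows will execute when a shortcut is opened.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def suspicious_shortcuts(listing):
    """Return [(shortcut name, target, reason)] for shortcuts whose target is a hidden
    executable in the same root. The reason also notes when a hidden folder shares the
    shortcut's base name, which is how the shortcut masquerades as that folder."""
    hidden = {name.lower() for name, is_hidden, _ in listing if is_hidden}
    findings = []
    for name, _, target in listing:
        if target is None or not name.lower().endswith(".lnk"):
            continue
        target_name = ntpath.basename(target).lower()
        ext = ntpath.splitext(target_name)[1]
        if target_name in hidden and ext in EXECUTABLE_EXT:
            reason = "shortcut runs hidden executable '%s'" % target_name
            base = ntpath.splitext(name)[0].lower()
            if base in hidden:
                reason += "; a hidden folder named '%s' shares the shortcut's name" % base
            findings.append((name, target, reason))
    return findings


if __name__ == "__main__":
    for shortcut, target, reason in suspicious_shortcuts(SAMPLE_ROOT_LISTING):
        print(shortcut, "->", target, ":", reason)
```

Showing hidden files before browsing a removable drive defeats the trick for a human reader; the check above is the same test applied mechanically to a listing.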
Drive-by malware
Caphaw can be installed via drive-by exploits. It's been known to be installed using vulnerabilities in Adobe Flash or Java.
Payload
Lets a malicious hacker control your PC
Caphaw lets a malicious hacker access and control your PC. The actions we've observed include:
- Control your desktop
- Control your mouse and keyboard
- Access your files and folders
- Upload your files to a hacker-controlled FTP server
- Delete files
- Download and run other files
- Redirect Internet traffic via a proxy server
- Send ICMP packets that can be used in distributed denial-of-service (DDoS) attacks
- Log and redirect web traffic from Firefox and Internet Explorer
- Shut down or restart your PC
- Spread to other PCs upon command
- Log keystrokes
- Change your PC settings
- Start or stop programs
- Update itself
Steals banking information
Caphaw can inject code and fake phone numbers into online banking websites when you visit them. It does this to try to steal your login information for these websites. It targets the online banking websites for these institutions:
- Barclays
- Bank of Scotland
- Co-Operative Bank
- Egg.Com
- Fidelity
- First Direct
- HSBC
- InterActive Brokers
- John Lewis Financial
- Leicester
- Lloyds Bank
- MBNA
- NatWest
- POFS Save Credit
- RBS
- Santander
- Tesco Finance
- Theaa
- Ulster Bank
- VirginMoney
- Yorkshire Bank
Analysis by Edgardo Diaz and Jody Koo