Installation
Variants in this malware family can pose as an update to legitimate applications or arrive as part of a key generator application.
For example, we have seen variants in this family infect a PC in the following manner:
A user downloads and runs the file <product name>_keygen.exe, for example R_Studio_7_5_Build_156292_Network_Edition_keygen.exe. The file is a self-extracting archive that extracts the following two files into the %TEMP% folder and runs them:
- <four numbers>.exe, for example 6597.exe - the actual key generator
- <four numbers>.exe, for example 6118.exe - Trojan:Win32/Gatak.DR
Some variants can install a copy of themselves as the following:
They can also create the following encrypted configuration file:
- %USERPROFILE%\administrator\application data\microsoft\<random folder name>\<random filename>, for example c:\documents and settings\administrator\application data\microsoft\kqda\cboiat
They can modify the following registry entries so that the malware runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AdVantage"
With data: "%USERPROFILE%\Application Data\advantage\Advantage.EXE"
Sets value: "Skype"
With data: "%USERPROFILE%\application data\skype\phone\skype.exe" /nosplash /minimized"
Sets value: "googletalk"
With data: "%USERPROFILE%\application data\google talk\googletalk.exe /autostart"
Some variants of this malware can inject code into running processes, usually explorer.exe, and then delete itself by running the following command:
- CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL %TEMP%\6118.exe
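The Run-key persistence entries and the SYSTEMINFO-then-DEL self-deletion command described above, turned into a small triage check over constructed event records. This is an added example, not part of the original analysis; the record format, field names and sample events are assumptions, and the matching is limited to the value names and paths listed on this page.

```python
import re
from typing import Dict, Iterable, List

# Self-deletion command from this page: a chain of SYSTEMINFO calls used as a
# delay, followed by DEL of an .exe in %TEMP%. Two or more SYSTEMINFO calls are
# accepted so that shorter or longer chains of the same shape still match.
SELF_DELETE_RE = re.compile(
    r"^cmd\s+/c\s+(?:systeminfo\s*&&\s*){2,}del\s+%temp%\\[^\\\s]+\.exe\s*$",
    re.IGNORECASE,
)

# Run-key value names this family sets, with the program path it writes
# (from this page). Command-line switches are ignored when comparing.
GATAK_RUN_VALUES: Dict[str, str] = {
    "advantage": r"%userprofile%\application data\advantage\advantage.exe",
    "skype": r"%userprofile%\application data\skype\phone\skype.exe",
    "googletalk": r"%userprofile%\application data\google talk\googletalk.exe",
}

def is_self_delete_cmd(cmdline: str) -> bool:
    """True when a process command line matches the SYSTEMINFO && ... && DEL chain."""
    return SELF_DELETE_RE.match(cmdline.strip()) is not None

def is_gatak_run_value(value_name: str, data: str) -> bool:
    """True when an HKCU Run value uses one of the listed names and points into
    the per-user Application Data path shown on this page. A legitimate install
    of the same program under Program Files does not match."""
    expected = GATAK_RUN_VALUES.get(value_name.lower())
    if expected is None:
        return False
    path = data.strip().strip('"').lower()  # drop surrounding quotes
    path = path.split('"')[0]               # drop switches after a quoted path
    return path.startswith(expected)

def scan(events: Iterable[dict]) -> List[str]:
    """Return one finding per matching event (constructed record format)."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_self_delete_cmd(ev["cmdline"]):
            findings.append("self-delete chain: " + ev["cmdline"])
        elif (ev["type"] == "registry"
              and ev["key"].lower().endswith(r"\currentversion\run")
              and is_gatak_run_value(ev["value"], ev["data"])):
            findings.append("Run persistence: %s -> %s" % (ev["value"], ev["data"]))
    return findings

# Constructed sample events: two page-listed Run entries, one benign Skype
# install, and the self-deletion command. Expected: 3 findings.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Skype", "data": r'"%USERPROFILE%\application data\skype\phone\skype.exe" /nosplash /minimized'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "googletalk", "data": r"%USERPROFILE%\application data\google talk\googletalk.exe /autostart"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Skype", "data": r'"C:\Program Files\Skype\Phone\Skype.exe" /nosplash'},
    {"type": "process", "cmdline": r"CMD /C SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && SYSTEMINFO && DEL %TEMP%\6118.exe"},
]
```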
Payload
Collects system information
Malware in this family collects information about your PC and sends it to a remote server.
It does this by injecting its code into the following processes:
- explorer.exe
- winlogon.exe
- svchost.exe
We have seen it connect to the following remote servers:
- 62.149.<removed>.33
- 188.72.<removed>.35
- 91.211.<removed>.189
The malware can also download updates for itself to try to avoid detection and removal.
Downloads other malware
Some variants in this family can download a .png file from which it extracts a payload. The following are the two most common URLs we have seen it try to use to download the image file:
- hostthenpost.org/uploads/<image name>
- www.imagesup.net/?di=<image ID>
Steganography techniques are used to hide the payload data in the image file; after decryption, the data yields further IP addresses and domain names for the malware to connect to.
Analysis by Marianne Mallen and Mathieu Letourneau