TrojanDownloader:Win32/Ogimant.gen!C

Installation

This threat might install itself with the name Xpom.

It might create shortcut files on the desktop with these names:

• Search the Internet.lnk or ПоисквИнтернет.lnk
• Classmates.lnk or Одноклассники.lnk
• Log on the Internet.lnk or Вход в Интернет.lnk
• Amigo.lnk or Друг.lnk

It might also drop and run other files in the %TEMP% folder, for example:

• cookie - related to keyword search tracking
• downloader_tmp - detected as TrojanDownloader:Win32/Ogimant.A
• ie.reg
• mailruupdater.exe
• mini_installer_inet.exe
• runprog.exe
• setup.exe

TrojanDownloader:Win32/Ogimant.gen!C connects to a certain URL to download its configuration file. We have seen it connect to:

• <domain>/get_json?stb=<num>&did=<num>&ext_partner_id=&file_id=<num>
• <domain>/get_json?stb=<num>&did=<num>&file_id=<num>

We have seen the following domains used by this threat:

• forces.2015-electroes.ru
• forces.agen-stroy.ru
• forces.all-onlinestar.ru
• forces.best-goldcold.ru
• forces.clubleads.ru
• forces.cofiles.ru
• forces.date-fox.ru
• forces.donsilverlite.ru
• forces.drive-floppy.ru
• forces.electroesmir.ru
• forces.electroes-mir.ru
• forces.electroesnews.ru
• forces.electroes-news.ru
• forces.electro-news.ru
• forces.erobomir.ru
• forces.etofiles.ru
• forces.eurosilverlite.ru
• forces.express-electro.ru
• forces.expresselectroes.ru
• forces.express-electroes.ru
• forces.fantorrentblade.ru
• forces.fast-mir.ru
• forces.files2016.ru
• forces.files-2016.ru
• forces.filescompany.ru
• forces.filesexpert.ru
• forces.fileskafe.ru
• forces.flashking-land.ru
• forces.flashkingssell.ru
• forces.floppy-shop.ru
• forces.floppy-stroy.ru
• forces.fox-date.ru
• forces.futurefiles.ru
• forces.get-minds.ru
• forces.gorupload.ru
• forces.hosting-sell.ru
• forces.hotelectro.ru
• forces.i-minds.ru
• forces.inimanforum.ru
• forces.intuploads.ru
• forces.klax-24.ru
• forces.klaxshop.ru
• forces.klax-shop.ru
• forces.kupileads.ru
• forces.kupiskylinks.ru
• forces.lastupload.ru
• forces.loadbox-stroy.ru
• forces.loadfilesbox.ru
• forces.loadinggroup.ru
• forces.loadingrus.ru
• forces.luxuploads.ru
• forces.magazinmind.ru
• forces.max-klax.ru
• forces.maxsummer.ru
• forces.miessearch.ru
• forces.mindbusiness.ru
• forces.mind-business.ru
• forces.mind-corp.ru
• forces.mindmagazine.ru
• forces.mind-magazine.ru
• forces.mindsbusiness.ru
• forces.minds-business.ru
• forces.mindscorp.ru
• forces.minds-corp.ru
• forces.minds-tour.ru
• forces.mobilesummer.ru
• forces.moimains.ru
• forces.my-minds.ru
• forces.nashi-hosting.ru
• forces.nashy-minds.ru
• forces.newzetec.ru
• forces.onlineleads.ru
• forces.onlymies.ru
• forces.onlymind.ru
• forces.only-mind.ru
• forces.onlyminds.ru
• forces.proappstoreinfo.ru
• forces.pro-appstore-market.ru
• forces.pro-leads-stroy.ru
• forces.promind24.ru
• forces.pro-mind-group.ru
• forces.pro-mind-shop.ru
• forces.prosad24.ru
• forces.prosadonline.ru
• forces.shop-leads.ru
• forces.shoprain.ru
• forces.silverlitecafe.ru
• forces.silverlitedirect.ru
• forces.silverlitesunion.ru
• forces.sitemind.ru
• forces.spb-minds.ru
• forces.sunshineblog.ru
• forces.sunshinehouse.ru
• forces.sunshine-land.ru
• forces.sunshine-life.ru
• forces.sunshine-trade.ru
• forces.super-files.ru
• forces.super-minds.ru
• forces.terrycentr.ru
• forces.terry-centr.ru
• forces.thepromonixes.ru
• forces.upfile-group.ru
• forces.upfileshop.ru
• forces.upfilestroy.ru
• forces.upfile-torg.ru
• forces.upfile-trade.ru
• forces.upload-market.ru
• forces.uploadsmarket.ru
• forces.uploads-market.ru
• forces.vashfast.ru
• forces.vashmind.ru
• forces.vash-mind.ru
• forces.vashminds.ru
• forces.vash-minds.ru
• forces.vashtrafiks.ru
• forces.vash-trafiks.ru
• forces.vipitmyfile.ru
• forces.vip-upfile.ru
• forces.vminds.ru
• forces.vseelectroes.ru
• forces.wiremy.ru
• forces.yourloadfileinfo.ru
• forces.yourloadfilemarket.ru
• forces.yourloadfile-market.ru
• forces.zonamind.ru

The configuration file is encrypted and contains the links to download files as well as instructions for the threat to collect information about your PC.

When a configuration file is inaccessible, the following message is displayed and the threat terminates:

Distributed via...

Downloads from web sites

You might inadvertently download this file if you're looking for a program that helps you download items, such as pictures or movies, from websites. It is usually downloaded for peer-to-peer or torrent download websites.

We've seen the following websites making this threat available for download:

• 5floor.by
• ecosm.by
• fotostar.by
• krovlja.by
• megaimport.by
• nzga.by
• ofis.by
• otr.by
• royalcity.by

It can also be downloaded from these IP addresses:

• 93.125.99.15
• 93.125.99.16
• 93.125.99.17
• 93.125.99.35
• 93.125.99.38

Note that both of these lists are not exhaustive.

Payload

Downloads other files

TrojanDownloader:Win32/Ogimant.gen!C downloads files based on a configuration file that it gets from a remote server. We've seen some of these configuration files being hosted on:

• dwmldr.ru
• horses.super-goldcolds.ru

It displays an installer such as the following: 

Once the installer begins you won't have any control of the files being downloaded. If the interface is closed the files continue to download in the background.

Collects information about your PC

This threat gathers information about your PC and sends it to a malicious hacker.

We have seen the following information collected:

• Antimalware software installed
• Browsers installed
• File system information (for example, if it is a C:\ NTFS type)
• Machine GUID
• OS Installed

It also checks for the following registry entries:

• HKEY_CURRENT_USER\SOFTWARE\BrowSecEx
• HKEY_CURRENT_USER\Software\ESET\ESET Security\CurrentVersion\Client
• HKEY_CURRENT_USER\Software\IScreeny
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sstins
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\stuffs
• HKEY_CURRENT_USER\Software\NetBox\KometaInstaller\Channel
• HKEY_CURRENT_USER\Software\NetBox\shortcutmaker\MirohodCommandLine
• HKEY_CURRENT_USER\Software\NetBox\shortcutmaker\PirateCodeCommandLine
• HKEY_CURRENT_USER\Software\NetBox\shortcutmaker\RulesWarCommandLine
• HKEY_CURRENT_USER\Software\Opera Software\nb_lifetime
• HKEY_CURRENT_USER\Software\Screentool
• HKEY_CURRENT_USER\Software\Screeny
• HKEY_CURRENT_USER\Software\Start Page\Start Page
• HKEY_CURRENT_USER\Software\sst
• HKEY_CURRENT_USER\Software\sst\install
• HKEY_CURRENT_USER\Software\storegid
• HKEY_CURRENT_USER\Software\storegid\v
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{1E7BF9CC-46B3-43D8-98A1-E46C7A9D6ABC}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{28480FF5-A347-4C02-BEBD-FB8E306A49B0}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{5F28D045-2F8D-4B16-B2D5-ACDF51541678}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{97B0D308-BA80-4B67-811F-6BCA1CD2C5F4}
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{F0846F08-C70E-4C3D-B3F4-B8D5B6C9D04C}
• HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info

This threat also check for the following files: 

• %APPDATA%\etranslator
• %APPDATA%\nsmls
• %APPDATA%\nsmls\manifest.json
• %APPDATA%\smw_inst
• %APPDATA%\smwdg
• %APPDATA%\smwdgt
• %APPDATA%\smwdgt\manifest.jso
• %APPDATA%\smwdgt\manifest.json
• %LOCALAPPDATA%\screentk
• %LOCALAPPDATA%\storegid
• %ProgramFiles%\AVAST Software\Avast\avastUI.ex
• %ProgramFiles%\AVAST Software\Avast\avastUI.exe
• %ProgramFiles%\ESET\ESET NOD32 Antivirus\egui.exe
• %ProgramFiles%\NosClient\nosclient.exe
• %ProgramFiles%\click-n-mark
• %ProgramFiles%\tooldev342\Weatherbar
• %ProgramFiles%\tooldev342\Weatherbar
• %USERPROFILE%\Local Settings\Application Data\screentk
• %USERPROFILE%\Local Settings\Application Data\storegid 

We have also seen it check for the following folders:

• %APPDATA%\\etranslator
• %APPDATA%\\extension
• %APPDATA%\\smw_inst
• %LOCALAPPDATA%\\extension
• %ProgramFiles%\\click-n-mark
• %ProgramFiles%\\tooldev342\\Weatherbar

The gathered information is sent back to a remote server via HTTP POST. The server then replies back with an encrypted data, which contains the URL links of all the unwanted apps that will be additionally downloaded to your PC without your consent.

Changes browser home page

TrojanDownloader:Win32/Ogimant.gen!C might change your browser start page. We have seen it changing it to http://mail.ru, although the URL may change, depending on what file or program it tries to download.

Other information

This threat uses a certificate issued to RU, Moscow, Moscow, LLC Mail.Ru, LLC Mail.Ru. This certificate might be false to make the threat look legitimate.

The social engineering techniques it uses are similar to those used by the Win32/Pameseg family as discussed in the MMPC blog post Fake apps: Behind the effective social strategy of fraudulent paid-archives.

Additional information

For more information on this threat, see the following:

• CSIS blog - Digitally signed malware 2013
• Sysmagazine - The new trojan with the valid sign-code signature of LLC Mail.Ru masked under updates of popular programs

Analysis by Ric Robielos