In the past few weeks, we have seen increasing numbers of infections related to TROJ_GATAK, especially in the North American region. This malware family is not particularly well known; we discussed it in 2012 in relation to file infectors that were hitting Dutch users.
In checking for the cause of this increase, we found that the malware is currently being distributed in the wild as key generators for various applications. These range from expensive, specialized engineering and scientific software, to multimedia editing tools, to benchmarking software, and even to games:
We detect this malware as TROJ_GATAK.FCK. If users download and run this file – in the belief that it is a key generator – it will drop a file under the %AppData% folder (also detected as TROJ_GATAK.FCK) and create a corresponding autostart registry entry.
This dropped file poses as a legitimate file related to Google Talk or Skype; alternatively, it might use the generic name AdVantage.exe. It drops an encrypted file in a randomly named folder under %Application Data%\Microsoft. This file is later decrypted in memory.
The decrypted file contains shellcode and the URLs from which to download the payload. Some variants download an image file that contains the encrypted code; the image looks like this and appears to be a stock photo from Sri Lanka:
Figure 1. Downloaded image
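The dropper behaviour described above (an autostart entry pointing at a lookalike executable under %AppData%, plus an encrypted blob written to a random folder under %AppData%\Microsoft) is concrete enough to hunt for in host telemetry. The following is an added example written for this page, not Trend Micro's code and not derived from the sample: it runs two checks over constructed, Sysmon-style event records. The field names (`type`, `key`, `data`, `path`) and the lookalike filenames (`googletalk.exe`, `AdVantage.exe`) are assumptions, since the write-up names the impersonated products but not exact filenames.

```python
"""Triage helper for the TROJ_GATAK dropper pattern described in the post.

Rule 1: a Run-key value whose data points to an executable under %AppData%
        that masquerades as Google Talk or Skype, or is named AdVantage.exe.
Rule 2: a non-executable file written to an unfamiliar folder directly under
        %AppData%\\Microsoft (the encrypted blob decrypted later in memory).

Event records and field names below are CONSTRUCTED for this example and
follow no particular product's schema.
"""
import re
from dataclasses import dataclass

# Name fragments the post says the dropped file impersonates (assumed spellings).
LOOKALIKE_NAMES = ("googletalk", "skype", "advantage")

# %AppData% is <profile>\AppData\Roaming on Vista and later and
# <profile>\Application Data on XP; accept both spellings.
APPDATA_RE = re.compile(r"\\(AppData\\Roaming|Application Data)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)

# Folder directly under %AppData%\Microsoft plus the file inside it.
MS_SUBDIR_RE = re.compile(
    r"\\(?:AppData\\Roaming|Application Data)\\Microsoft\\([^\\]+)\\([^\\]+)$",
    re.IGNORECASE,
)
# Legitimate subfolders that commonly hold non-executable data; anything else is
# treated as suspicious. Extend this allow-list for your own environment.
KNOWN_MS_SUBDIRS = {"windows", "office", "crypto", "protect", "credentials",
                    "internet explorer", "systemcertificates", "vault"}


@dataclass
class Finding:
    rule: str
    evidence: str


def _is_lookalike(path):
    """True if the file name is an .exe containing one of the impersonated names."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(".exe") and any(tag in name for tag in LOOKALIKE_NAMES)


def check_registry_event(ev):
    """Rule 1: Run-key autostart whose target is a lookalike executable in %AppData%."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev.get("key", "")):
        return None
    target = ev.get("data", "")
    if APPDATA_RE.search(target) and _is_lookalike(target):
        return Finding("gatak_autostart", f"{ev['key']} -> {target}")
    return None


def check_file_event(ev):
    """Rule 2: non-executable file in an unknown folder under %AppData%\\Microsoft."""
    if ev.get("type") != "file_create":
        return None
    m = MS_SUBDIR_RE.search(ev.get("path", ""))
    if not m:
        return None
    subdir, fname = m.group(1), m.group(2)
    if subdir.lower() in KNOWN_MS_SUBDIRS or fname.lower().endswith((".exe", ".dll")):
        return None
    return Finding("gatak_encrypted_blob", ev["path"])


def triage(events):
    """Apply both rules to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_registry_event, check_file_event):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two GATAK-like events followed by two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleTalk",
     "data": r"C:\Users\alice\AppData\Roaming\googletalk.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Qx7Fk2Lp\data.bin"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\doc.lnk"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding.rule, finding.evidence)
```

Both rules are heuristics: the autostart check keys on the impersonated names the post mentions, and the blob check fires on any unfamiliar folder under %AppData%\Microsoft, so tune `KNOWN_MS_SUBDIRS` before running it over real endpoint data.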
The payload in this particular attack is fake antivirus software (FAKEAV) that, as is the case with all FAKEAV malware, displays fake virus detection alerts and asks the user to pay in order to successfully clean the machine. This variant is detected as TROJ_FAKEAV.SMWV.
Fake antivirus software has declined significantly from its heyday several years ago (in part due to crackdowns on its payment systems). Since then, it has been overshadowed first by police ransomware and then, in more recent months, by CryptoLocker. The tips we shared back then remain valid against threats like this should they be spotted in the wild again.
The Trend Micro™ Smart Protection Network™ protects users from this threat by blocking access to all related malicious URLs and preventing the download and execution of the malicious file.