System Infected: Infostealer.Napolar Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Napolar activity on a compromised machine.

Additional Information

When the Trojan is executed, it creates the following directory:
C:\Documents and Settings\All Users\Application Data\SlrPlugins\

The Trojan may create the following files:

C:\Documents and Settings\All Users\Application Data\tor.bin
C:\Documents and Settings\All Users\Application Data\torrc

The Trojan copies itself to the following path so that it runs every time Windows starts:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lsass.exe

Note: This file is hidden through API hooking.

The Trojan may create the following named pipe:
\\.\pipe\napSolar

The Trojan opens a back door and connects to port 80 on the following domain:
canc3r1nf0rmat10n.pw

The Trojan may steal the following information and send it to the remote server:

User name
Computer name

The Trojan may perform the following actions:

Inject malicious code into new processes to track them and hide itself
Steal confidential information from within a browser
Open a browser and load a web page defined by the attacker
Run a Tor service
Download and execute additional malware

Note: The Trojan is heavily packed and can avoid analysis.
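The indicators above, collected into a small host triage check. This is an added example, not Symantec's signature logic and not code from the Trojan; every name in it (`assess`, `SAMPLE_PATHS`, the confidence labels) is the example's own. It matches files by case-insensitive path suffix on the assumption that the XP-era profile paths the page lists keep the same leaf names under other roots on later Windows versions, and it reports tor.bin/torrc alone only as a weak signal because a legitimate Tor install uses the same file names; the sample inventory is constructed. Since the page notes that the Startup copy of lsass.exe is hidden through API hooking, a scan on the live host can be blinded by that hook, so the check is most trustworthy when run against an offline disk image or from a clean boot environment.

```python
"""Triage check for the Infostealer.Napolar host indicators listed on this page.

Added example: not Symantec's signature logic and not the Trojan's code. File
matching is by case-insensitive path suffix (assumption: the advisory gives XP-era
profile paths; later Windows versions keep the same leaf names under other roots).
"""
import os
from typing import Dict, Iterable, List, Tuple

# (indicator name, confidence, normalized path suffix). Suffixes are the leaf names
# from the advisory. tor.bin/torrc also exist in legitimate Tor installs, so alone
# they are only a medium signal; a SlrPlugins directory and an lsass.exe in a
# Startup folder are not legitimate anywhere (the real lsass.exe lives only in
# %SystemRoot%\System32).
FILE_INDICATORS: List[Tuple[str, str, str]] = [
    ("slrplugins_dir", "high", r"\slrplugins"),
    ("tor_binary", "medium", r"\tor.bin"),
    ("tor_config", "medium", r"\torrc"),
    ("startup_lsass", "high", r"\startup\lsass.exe"),
]
PIPE_INDICATORS = {"napsolar"}               # pipe name from the advisory: napSolar
DNS_INDICATORS = {"canc3r1nf0rmat10n.pw"}    # back-door domain contacted on port 80

# Constructed sample inventory for a dry run and for the test; not from a real host.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\SlrPlugins",
    r"C:\Documents and Settings\All Users\Application Data\tor.bin",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LSASS.EXE",
]


def normalize(path: str) -> str:
    """Lower-case, unify separators and drop any trailing separator."""
    return path.replace("/", "\\").rstrip("\\").lower()


def match_file_indicators(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (indicator, confidence, original path) for every path that matches."""
    hits = []
    for raw in paths:
        p = normalize(raw)
        for name, confidence, suffix in FILE_INDICATORS:
            if p.endswith(suffix):
                hits.append((name, confidence, raw))
    return hits


def match_pipe_indicators(pipe_names: Iterable[str]) -> List[str]:
    """Named pipes are matched case-insensitively on the bare pipe name."""
    return [n for n in pipe_names if n.lower() in PIPE_INDICATORS]


def match_dns_indicators(hostnames: Iterable[str]) -> List[str]:
    """Match queried names (and subdomains of them) against the back-door domain."""
    hits = []
    for raw in hostnames:
        h = raw.lower().rstrip(".")
        if any(h == d or h.endswith("." + d) for d in DNS_INDICATORS):
            hits.append(h)
    return hits


def assess(paths, pipe_names, hostnames) -> Dict[str, object]:
    """Combine the three indicator classes into a triage verdict."""
    file_hits = match_file_indicators(paths)
    pipe_hits = match_pipe_indicators(pipe_names)
    dns_hits = match_dns_indicators(hostnames)
    high = pipe_hits or dns_hits or any(c == "high" for _, c, _ in file_hits)
    medium = any(c == "medium" for _, c, _ in file_hits)
    verdict = "likely_infected" if high else ("weak_signal" if medium else "clean")
    return {"verdict": verdict, "file_hits": file_hits,
            "pipe_hits": pipe_hits, "dns_hits": dns_hits}


def live_candidate_paths() -> List[str]:
    """Concrete paths to test on this host, built from profile environment
    variables (assumption: several roots are tried because the profile layout
    differs across Windows versions)."""
    roots = [os.environ.get(v, "") for v in
             ("ALLUSERSPROFILE", "PROGRAMDATA", "APPDATA", "USERPROFILE")]
    leaves = [r"Application Data\SlrPlugins", "SlrPlugins",
              r"Application Data\tor.bin", "tor.bin",
              r"Application Data\torrc", "torrc",
              r"Start Menu\Programs\Startup\lsass.exe",
              r"Microsoft\Windows\Start Menu\Programs\Startup\lsass.exe"]
    return [os.path.join(r, leaf) for r in roots if r
            for leaf in leaves if os.path.exists(os.path.join(r, leaf))]


def live_pipe_names() -> List[str]:
    """Enumerate the named-pipe namespace; returns an empty list off Windows."""
    return os.listdir(r"\\.\pipe\\") if os.name == "nt" else []


if __name__ == "__main__":
    paths = live_candidate_paths() or SAMPLE_PATHS   # dry run on the sample off Windows
    report = assess(paths, live_pipe_names(), [])
    print(report["verdict"])
    for hit in report["file_hits"]:
        print("  file :", hit)
    for name in report["pipe_hits"]:
        print("  pipe :", name)
```

Run as-is on a Windows host it checks the live profile roots and pipe namespace; elsewhere it falls back to the constructed sample so the logic can be exercised. The `hostnames` argument is left for DNS query logs exported from a resolver or proxy, since the page only gives the domain and port, not a log format.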

Affected

  • Various Windows platforms
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube