
System Infected: Trojan.RapidStealer Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Rapidstealer network activity.

Additional Information

The Trojan may arrive packaged with the following VPN applications:

Ultrasurf
GerdooVPN
Psiphon

When the Trojan is executed, it creates the following files:

%UserProfile%\Application Data\IntelRapidStart\DelphiNative.dll
%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe.config
%UserProfile%\Application Data\IntelRapidStart\AppTransferWiz.dll
%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
%UserProfile%\Application Data\IntelRapidStart\RapidStartTech.stl

The Trojan creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart"=%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart"=%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe

The Trojan may steal the following information from the compromised computer:

Screenshots
Key logs
Clipboard data
Computer name
User name
Installed applications
IP address
Open ports
Language settings
Process lists
User credentials stored in Chrome, Firefox, Opera, and Internet Explorer
Bookmarks stored in Chrome, Firefox, Opera, and Internet Explorer
Cookies stored in Chrome, Firefox, Opera, and Internet Explorer
Browsing history for Chrome, Firefox, Opera, and Internet Explorer
Proxy settings for Chrome, Firefox, Opera, and Internet Explorer
User credentials for Gtalk, Pidgin, Skype, and Yahoo Messenger
User credentials for Proxifier

The Trojan uploads the stolen information to one of the following servers:

intel-update.com
ultrasms.ir
account-verify.net
secure.sitanetwork.tk
88.150.227.197
windows.update-mirror.com

The Trojan can download updates of itself from the previously mentioned servers.

Affected

  • Windows

Response

Delete the following files:
%UserProfile%\Application Data\IntelRapidStart\DelphiNative.dll
%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe.config
%UserProfile%\Application Data\IntelRapidStart\AppTransferWiz.dll
%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
%UserProfile%\Application Data\IntelRapidStart\RapidStartTech.stl

Delete the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart"=%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IntelRapidStart"=%UserProfile%\Application Data\IntelRapidStart\IntelRS.exe
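As an added example, not part of the Symantec signature page, the following PowerShell script checks a host for the Run-key persistence entries and dropped files listed above, records file hashes for the incident record, and removes the artifacts when run with remediation enabled. The function names and the `$env:APPDATA` fallback (for hosts where `Application Data` is only a compatibility junction) are assumptions of this example.

```powershell
# Added example: detect and remove the Trojan.RapidStealer artifacts named in the
# advisory. Value name, key paths and file names come from the signature page;
# the $env:APPDATA location and function names are assumptions of this example.
$RunValueName = 'IntelRapidStart'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$FileNames = @('DelphiNative.dll', 'IntelRS.exe.config', 'AppTransferWiz.dll',
               'IntelRS.exe', 'RapidStartTech.stl')
# Advisory path plus the modern Roaming profile location it maps to on Vista+.
$Dirs = @("$env:USERPROFILE\Application Data\IntelRapidStart",
          "$env:APPDATA\IntelRapidStart") | Select-Object -Unique

function Find-RapidStealerArtifacts {
    $found = @()
    foreach ($key in $RunKeys) {
        $item = Get-ItemProperty -Path $key -Name $RunValueName -ErrorAction SilentlyContinue
        if ($item) {
            $found += [pscustomobject]@{ Type = 'Registry'; Key = $key
                                         Path = "$key\$RunValueName"; Data = $item.$RunValueName }
        }
    }
    foreach ($dir in $Dirs) {
        foreach ($name in $FileNames) {
            $p = Join-Path $dir $name
            if (Test-Path -LiteralPath $p) {
                # Hash before deletion so the IoC survives in the incident record.
                $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
                $found += [pscustomobject]@{ Type = 'File'; Key = $null; Path = $p; Data = $h }
            }
        }
    }
    return $found
}

function Remove-RapidStealerArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # The running IntelRS.exe holds its own file open; stop it before deleting.
    Stop-Process -Name 'IntelRS' -Force -ErrorAction SilentlyContinue
    foreach ($a in Find-RapidStealerArtifacts) {
        if (-not $PSCmdlet.ShouldProcess($a.Path, 'Remove')) { continue }
        if ($a.Type -eq 'Registry') { Remove-ItemProperty -Path $a.Key -Name $RunValueName }
        else { Remove-Item -LiteralPath $a.Path -Force }
    }
}

Find-RapidStealerArtifacts | Format-Table -AutoSize   # report only
# Remove-RapidStealerArtifacts -WhatIf                 # drop -WhatIf to remediate
```

Run the report first from an elevated prompt, since the HKLM value and the hashes are the evidence worth keeping; removing the files does not address how the bundled VPN installer reached the host.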