Sanny Malware
Trojan | 05/25/2018

Sanny Malware back into the spotlight

About: Sanny, a noxious OS infection targets Windows based OS to steal user sensitive data and exfiltrate the same to the attacker’s command-and-control server. This malicious activity is accomplished using Word Files which contains an embedded mac...  Read More  

| Trojan | Sanny Malware back into the spotlight

What is Sanny Malware?

Sanny is a pesky Trojan infection which severely harms computers with Windows operating system. The Malware makes use of User Account Control (UAC) bypass techniques to infect Windows 10 based OS.

The vicious trojan created by attackers, purportedly hailing from Korea, designed to collect personal information of “English and Russian- language diplomatic victims”. This malicious activity is accomplished using Word Files which contains an embedded macro which, when enabled, triggers an infection chain that ultimately delivers to the Sanny malware payload.

Once operational, the virus would scan and harvest log-ins and passwords for e-mail and social media accounts.

The threat caused by this software infection was first tracked in 2012 by FireEye. Since then the malware is believed to have updated to perform a multistage attack.

How does the updated Sanny Malware work?

In this phishing campaign, the initial attack is via spam email Word Document attachment (written in either English or Cyrillic) to plant the malware in the system. This stage is the same as its predecessor.

The group behind Sanny malware attacks has made significant changes in the way the payload is delivered. The malicious code is now embedded in the macro in the word document which when enabled proliferates the virus in the system. The macro when enabled executes a command and overrides the evidence of the command immediately thereafter.

Stage 1: The initial attack is carried out through embedded macro in the Word document. The macro contains a text box which when activated, executes a certutil.exe command to download an encoded Batch (BAT) file which the macro then decodes into the %TEMP% directory.

Stage 2: The BAT file then downloads a Cabinet (CAB) file which contains the malware, along with other configuration files.

The BAT file will scan the system for antivirus software. If found, the malware will react and alter its installation accordingly. Once installed, the attack stems from these CAB files.

The multistage approach of the malware makes it minacious, because when the infection is nested in several layers it is difficult to devise security solution to oust this vicious virus from the system.

Dangers posed by the malware:

Once infiltrated, the malware hijacks Microsoft Outlook accounts and browser data and steal user sensitive data which includes stored username and passwords. Sanny uses FTP as its means to exfiltrate data from the targeted system to the attacker’s command-and-control server.

Not only this the virus opens backdoors for additional malware and spywares and renders system sluggish.

Necessary precautions to prohibit the entrance of the Infection:

Unsolicited word documents containing macros have been used for a while, and something that every internet user should be trained to be wary of.

Macros by default is disabled in the word document. However, when prompted to enable, be vigilant despite the document being from a trusted source.

In other cases it is strongly recommended to keep the office macros disabled.

Threat Summary

  1. Name: Sanny Malware
  2. Browsers Affected: Google Chrome, Internet Explorer, Mozilla Firefox
  3. Targeted Operating System: Windows
  4. Category: Trojan
  5. Symptoms: The trojan impacts system performance and render it slow, The virus impacts system performance and render it slow, it hijacks browser and restricts other security programs to run, displays many annoying fake security alerts and popup messages

Steps to remove Sanny Tojan from the system

Note: Before we begin, try to remember how the extension got downloaded  on your computer system. Generally, these programs come bundled with free applications that we download off the internet. It is a good practice to locate and uninstall such programs while removing the vicious Trojan.

Step A: Reboot your system to safe mode with networking

To restart the system to Safe Mode with Networking, follow the below steps:

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

Step B:   Steps to remove Sanny Malware from the Task Manager

  1. Launch the Task Manager Window by pressing Ctrl+ Shift+ Escape simultaneously. (The task manager window may vary depending on the OS ) OR bring the mouse cursor on the Task Bar (which is present at the bottom of the computer screen), right click on the empty space  and click on Task Manager.

                                           Task Manager window for Windows 10

                                             Task Manager window for Windows 7

2 Right Click on the Suspicious File and select Open file Location.

3 In the File Location Screen that appears, Right click on the File and click on Delete, to delete the File permanently from the location.

OR

  1. Open Task Manager window again by following the  steps mentioned above.
  2. Click on the Startup tab.
  3. Select the suspicious entry and click on the Disable button present at the bottom right corner of the window

OR

  1. Open Task Manager window again by following the  steps mentioned above.
  2. Click on Services tab.
  3. Right click on the suspicious entry and click on Stop.

Step C: Remove the malicious trojan from Control Panel

Windows XP

  1. Click on the “Start” button on the bottom left corner of your screen. A Start menu will be displayed as shown below. From this menu select the option that reads “Control Panel”.Windows XP start menu image
  2. In the window that will be displayed, click the option “Switch to classic view”.Control panel switch to classic view
  3. This will display all the options/icons available to you. From the displayed icons, click on the icon that reads “Add or Remove Programs”.Windows XP add or remove a program
  4. Select the “Uninstall a program” option from the “Programs” category. A list will populate on the screen displaying all the programs.Uninstall a malicious program
  5. Select the programs related to Sanny and click on the Uninstall button.Windows XP confirmation window

Windows 7/Vista

  1. Right click on the “Start” button located at the lower left corner of the screen. From the Start menu, click on “Control Panel”.Windows 7 start menu
  2. The “Control Panel” Window will be displayed on the screen. Click on “Uninstall a Program” option from the “Programs” category.Uninstall a program from windows 7
  3. The “Programs and Features” window will be displayed on the screen. A list will populate on the screen displaying all the programs.
  4. Scroll though the list of programs and select the programs related to Sanny  and then click on the “Uninstall” button.uninstall a program in Windows 7

Windows 8/10

  1. Right click on the “Windows logo” on the lower left side of the computer screen. From the drop down menu, select and click on “Control Panel”.Windows 10 start menu
  2. The “Control Panel” window will be displayed. From this window select “Uninstall a program” option form the “Programs” category.Control panel
  3. A list will populate on the screen displaying all the programs.select programs and features option
  4. Select the programs related to Sanny and click on the “Uninstall” button.uninstall a program in windows 8
  5. In the confirmation box, click on the box that reads “OK” to save changes.

Step D: Delete the suspicious file from the Registry Key

  1. Type “Regedit” in search box / Run Box, select it and press Enter.
  2. An authorization dialog box will appear, then you just have to click “Yes”. (The dialog box appearance may vary depending on OS used. For Windows 10 the the dialog box looks like the first screenshot and for windows 7 it appears like the second screenshot)
  3. In the registry editor, take the backup of the current registry settings before making any changes in case you want to revert to old settings later. For this, Click on File option in the menu and select Export. Save the entry at a known location.
  4. From the Menu, Click Edit and Select Find.
  5. Enter Sanny and click OK in the search box.
  6. Select and delete suspicious  enteries.

Tips to prevent your computer system from getting infected –

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Sophos and Bull Guard Internet Security so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

 

Hits: 35

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866