By LoneStar in Malware

Sanny is a malware attack that seems to target certain Russian targets specifically. ESG malware researchers suspect that the Sanny infection is part of a malware attack sponsored by a specific nation or state. Sanny is contained in a malicious Microsoft Word document that uses a well-known exploit in order to attack the victim. Sanny exploits a vulnerability in Microsoft Word to drop two files on the victim's computer, two malicious EXE files and two corrupt DLL files. Sanny also drops other components designed specifically to obfuscate its presence and interfere with security software on the victim's computer. PC security researchers have named this attack 'Sanny' because one of the email addresses from which this attack is sent has the user name 'jbaksanny' at the popular Yahoo Web mail service.

One of the aspects of Microsoft Word or Adobe Acrobat Reader exploit attacks is that they give the criminals the ability to deliver a decoy document intended to distract the victim and draw attention away from the underlying malware attack. In the case of Sanny, the decoy document is typed in Cyrillic characters and seems to be designed to attract the attention of Russian computer users. Another part of the Sanny attack that has caught the attention of PC security researchers is the location of its Command and Control server (the remote location from which Sanny receives its instructions and to which Sanny sends stolen data). Sanny's command and control channel is located on a legitimate website, a message board located in Korea with the URL ''. If Sanny cannot establish an Internet connection, Sanny will check the state of the infected computer's connectivity by attempting to connect to a Korean Yahoo Web mail server. While this may seem as if the Sanny infection has been launched by Korean hackers, it is equally likely that Sanny has been created with the support of another nation (for example, China) in order to make it seem as if Korean criminals are trying to attack Russian targets.
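Because Sanny's command and control channel sits on a legitimate message board, blocking or alerting on the destination alone is not practical; what a defender can measure instead is how regularly a single host keeps contacting one destination. The following script is an added example, not code from the original article or from any vendor's product: it parses constructed proxy log lines (the timestamps, client addresses and hostnames are made up for illustration) and flags client/destination pairs whose contact intervals are nearly constant, which is the beaconing pattern a scheduled check-in produces.

```python
"""Beacon detection over constructed proxy log lines (added example).

A command and control channel hidden on a legitimate site looks ordinary
per request; the regularity of the check-ins is what stands out.  This
computes, per (client, destination) pair, the mean gap between contacts and
its coefficient of variation, and reports pairs with low variation.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, client IP, method, destination host, status.
# The .invalid TLD marks these as illustrative names, not real sites.
SAMPLE_LOG = """\
2012-12-05T09:00:00 10.0.0.7 POST board.example.invalid 200
2012-12-05T09:00:02 10.0.0.7 GET  news.example.invalid 200
2012-12-05T09:05:00 10.0.0.7 POST board.example.invalid 200
2012-12-05T09:10:01 10.0.0.7 POST board.example.invalid 200
2012-12-05T09:15:00 10.0.0.7 POST board.example.invalid 200
2012-12-05T09:20:00 10.0.0.7 POST board.example.invalid 200
2012-12-05T09:03:11 10.0.0.9 GET  news.example.invalid 200
2012-12-05T09:31:47 10.0.0.9 GET  board.example.invalid 200
2012-12-05T10:02:05 10.0.0.9 GET  news.example.invalid 200
"""


def parse_log(text):
    """Group contact timestamps by (client, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, dest, _status = line.split()
        events[(client, dest)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_contacts=4):
    """Return (mean gap in seconds, coefficient of variation), or None if too few contacts."""
    if len(timestamps) < min_contacts:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, max_cv=0.1, min_contacts=4):
    """Return sorted (client, dest, mean_gap_s, cv) tuples whose gaps are nearly constant."""
    findings = []
    for (client, dest), stamps in parse_log(text).items():
        score = beacon_score(stamps, min_contacts)
        if score is None:
            continue
        mu, cv = score
        if cv <= max_cv:
            findings.append((client, dest, round(mu), round(cv, 3)))
    return sorted(findings)


if __name__ == "__main__":
    for client, dest, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: every ~{gap}s (cv={cv})")
```

On the sample above only 10.0.0.7's five-minute POSTs to the message board are reported; the host's single visit to the news site and 10.0.0.9's irregular browsing fall below the contact threshold or have too much jitter. Software update checks and mail clients also poll on fixed schedules, so in practice the low-variation pairs are a triage list to compare against known-good destinations rather than an alert on their own, and the fallback connectivity check the article describes (a connection attempt to a Web mail server right after a failed check-in) is a second pattern worth correlating in the same logs.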

Sanny's Payload

Sanny is designed to steal MS Outlook account data as well as login data and passwords for numerous online services ranging from Web mail accounts and social media to FTP credentials. Sanny will also look for sensitive documents and continually spy on the infected computer's activities. Sanny seems to target malware researchers and computers involved in IT work, government or in the tech industry.
