Ransomware/RAT combo searches for solvent businesses

The latest version of the Shade ransomware comes with a stealthy remote access Trojan, likely used to better gauge the amount of money the criminals can demand from the victims.

This variant of the Shade ransomware (also known as Troldesh) was made with specific targets in mind: companies in Russia and the CIS region.

The Trojan searches the list of installed applications and looks for strings associated with bank software

“For the initial check, the updated Trojan searches the list of installed applications and looks for strings associated with bank software. After that the ransomware looks for ‘BUH’, ‘BUGAL’, ‘БУХ’, ‘БУГАЛ’ (accounting) in the names of the computer and its user. If a match is found, the Trojan skips the standard file search and encryption procedure and instead downloads and executes a file from the URL stored in the Trojan’s configuration, and then exits,” Kaspersky Lab researchers have discovered.

The downloaded file is Teamspy, a modified version of the TeamViewer 6 legal remote control utility that doesn’t have a GUI or an icon. It also comes with two plugins: one that covertly installs the TeamViewer VPN driver, and one that installs the RDP Wrapper Library and opens a RDP connection on the computer.

Thus equipped, the infected computer is ready to be spied on.

Among the things Teamspy can do is record audio and video, allow the attackers to remotely access the machine, and to download and execute other malicious files.

That last capability will come in handy if the attackers decide that the target could be forced into paying a considerable ransom.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” Kaspersky’s Fedor Sinitsyn noted.

They might ultimately opt for stealing banking credentials and try to syphon as much money as possible from the company account.

Victims of Shade ransomware versions 1 or 2 can try to decrypt encrypted files through the No More Ransom website, set up by the Dutch National Police, Europol, Intel Security and Kaspersky Lab.

More about

Don't miss