Security Experts:

Shade Ransomware Updated With Backdoor Capabilities

The latest version of the Shade ransomware is no longer limited to only encrypting user’s files, but it also installs remote access tools on the infected computers, Kaspersky Lab researchers warn.

The updated Trojan can now search a compromised system for a list of installed applications, and looks for strings associated with bank software, Kaspersky’s Fedor Sinitsyn explains. Next, the malware looks for “BUH”, “BUGAL”, “БУХ”, “БУГАЛ” (accounting) in the names of the computer and its user and, if it finds a match, it downloads and executes a file from a URL in its configuration.

In such cases, the Trojan no longer searches for files on the victim’s computer to encrypt them, but only installs the additional malware, after which it exits. This malicious code was found to be a bot known as Teamspy, which abuses the legitimate TeamViewer remote control application for communication with the command and control (C&C) server.

The bot also uses two plugins that are saved in encrypted form, and which are decrypted by the ransomware in the RAM only. These plugins are basically DLLs that are called by the bot’s main module, and which provide the attackers with remote access to the infected machine through the Remote Desktop Protocol (RDP).

The first plugin, namely installvpn.pg, was meant to covertly install the TeamViewer VPN driver, while the second, named rdw.pg, was meant to covertly install the “RDP Wrapper Library” application and to modify the system settings to enable the RDP connection.

Kaspersky researchers noticed that the bot does not connect automatically to the VPN and suggested that its operators might keep this opportunity for some specific cases. The Teamspy executable is an NSIS installer that includes an NSIS-script; Standard NSIS plugins – nsExec.dll, StdUtils.dll, System.dll; the legitimate NirCmd and 7zip utilities, and two images, the second of which has an embedded password-protected 7z archive.

The malware then extracts a series of files to the hidden folder “%APPDATA%\Div,” including the TeamViewer components, the installvpn.pg, rdw.pg, and scankey.pg encrypted bot plugins, and the tv.cfg encrypted bot configuration file.

Next, the installer starts the legitimate executable file of TeamViewer, which loads the malicious library avicap32.dll, which represents the body of the bot. The malware uses DLL hijacking for this operation, and also uses several layers of encryption and obfuscation to complicate analysis, Kaspersky says.

The malicious avicap32.dll modifies the functionality of the TeamViewer process, and also hides the software window and its icon in the notification area. Because the application’s graphic interface (GUI) isn’t visible, the user might not be suspicious of its presence unless they have a look at the list of running processes. The malicious DLL also decrypts and uses the data in the configuration file.

The bot communicates with its C&C server using the HTTP protocol. It informs the server of the infection, and the server responds with a command. The bot also informs the server on the result of the executed command.

Some of the commands supported by the bot include start/stop of audio recording, start/stop of video recording of the screen, download and execute a file from a URL provided by the C&C server, and provide operators with the remote control console. The malware can also receive commands to update the configuration file and some of its fields, to update or delete plugins, control PC power (shutdown, restart), restart the bot’s own process, or self-delete.

 “Essentially the Trojan encryptors pass the initiative to the user (and it’s up to the user to decide whether to pay for their files or not) and the owners take into consideration the average financial solvency of the victim in assigning the ransom sum. The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” Sinitsyn concludes.

Related: Ransomware Operators Show Reputable "Customer" Service

Related: Europol Declares War on Ransomware

view counter