Shade Ransomware Updated With Backdoor Capabilities

The latest version of the Shade ransomware is no longer limited to encrypting a user's files: it also installs remote access tools on the infected computer, Kaspersky Lab researchers warn.

The updated Trojan now enumerates the applications installed on a compromised system and looks for strings associated with banking software, Kaspersky's Fedor Sinitsyn explains. It then looks for "BUH", "BUGAL", "БУХ" or "БУГАЛ" (Russian abbreviations for accounting) in the computer name and the user name and, if it finds a match, downloads and executes a file from a URL in its configuration.

In such cases, the Trojan no longer searches for files on the victim’s computer to encrypt them, but only installs the additional malware, after which it exits. This malicious code was found to be a bot known as Teamspy, which abuses the legitimate TeamViewer remote control application for communication with the command and control (C&C) server.

The bot also uses two plugins that are stored in encrypted form and decrypted by the ransomware only in memory. These plugins are DLLs called by the bot's main module, and they provide the attackers with remote access to the infected machine through the Remote Desktop Protocol (RDP).

The first plugin, namely, was meant to covertly install the TeamViewer VPN driver, while the second, named, was meant to covertly install the “RDP Wrapper Library” application and to modify the system settings to enable the RDP connection.

Kaspersky researchers noticed that the bot does not connect to the VPN automatically and suggested that its operators may reserve this capability for specific cases. The Teamspy executable is an NSIS installer containing an NSIS script, the standard NSIS plugins nsExec.dll, StdUtils.dll and System.dll, the legitimate NirCmd and 7zip utilities, and two images, the second of which has a password-protected 7z archive embedded in it.

The malware then extracts a series of files to the hidden folder “%APPDATA%Div,” including the TeamViewer components, the,, and encrypted bot plugins, and the tv.cfg encrypted bot configuration file.

Next, the installer starts the legitimate TeamViewer executable, which loads the malicious library avicap32.dll, the body of the bot. The malware relies on DLL hijacking for this step, and it also uses several layers of encryption and obfuscation to complicate analysis, Kaspersky says.

The malicious avicap32.dll modifies the behaviour of the TeamViewer process and hides the application's window and its icon in the notification area. Because the graphical user interface (GUI) is not visible, the user is unlikely to notice its presence unless they inspect the list of running processes. The malicious DLL also decrypts and uses the data in the configuration file.
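Two of the behaviours above are easy to check for from the defender's side: the computer/user name test that decides whether a host gets the Teamspy payload instead of the encryptor, and the sideloading of avicap32.dll by TeamViewer.exe from somewhere other than the system directory. The following script is an added example, not code from Kaspersky or from this article; the Sysmon-style "Image loaded" records it parses are constructed, and the field layout is an assumption.

```python
import re

# Substrings the Trojan looks for in the computer name and user name (from the article).
ACCOUNTING_MARKERS = ("BUH", "BUGAL", "БУХ", "БУГАЛ")

# Constructed sample of image-load records (Sysmon Event ID 7 style), one per line.
# Field names mirror Sysmon's; all paths and values are made up for this example.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\TeamViewer\\TeamViewer.exe "
    "ImageLoaded=C:\\Windows\\System32\\avicap32.dll Signed=true",
    "Image=C:\\Users\\buh_ivanova\\AppData\\Roaming\\Div\\TeamViewer.exe "
    "ImageLoaded=C:\\Users\\buh_ivanova\\AppData\\Roaming\\Div\\avicap32.dll Signed=false",
    "Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll Signed=true",
]

# key=value pairs; values may contain spaces, so stop only before the next "word=".
_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Turn one flattened record into a dict of its fields."""
    return dict(_FIELD.findall(line))

def matches_accounting_profile(computer_name, user_name):
    """Mirror the Trojan's substring test so defenders can see which hosts
    would be steered to the remote-access payload rather than the encryptor."""
    haystack = (computer_name + "|" + user_name).upper()  # upper() also folds Cyrillic
    return any(marker in haystack for marker in ACCOUNTING_MARKERS)

def is_hijacked_avicap32(event):
    """True when TeamViewer.exe loads avicap32.dll from anywhere except
    System32/SysWOW64, the DLL-hijack pattern the article describes."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("teamviewer.exe") or not loaded.endswith("\\avicap32.dll"):
        return False
    legit_dirs = ("\\windows\\system32\\", "\\windows\\syswow64\\")
    return not any(d in loaded for d in legit_dirs)

def scan(lines):
    """Return the ImageLoaded paths of every suspicious record in the input."""
    return [parse_event(l)["ImageLoaded"] for l in lines if is_hijacked_avicap32(parse_event(l))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious avicap32.dll load:", hit)
```

The path check deliberately ignores the Signed field, since a sideloaded copy placed next to a legitimately signed TeamViewer.exe is exactly the case to catch.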

The bot communicates with its C&C server over HTTP. It reports the infection to the server, the server responds with a command, and the bot then reports the result of executing that command.

The commands supported by the bot include starting and stopping audio recording, starting and stopping video recording of the screen, downloading and executing a file from a URL supplied by the C&C server, and giving the operators a remote control console. The malware can also receive commands to update the configuration file or individual fields in it, to update or delete plugins, to control PC power (shutdown, restart), to restart the bot's own process, or to delete itself.

“Essentially the Trojan encryptors pass the initiative to the user (and it’s up to the user to decide whether to pay for their files or not) and the owners take into consideration the average financial solvency of the victim in assigning the ransom sum. The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” Sinitsyn concludes.
