
SecurityWeek

Malware & Threats

Shade Ransomware Updated With Backdoor Capabilities

The latest version of the Shade ransomware is no longer limited to encrypting users’ files: it also installs remote access tools on the infected computers, Kaspersky Lab researchers warn.


The updated Trojan now retrieves the list of applications installed on a compromised system and looks for strings associated with banking software, Kaspersky’s Fedor Sinitsyn explains. Next, the malware looks for “BUH”, “BUGAL”, “БУХ” or “БУГАЛ” (accounting) in the names of the computer and its user and, if it finds a match, downloads and executes a file from a URL in its configuration.

In such cases, the Trojan no longer searches the victim’s computer for files to encrypt; it only installs the additional malware and then exits. This malicious code was found to be a bot known as Teamspy, which abuses the legitimate TeamViewer remote control application to communicate with the command and control (C&C) server.
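The targeting decision above determines which hosts receive the backdoor instead of the encryptor. The following is an added example, not Kaspersky’s or SecurityWeek’s code, that runs that decision over a constructed asset inventory so a defender can see which machines in a fleet would be singled out for remote access. The article names the four markers but not the comparison rule, so a case-insensitive substring match on the computer name and user name is an assumption here; the host and user names are constructed.

```python
# Added example (not Kaspersky's or SecurityWeek's code): reproduce the
# accounting-host trigger described in the article against an asset
# inventory, so defenders can see which machines would receive the Teamspy
# backdoor rather than the encryptor. The article names the four markers but
# not the comparison rule; a case-insensitive substring match is ASSUMED here.
ACCOUNTING_MARKERS = ("BUH", "BUGAL", "БУХ", "БУГАЛ")


def matches_accounting_marker(name: str) -> bool:
    """True if any marker appears in `name`, ignoring case (Latin and Cyrillic)."""
    upper = name.upper()
    return any(marker in upper for marker in ACCOUNTING_MARKERS)


def would_get_backdoor(computer_name: str, user_name: str) -> bool:
    """The Trojan checks both the computer name and the user name; either suffices."""
    return matches_accounting_marker(computer_name) or matches_accounting_marker(user_name)


def prioritized_hosts(inventory):
    """Return computer names from (computer, user) pairs that match the trigger."""
    return [computer for computer, user in inventory if would_get_backdoor(computer, user)]


# Constructed sample inventory (hypothetical names, not from the article).
SAMPLE_INVENTORY = [
    ("BUH-PC01", "ivanova"),        # computer name carries the Latin marker
    ("WS-0042", "glavbuh"),         # only the user name matches
    ("DESIGN-03", "petrov"),        # neither matches
    ("бухгалтерия-2", "admin"),     # Cyrillic marker in the computer name
]

if __name__ == "__main__":
    for host in prioritized_hosts(SAMPLE_INVENTORY):
        print("would be backdoored instead of encrypted:", host)
```

Hosts returned by `prioritized_hosts` are the ones whose naming convention exposes them to the remote-access path, which is a reason to check them first for the TeamViewer and RDP artifacts described later in the article.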

The bot also uses two plugins that are stored in encrypted form and decrypted by the ransomware only in RAM. These plugins are DLLs called by the bot’s main module, and they provide the attackers with remote access to the infected machine through the Remote Desktop Protocol (RDP).

The first plugin, installvpn.pg, covertly installs the TeamViewer VPN driver, while the second, rdw.pg, covertly installs the “RDP Wrapper Library” application and modifies the system settings to enable RDP connections.

Kaspersky researchers noticed that the bot does not connect to the VPN automatically and suggested that its operators might reserve this capability for specific cases. The Teamspy executable is an NSIS installer that includes an NSIS script; the standard NSIS plugins nsExec.dll, StdUtils.dll and System.dll; the legitimate NirCmd and 7zip utilities; and two images, the second of which has an embedded password-protected 7z archive.

The installer then extracts a series of files to the hidden folder “%APPDATA%Div,” including the TeamViewer components, the encrypted bot plugins installvpn.pg, rdw.pg and scankey.pg, and the encrypted bot configuration file tv.cfg.

Next, the installer starts the legitimate TeamViewer executable, which loads the malicious library avicap32.dll, the body of the bot. The malware relies on DLL hijacking for this step, and uses several layers of encryption and obfuscation to complicate analysis, Kaspersky says.


The malicious avicap32.dll modifies the functionality of the TeamViewer process and hides the software’s window and its icon in the notification area. Because the application’s graphical user interface (GUI) is not visible, the user is unlikely to notice its presence unless they look at the list of running processes. The malicious DLL also decrypts and uses the data in the configuration file.
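Since the only visible trace is in the process list, the two host artifacts the article describes are worth hunting for directly: a TeamViewer process that loaded avicap32.dll from somewhere other than the Windows system directory (the DLL-hijacking step), and Teamspy’s plugin and configuration files under the hidden Div folder. The following is an added example, not Kaspersky’s or SecurityWeek’s code, that runs both checks over constructed telemetry. It assumes a process inventory shaped as (process name, image path, loaded module paths), as an EDR or Sysmon image-load feed would provide, and that the article’s “%APPDATA%Div” expands to a Div folder under AppData\Roaming; the paths and file listing are constructed.

```python
# Added example (not Kaspersky's or SecurityWeek's code): hunt for the two
# host artifacts the article describes, a TeamViewer process that loaded
# avicap32.dll from somewhere other than the Windows system directory (the
# DLL-hijacking step) and Teamspy's files under the hidden Div folder.
# ASSUMED: the inventory shape (process name, image path, loaded module paths)
# such as an EDR or Sysmon image-load feed would give, and that the article's
# "%APPDATA%Div" expands to ...\AppData\Roaming\Div.
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# File names the article attributes to the Div folder.
DIV_ARTIFACTS = {"avicap32.dll", "installvpn.pg", "rdw.pg", "scankey.pg", "tv.cfg"}


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify separators for comparison."""
    return path.replace("/", "\\").lower()


def is_system_path(path: str) -> bool:
    """True if the path lies under System32 or SysWOW64."""
    return _norm(path).startswith(SYSTEM_DIRS)


def find_hijacked_teamviewer(processes):
    """Return (image, module) pairs where TeamViewer.exe loaded a non-system avicap32.dll."""
    findings = []
    for name, image, modules in processes:
        if name.lower() != "teamviewer.exe":
            continue
        for mod in modules:
            if ntpath.basename(_norm(mod)) == "avicap32.dll" and not is_system_path(mod):
                findings.append((image, mod))
    return findings


def find_div_artifacts(file_paths):
    """Return paths of known Teamspy file names inside an AppData\\Roaming\\Div folder."""
    hits = []
    for path in file_paths:
        low = _norm(path)
        if "\\appdata\\roaming\\div\\" in low and ntpath.basename(low) in DIV_ARTIFACTS:
            hits.append(path)
    return hits


# Constructed sample telemetry (hypothetical paths, not from the article).
SAMPLE_PROCESSES = [
    ("TeamViewer.exe",                      # hijacked: avicap32.dll next to the binary
     "C:\\Users\\buh\\AppData\\Roaming\\Div\\TeamViewer.exe",
     ["C:\\Windows\\System32\\kernel32.dll",
      "C:\\Users\\buh\\AppData\\Roaming\\Div\\avicap32.dll"]),
    ("TeamViewer.exe",                      # legitimate install: avicap32.dll from System32
     "C:\\Program Files\\TeamViewer\\TeamViewer.exe",
     ["C:\\Windows\\System32\\avicap32.dll"]),
    ("notepad.exe", "C:\\Windows\\System32\\notepad.exe",
     ["C:\\Windows\\System32\\kernel32.dll"]),
]

SAMPLE_FILES = [
    "C:\\Users\\buh\\AppData\\Roaming\\Div\\tv.cfg",
    "C:\\Users\\buh\\AppData\\Roaming\\Div\\rdw.pg",
    "C:\\Users\\buh\\AppData\\Roaming\\Div\\readme.txt",   # unknown name, ignored
    "C:\\Users\\buh\\Documents\\tv.cfg",                    # right name, wrong folder
]

if __name__ == "__main__":
    for image, module in find_hijacked_teamviewer(SAMPLE_PROCESSES):
        print("TeamViewer loaded non-system avicap32.dll:", image, "->", module)
    for path in find_div_artifacts(SAMPLE_FILES):
        print("Teamspy artifact:", path)
```

The module check keys on the load path rather than the file name alone, because a legitimate TeamViewer install also loads avicap32.dll, from System32; it is the copy sitting beside the relocated binary that marks the hijack.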

The bot communicates with its C&C server over HTTP. It informs the server of the infection, and the server responds with a command. The bot also reports the result of the executed command back to the server.

The commands supported by the bot include starting and stopping audio recording, starting and stopping video recording of the screen, downloading and executing a file from a URL provided by the C&C server, and giving the operators a remote control console. The malware can also receive commands to update the configuration file or some of its fields, to update or delete plugins, to control PC power (shutdown, restart), to restart the bot’s own process, or to self-delete.

“Essentially the Trojan encryptors pass the initiative to the user (and it’s up to the user to decide whether to pay for their files or not) and the owners take into consideration the average financial solvency of the victim in assigning the ransom sum. The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” Sinitsyn concludes.

Related: Ransomware Operators Show Reputable “Customer” Service

Related: Europol Declares War on Ransomware
