A new spyware Trojan aimed at Russian users exclusively was recently observed targeting various accounting applications, as well as instant messaging, email, and Microsoft Office programs, in an attempt to exfiltrate sensitive data.
Detected as Trojan.PWS.Spy.19338, the malware was designed to steal the information entered in the windows of nearly a dozen programs and to be launched directly into the computer’s memory in decrypted form. All of the stolen information is sent to a remote server encrypted with the RC4 algorithm and then XOR, Doctor Web researchers reveal.
The spyware is distributed by a dropper Trojan called Trojan.MulDrop6.44482, which was designed to spread various other malicious programs, including Trojan.Inject2.24412, a Trojan that embeds malicious libraries into processes launched on the infected computer.
According to Doctor Web researchers, before infecting a computer, Trojan.MulDrop6.44482’s installer checks the system for anti-malware programs such as Dr.Web, Avast, ESET, or Kaspersky, and terminates itself if it detects one of them. Moreover, the malware checks whether the computer uses the Russian localization of Windows, and terminates itself if it doesn’t.
On systems with the Russian language enabled and without one of the aforementioned anti-virus programs, the malware saves a 7z unpacker and a password-protected archive on the disk, after which it proceeds to retrieve files from the archive one by one. Some of these include programs and dynamic libraries that serve different purposes, along with the aforementioned Trojan and spyware.
According to the security researchers, Trojan.PWS.Spy.19338 is launched directly in the computer’s memory, although an encrypted copy is dropped to the disk. The Trojan appears to have a modular architecture, while its main purpose is to log keystrokes and to collect information about the system, after which it sends the collected details to its operators.
Before sending the data to the attackers’ server, the spyware encrypts it with the RC4 algorithm and then with XOR, researchers say. The logged keystrokes are saved on the disk as a special file, and its content is sent to the server every minute. To the exfiltrated information, the malicious program attaches the name of the application the keystrokes were logged from.
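The two-layer encoding described above (RC4, then XOR, with the source application's name attached to each record) is easy to reverse once an analyst has recovered the keys from a sample. The following is an added example, not Doctor Web's code or the Trojan's: the keys, the record layout and the sample keystrokes are constructed assumptions, not the real parameters of Trojan.PWS.Spy.19338.

```python
# Added example: analyst-side helper that applies and strips the two layers
# the article describes (RC4, then XOR) on an exfiltrated keystroke record.
# Keys and record layout below are CONSTRUCTED for this example; they are not
# the real parameters of Trojan.PWS.Spy.19338.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream cipher; the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_layer(data: bytes, xor_key: bytes) -> bytes:
    """Repeating-key XOR; also its own inverse."""
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))

def encode_record(app_name: str, keystrokes: str, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Build 'app<TAB>keystrokes' (assumed layout) and apply RC4 first, then XOR."""
    record = f"{app_name}\t{keystrokes}".encode("utf-8")
    return xor_layer(rc4(rc4_key, record), xor_key)

def decode_record(blob: bytes, rc4_key: bytes, xor_key: bytes) -> tuple:
    """Strip the layers in reverse order (XOR, then RC4) and split out the app name."""
    plain = rc4(rc4_key, xor_layer(blob, xor_key))
    app_name, _, keystrokes = plain.decode("utf-8").partition("\t")
    return app_name, keystrokes

# Constructed sample keys (assumptions for this example only).
SAMPLE_RC4_KEY = b"example-rc4-key"
SAMPLE_XOR_KEY = b"\x5a"

if __name__ == "__main__":
    blob = encode_record("1C version 8", "invoice 4711", SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)
    print(blob.hex())
    print(decode_record(blob, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY))
```

Because both RC4 and repeating-key XOR are their own inverse, the decoder is just the encoder's layers applied in the opposite order; the same structure works for any captured record once the two keys are known.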
According to Doctor Web, in addition to accounting programs such as 1C version 8, 1C version 7 and 7.7, and SBIS++, the spyware also targets Microsoft Office applications such as Word and Excel, as well as messaging and mail programs like Skype, Microsoft Outlook, Microsoft Outlook Express and Windows Mail, and Mozilla Thunderbird.
What’s more, the spyware also appears to have been designed to collect information about connected smart card devices. At the same time, it includes a series of components specifically designed to send information about the system to the C&C server, Doctor Web’s security researchers warn.