The Shade Ransomware with New RAT Features to Determine Worthwhile Victims

Cybercriminals are using a Remote Access Trojan (RAT) to spy on their victims' financial status and decide how much ransom to demand from them.

Researchers have discovered an interesting feature in the latest variants of the Shade ransomware: Shade can now install a modified version of TeamViewer on infected systems so that the crooks can spy on their targets and, based on the information gathered, decide how much money to ask for.

However, these new Shade variants target only Russian-based companies running accounting software. According to Kaspersky, before actually attacking its target, Shade checks the computer name for strings such as “BUH”, “BUGAL”, “БУХ” or “БУГАЛ” (abbreviations of the Russian word for accountant), which are most likely to be found on computers used by Russian accounting departments. If Shade detects any of them, it aborts the ransomware installation and instead drops a RAT named Teamspy. The RAT also goes by the names TVSPY, TVRAT and SpY-Agent.
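The victim-selection check described above, reimplemented as an added example for defenders (this is not Shade's own code, and it is not from Kaspersky). It answers the question a practitioner actually has: which hosts in my inventory would Shade route to the Teamspy RAT rather than to the ransomware, so that those machines are the ones to hunt for hidden TeamViewer and RDP Wrapper artifacts on. The marker list is the one the article reports; the assumption that the match is case-insensitive (Windows computer names are case-insensitive, and the markers mix Latin and Cyrillic) and the host inventory are constructed for the example.

```python
# Added example: Shade's accounting-host heuristic as a defender-side triage.
# Not Shade's code; the marker strings come from the article, the rest is assumed.

# Substrings the article reports Shade looks for in the computer name.
SHADE_ACCOUNTING_MARKERS = ("BUH", "BUGAL", "БУХ", "БУГАЛ")


def matches_accounting_host(computer_name: str) -> bool:
    """Return True if the computer name contains one of the reported markers.

    Assumption: the comparison is case-insensitive. casefold() (rather than
    lower()) is used so that Cyrillic names such as "ws-БУХ-07" and Latin
    names such as "bugalter-03" are both normalised before the substring test.
    """
    name = computer_name.casefold()
    return any(marker.casefold() in name for marker in SHADE_ACCOUNTING_MARKERS)


def shade_outcome(computer_name: str) -> str:
    """What the article says Shade does with a host: drop the Teamspy RAT on
    accounting machines, run the ransomware everywhere else."""
    return "teamspy_rat" if matches_accounting_host(computer_name) else "ransomware"


def triage_inventory(hostnames):
    """Split a host inventory by expected Shade behaviour.

    Hosts in the "teamspy_rat" bucket are the ones on which to look for the
    hidden TeamViewer 6, the TeamViewer VPN driver, RDP Wrapper, NirCmd and
    7-Zip components the article describes.
    """
    buckets = {"teamspy_rat": [], "ransomware": []}
    for host in hostnames:
        buckets[shade_outcome(host)].append(host)
    return buckets


# Constructed inventory for the example; not real hosts.
CONSTRUCTED_INVENTORY = [
    "BUH-PC01",        # Latin marker, uppercase
    "bugalter-03",     # Latin marker inside a longer word, lowercase
    "ws-бух-07",       # Cyrillic marker, lowercase
    "DESKTOP-7F3K2",   # generic Windows default name
    "SALES-12",
    "fileserver",
    "БУГАЛ-ГЛАВ",      # Cyrillic marker, uppercase
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts)}")
```

Run as-is to see the split; swap `CONSTRUCTED_INVENTORY` for a hostname export from your directory or asset system to get the list of machines that would be selected for the RAT.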

The malware authors bundled a modified TeamViewer 6 with the RAT, altered to hide its GUI. The crooks also install the TeamViewer VPN driver and the RDP Wrapper Library, which are used to open VPN connections and interact with the RDP protocol. Teamspy additionally includes the NirCmd command-line utility and the legitimate 7-Zip archiving tool.

With these Teamspy components the cybercriminals are able to alter the infected machine's OS settings, open an RDP connection, and use TeamViewer to connect to the infected device.
Kaspersky believes that the main purpose of the Teamspy RAT is to let the crooks collect valuable information about their target and adjust the ransom demand accordingly.

“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” says Kaspersky researcher Fedor Sinitsyn.

With the Teamspy RAT, the cybercriminals can record the victim’s desktop, run terminal commands, record audio from the infected system, and download and install additional executables if necessary. Once the malware authors decide, based on the information gathered, that the target is worth it and the ransom sum has been set, they drop the Shade ransomware.

