The crooks behind the most recent versions of Shade have added an interesting new tidbit to their malware, installing a modified version of TeamViewer on infected systems so they could spy on their targets and adjust the ransom note accordingly.
This new Shade version only targets Russian companies that are running accounting software on their computers. According to Kaspersky researchers, before infecting a target, this Shade version's installation routine checks the computer name for strings such as “BUH,” “BUGAL,” “БУХ,” “БУГАЛ.” These strings are likely to be found in the names of computers used by the accounting departments of Russian-speaking companies.
If Shade finds any of these strings, it stops the ransomware installation process and instead delivers another trojan called Teamspy, also known as TVSPY, TVRAT, or SpY-Agent. The trojan contains a modified version of TeamViewer 6 that the malware authors have altered to hide its GUI. The trojan also includes the legitimate 7Zip archiving tool and the NirCmd command-line utility.
Furthermore, the crooks are also installing the TeamViewer VPN driver and the RDP Wrapper Library, used to open VPN connections and interact with the RDP protocol. All of these utilities delivered inside Teamspy allow the crooks to modify OS settings on infected systems, open an RDP connection, and use TeamViewer to connect to the infected system.
Crooks using Teamspy to determine the proper ransom sum
Kaspersky suggests that the crooks are using Teamspy’s RAT (Remote Access Trojan) features to gather intelligence on the infected computer, to determine the appropriate ransom sum.
“The option of remote access to an infected accounting system allows the malefactor to secretly keep an eye on the victim’s activities and collect detailed information on the victim’s solvency in order to use the most efficient way of getting cash,” suggests Kaspersky’s Fedor Sinitsyn.
Teamspy is quite a powerful RAT and allows a crook to record audio from infected systems, record the victim’s desktop, run terminal commands, and download and install other executables.
Crooks are delivering the Shade ransomware at a later point
This last feature is most likely used to deliver the Shade ransomware at a later point in time, after the crooks have deemed the target important and decided on the ransom amount.
Shade is one of today’s most popular ransomware families, but Kaspersky researchers cracked its encryption and have provided a free decrypter via the No More Ransom initiative. Another name for the Shade ransomware is Troldesh.
This is not the first time malware has specifically targeted Russian businesses. In late June, Dr.Web discovered a trojan coded in 1C, a programming language used mostly in Russia. This trojan was delivering ransomware to companies using 1C:Enterprise, a popular accounting software in Russia.