Unicorn: the invisible enemy of the Russian energy industry

Malware steals more than it seems: the danger grows.

In September, Kaspersky Lab specialists recorded a series of attacks on Russian energy companies using a new Trojan called Unicorn. The malicious code aims to steal sensitive information from businesses, suppliers, and developers of electronic components. The Trojan is distributed mainly through malicious emails with attachments. Unlike other similar attacks, the malware does not self-delete immediately after stealing information but continues to steal new and changed files until it is detected.

Infection occurs through files attached to emails or through links to Yandex.Disk. The attachment is a RAR archive containing a file with a double extension, .pdf.lnk (a Windows shortcut). The shortcut contains a command to download and run a file that is disguised as a PDF document but is actually an HTML application (HTA). Running this file activates a VBS script that creates two files on the computer: update.vbs and upgrade.vbs. These scripts modify the registry to enable autorun and to store encrypted malicious code.

The Trojan copies the files it needs into a special folder it creates for this purpose. It is interested in documents larger than 50 MB with the txt, pdf, doc, docx, xls, xlsx, png, rtf, jpg, zip, and rar extensions. The second script, upgrade.vbs, then sends these files to the attackers' server using the code decrypted from the registry. At the same time, information about the transferred files and their modification times is stored in text files, which lets the malware avoid sending the same documents again.
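As an added defensive example (not from the original post or from Kaspersky), the script below flags two early indicators of the chain described above: archive entries whose name pairs a document extension with an executable one (such as .pdf.lnk), and Run-key values that launch a .vbs script through a script host. The archive listing and the registry export are constructed sample data, and the path of update.vbs is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Document-looking extensions that attackers pair with an executable one (".pdf.lnk")
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".jpg", ".png"}
# Extensions that execute code when the user double-clicks the file
EXECUTABLE_EXTS = {".lnk", ".hta", ".vbs", ".js", ".exe", ".scr", ".cmd", ".bat"}

# Constructed archive listing, as a mail gateway or EDR might extract it from a RAR
ARCHIVE_ENTRIES = ["contract.pdf.lnk", "price-list v1.2.pdf", "report.docx", "scan.jpg.hta"]

# Constructed .reg export of a user's Run key; the update.vbs location is an assumption
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"update"="wscript.exe //B \"C:\\Users\\user\\AppData\\Roaming\\update.vbs\""
'''

RUN_KEY = re.compile(r"^\[HKEY_.*\\CurrentVersion\\Run(Once)?\]$", re.I)
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
SCRIPT_HINT = re.compile(r"(wscript|cscript|mshta|powershell|\.vbs|\.js|\.hta)", re.I)


def flag_double_extension(names):
    """Return entries that look like a document but carry an executable final extension."""
    flagged = []
    for name in names:
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
            flagged.append(name)
    return flagged


def flag_run_entries(reg_text):
    """Return (value name, command) for Run/RunOnce values that start a script host or script."""
    flagged, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key header: are we inside a Run key?
            in_run = bool(RUN_KEY.match(line))
            continue
        m = VALUE.match(line)
        if in_run and m and SCRIPT_HINT.search(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    print("suspicious attachments:", flag_double_extension(ARCHIVE_ENTRIES))
    print("suspicious autoruns:", flag_run_entries(REG_EXPORT))
```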

A distinctive feature of this Trojan is its ability to keep collecting data after the initial theft. According to Kaspersky Lab, such attacks can lead to significant losses, since the malware keeps transmitting information to the attackers until it is found and removed.
