Shade Ransomware Uses RAT Feature To Spy on High-Profile Victims
By Paul Liu
Saturday, March 18th, 2017
The notorious Shade ransomware has just become a lot more dangerous thanks to the addition of a RAT (Remote Access Trojan) feature. Security researchers analyzing the latest version of the ransomware were surprised to discover that the program now comes bundled with a modified version of the TeamViewer remote desktop sharing program. This allows the criminals to spy on their targets and adjust their ransom demands to suit the situation.
The Shade family of ransomware was discovered in late 2014 to early 2015 and quickly became one of the top ransomware threats in Russia. The program spreads via spam email messages or exploit kit payloads, which are downloaded automatically as soon as victims visit one of the malicious sites set up by the attackers. After the program is downloaded, it tries to connect to a remote C&C server and requests an RSA-3072 key, which is then used to encrypt files stored on the computer. Once this process is finished, the victim’s machine becomes inoperable and simply displays a warning message about the encryption of the system files. The message also asks the user to contact the attackers and pay a ransom in order to get the decryption key and restore the system to its earlier state. The good news is that security firm Kaspersky was able to crack the program’s encryption and post a free decryption tool for the program on its website.
The latest incarnation of Shade comes with a built-in spying feature. The program currently infects only Russian businesses and scans for specific strings (for example, “BUH” and “BUGAL”) that are found on computers used by the accounting departments of Russian companies. If the program finds such a string on a system, it stops the ransomware installation and instead installs a trojan known as Teamspy from a remote server. Teamspy (also known as TVRAT, TVSPY and SpY-Agent) contains a custom version of TeamViewer along with TeamViewer’s VPN driver and the RDP Wrapper Library. Teamspy allows the attackers to alter the system settings of the computer and to reach it via Remote Desktop Protocol.
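The targeting behaviour described above (accounting hosts identified by the “BUH” / “BUGAL” strings, then a Teamspy drop consisting of TeamViewer, its VPN driver and the RDP Wrapper Library) suggests a simple defender-side triage rule: hosts that match the targeting strings and carry those remote access components deserve the highest review priority. The following script is an added example, not code from the article or from Kaspersky; the inventory records are constructed, and the component name patterns are assumptions about how those products would appear in a software inventory, not verified artifact names.

```python
"""Triage helper (added example, not from the article): rank hosts by how closely
they match the Shade/Teamspy pattern -- an accounting host (name contains the
targeting strings "BUH" or "BUGAL") whose software inventory lists the remote
access components the article attributes to Teamspy.

The inventory records and the component name patterns below are constructed
for this example; a real deployment would feed records from an EDR or asset
inventory and tune the patterns to the organisation's own software names.
"""
import re
from dataclasses import dataclass

# Substrings the article says Shade looks for on accounting machines.
TARGET_MARKERS = ("BUH", "BUGAL")

# Indicators derived from the components the article lists for Teamspy.
# The regexes are illustrative assumptions, not verified file or product names.
COMPONENT_PATTERNS = {
    "teamviewer": re.compile(r"teamviewer", re.I),
    "tv_vpn_driver": re.compile(r"teamviewer.*vpn", re.I),
    "rdp_wrapper": re.compile(r"rdp\s*wrap", re.I),
}


@dataclass
class HostRecord:
    hostname: str
    installed: list  # product names as reported by the inventory


def is_accounting_host(hostname: str) -> bool:
    """True if the hostname carries one of the targeting strings."""
    upper = hostname.upper()
    return any(marker in upper for marker in TARGET_MARKERS)


def matched_components(installed) -> set:
    """Return the set of Teamspy-related component labels seen in the inventory."""
    found = set()
    for item in installed:
        for label, pattern in COMPONENT_PATTERNS.items():
            if pattern.search(item):
                found.add(label)
    return found


def risk_level(host: HostRecord) -> str:
    """Combine the targeting check with the component check into a priority.

    high   : accounting host with both TeamViewer and RDP Wrapper present
    medium : accounting host with any of the components present
    low    : non-accounting host with any of the components present
    none   : nothing of interest
    """
    components = matched_components(host.installed)
    accounting = is_accounting_host(host.hostname)
    if accounting and {"teamviewer", "rdp_wrapper"} <= components:
        return "high"
    if accounting and components:
        return "medium"
    if components:
        return "low"
    return "none"


def triage(records) -> dict:
    """Map each hostname to its risk level."""
    return {host.hostname: risk_level(host) for host in records}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    HostRecord("BUH-PC01", ["Microsoft Office", "TeamViewer",
                            "TeamViewer VPN Adapter", "RDP Wrapper Library"]),
    HostRecord("BUGAL-02", ["Microsoft Office", "TeamViewer"]),
    HostRecord("DEV-03", ["Visual Studio", "RDP Wrapper Library"]),
    HostRecord("HR-04", ["Microsoft Office"]),
]


if __name__ == "__main__":
    for name, level in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:10s} {level}")
```

The rule deliberately weights the combination rather than any single indicator: TeamViewer alone is common legitimate software, and the RDP Wrapper Library alone may be a local administrator's convenience, so only the pairing on a host that matches the targeting strings is promoted to the top of the review queue.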
Kaspersky researchers believe that Shade is using Teamspy to gather more intelligence about the target organization. Teamspy is an extremely powerful RAT which allows hackers to take snapshots, record audio, install executable files and run terminal commands on target machines. This means that criminals can now keep an eye on target organizations for an extended period of time and learn more about their financial condition before rendering their computers unusable. It can therefore be said that bundling a RAT with Shade helps the attackers extort more money from their targets.
It is not yet clear whether the criminals behind the latest version of Shade intend to target businesses in other countries as well. By adding a spying feature to the ransomware, they have certainly added a new twist to their ongoing battle against the security firms. One thing is certain: this episode is going to inspire other ransomware creators to come up with their own versions of such dangerous programs.