My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Bunch of Trojans provide access to compromised computers

November 11, 2015

Among the huge variety of malicious programs, there is one group which encompasses applications that are not actually malicious but can still be employed by cybercriminals in pursuing their illegal goals. This category includes remote administration tools that may be used not only with a good intent but also to control computers remotely without user knowledge. Doctor Web security researchers have examined one attack scheme over the course of which a legitimate remote administration tool was used.

With the help of Exploit.CVE2012-0158.121, cybercriminals managed to distribute a whole pack of malicious programs that was named BackDoor.RatPack and was disguised as an RTF document. Once the document was opened, a malicious file was decrypted and saved to the victim's computer. It should be noted that the file, which is, in fact, an installer, has a valid digital signature (like almost any other file from BackDoor.RatPack).

screen BackDoor.RatPack #drweb

Once launched, the installer scans the system for virtual machines, monitoring programs, and debuggers. Then it initiates a search for online banking applications of several Russian financial organizations. If all the checks are successful, the installer connects to a remote server and downloads and runs another installer in NSIS (Nullsoft Scriptable Install System) format that contains a number of executable files and several password-protected archives. The second installer extracts executable files and runs them.

The installer payload bears a modification of a shareware program called Remote Office Manager—Doctor Web security researchers have detected at least three versions of this program that differ in configuration settings. By intercepting a number of system functions, the malicious program is able to conceal the tool's shortcuts in the Windows taskbar and notification area preventing the user from detecting the program. One can assume that cybercriminals employ BackDoor.RatPack to steal banking information and other confidential data by remotely controlling the compromised machine.

Signatures of all malicious files belonging to BackDoor.RatPack have been added to Dr.Web virus databases, and, therefore, they pose no threat to our users.

More about this threat

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments