Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to news

Bunch of Trojans provide access to compromised computers

November 11, 2015

Among the huge variety of malicious programs, there is one group which encompasses applications that are not actually malicious but can still be employed by cybercriminals in pursuing their illegal goals. This category includes remote administration tools that may be used not only with a good intent but also to control computers remotely without user knowledge. Doctor Web security researchers have examined one attack scheme over the course of which a legitimate remote administration tool was used.

With the help of Exploit.CVE2012-0158.121, cybercriminals managed to distribute a whole pack of malicious programs that was named BackDoor.RatPack and was disguised as an RTF document. Once the document was opened, a malicious file was decrypted and saved to the victim's computer. It should be noted that the file, which is, in fact, an installer, has a valid digital signature (like almost any other file from BackDoor.RatPack).

screen BackDoor.RatPack #drweb

Once launched, the installer scans the system for virtual machines, monitoring programs, and debuggers. Then it initiates a search for online banking applications of several Russian financial organizations. If all the checks are successful, the installer connects to a remote server and downloads and runs another installer in NSIS (Nullsoft Scriptable Install System) format that contains a number of executable files and several password-protected archives. The second installer extracts executable files and runs them.

The installer payload bears a modification of a shareware program called Remote Office Manager—Doctor Web security researchers have detected at least three versions of this program that differ in configuration settings. By intercepting a number of system functions, the malicious program is able to conceal the tool's shortcuts in the Windows taskbar and notification area preventing the user from detecting the program. One can assume that cybercriminals employ BackDoor.RatPack to steal banking information and other confidential data by remotely controlling the compromised machine.

Signatures of all malicious files belonging to BackDoor.RatPack have been added to Dr.Web virus databases, and, therefore, they pose no threat to our users.

More about this threat

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124