Trojan Evolves, Changes Strategies

Monday, June 23, 2014 @ 10:06 AM gHale

Distribution of the ransomware Trojan named Simplocker is on the rise, despite its simplicity and the idea that there are solutions to quickly fix it, researchers said.

Different versions of the Trojan are out hitting various industries, said Robert Lipovsky, malware researcher at ESET, and researchers at Kaspersky Lab.

The new modifications have integrated the command for file decryption, which indicates the victim paid the ransom, Lipovsky said in a blog post. The variants also demand different sums of money, in both Ukrainian hryvnias and Russian rubles.

Only Russians and Ukrainians seem to be the targets of the Trojan right now, but the trend could change since the distribution in the rest of the world has reached 10 percent, according to ESET metrics.

The threat is most prevalent in Russia, where researchers recorded 48 percent of the infections, while Ukraine accounts for 42 percent.

The threat still spreads through social engineering tactics that lure the victim with incentives ranging from adult video content to apps purporting to be popular games.

Apart from this, ESET found a new strategy, which involves a Trojan downloader that the security firm's products identify as Android/TrojanDownloader.FakeApp.

Lipovsky said the analyzed sample tempted the victim into downloading, via an external link, malware masquerading as a video player. This way, the downloader is less likely to be detected by the security mechanisms that verify the items published on Google Play.

This is possible because there are no signs of malicious behavior; opening a link outside the app is common to many other programs and “the downloader has practically no ‘potentially harmful’ application permissions – so even a user who scrutinizes app permissions at installation may allow this one,” Lipovsky said.

Additionally, in the sample checked by the ESET team “the URL contained within the app didn’t point to the malicious Simplocker APK package directly. Instead, the Trojan was served after a redirect from the server under the attacker’s control. This technique is something to watch out for.”
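One way a defender could watch for the redirect-served APK described above, shown as an added example that is not from ESET or the original article: it walks web proxy records and reports APK downloads that were reached only after one or more redirects from a URL that did not itself look like an APK. The record layout, hostnames and sample lines are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

APK_MIME = "application/vnd.android.package-archive"
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed proxy records (assumed layout, not from the article):
# (client, requested URL, HTTP status, Location header, Content-Type)
SAMPLE_LOG = [
    ("10.0.0.5", "http://videos.example/watch?id=7", 302, "http://cdn.example/get?f=1", ""),
    ("10.0.0.5", "http://cdn.example/get?f=1", 302, "http://files.example/player.apk", ""),
    ("10.0.0.5", "http://files.example/player.apk", 200, "", APK_MIME),
    ("10.0.0.9", "http://store.example/app.apk", 200, "", APK_MIME),
    ("10.0.0.7", "http://news.example/a", 301, "/b", ""),
    ("10.0.0.7", "http://news.example/b", 200, "", "text/html"),
]

def is_apk(url, content_type=""):
    """True if the response is an Android package by MIME type or by URL path."""
    mime = content_type.split(";")[0].strip().lower()
    return mime == APK_MIME or urlsplit(url).path.lower().endswith(".apk")

def redirected_apk_downloads(records):
    """Return (client, first_url, final_url, hops) for APKs served after redirects."""
    pending = {}   # (client, next URL) -> URLs already visited in this chain
    findings = []
    for client, url, status, location, ctype in records:
        chain = pending.pop((client, url), []) + [url]
        if status in REDIRECTS and location:
            # Resolve relative Location headers against the redirecting URL.
            pending[(client, urljoin(url, location))] = chain
        elif status == 200 and is_apk(url, ctype):
            # Flag only when the URL the app or user opened hid the APK.
            if len(chain) > 1 and not is_apk(chain[0]):
                findings.append((client, chain[0], url, len(chain) - 1))
    return findings

if __name__ == "__main__":
    for client, first, final, hops in redirected_apk_downloads(SAMPLE_LOG):
        print(f"{client}: {first} -> {final} ({hops} redirects)")
```

A direct APK download (the `10.0.0.9` record) is not reported, since the check targets only the indirection the ESET sample relied on.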
