Windows Trojan Targets Russian Crane Manufacturers

By Joseph Lorenz on November 18, 2016

(Source: Doctor Web)

A Windows Trojan dubbed BackDoor.Crane by the security company Doctor Web has been found targeting two major Russian companies that specialize in cranes and auxiliary equipment. When researchers at Doctor Web initially discovered the malware, it seemed to have been stealing confidential data from infected victims for a while.

Once a system is infected, the malware creates a configuration file if one isn’t already present, then loads its modules into the computer’s memory and requests instructions from its Command & Control server. The loaded modules can carry out many activities, such as executing commands in the Command Prompt, downloading files from a specified link, uploading files via FTP or HTTP, and taking screenshots. Some of these modules were used to download Python-based Trojans. One of them, Python.BackDoor.Crane.1, can execute the same commands as BackDoor.Crane but can also get a list of files and folders from a specific path, delete files, terminate processes, copy files, and terminate itself. Another Python Trojan, Python.BackDoor.Crane.2, can open a shell on the infected system.

The attackers left behind an “about” window containing the string “Copyright © 2015”, which suggests this is when the malware could have been developed, but according to researchers at Doctor Web the samples analyzed were compiled in April 2016.