How It Works

The malware gets run when the user opens the attached file and attempts to open the PDF it contains. The malware takes advantage of Windows’ default behavior of hiding the extension from file names to disguise the real .EXE extension of the malicious file.

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file’s content with the AES algorithm, using that key. Then, it encrypts the random key using an asymmetric public-private key encryption algorithm (RSA) and keys of over 1024 bits (we’ve seen samples that used 2048-bit keys), and adds it to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, as the computer files are overwritten, it is impossible to retrieve them using forensic methods.

As soon as the victim runs it, the malware goes memory resident on the computer and takes the following actions:

  • Saves itself to a folder in the user’s profile (AppData, LocalAppData).
  • Adds a key to the registry to make sure it runs every time the computer starts up.
  • Spawns two processes of itself: One is the main process, whereas the other aims to protect the main process against termination.
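The persistence step above (a Run value pointing at a copy of the malware under AppData or LocalAppData) is something a defender can check for directly. The following Python snippet is an added example, not code from the original article: it scores HKCU Run entries by whether the launched executable lives inside a user-profile data folder. The registry entries in `SAMPLE_RUN_VALUES` are constructed for illustration; the `read_run_values` helper, which uses the standard-library `winreg` module, only works when run on Windows.

```python
import re
import sys

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values
# as (value name, command line) pairs. Made-up data for illustration only.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("SecurityScan", r'"C:\Users\alice\AppData\Roaming\msvcrt.exe"'),
    ("Updater", r'C:\Users\alice\AppData\Local\Temp\svchost.exe -k'),
    ("Intel Graphics", r'C:\Windows\System32\igfxtray.exe'),
]

# Matches paths under %AppData% (Roaming) or %LocalAppData% (Local) of any user.
PROFILE_DATA_DIRS = re.compile(
    r'\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\', re.IGNORECASE
)


def extract_exe_path(command):
    """Return the executable path from a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def flag_suspicious_run_values(entries):
    """Return (value name, exe path) for every entry whose executable lives
    under AppData or LocalAppData, the locations the article describes."""
    flagged = []
    for name, command in entries:
        path = extract_exe_path(command)
        if PROFILE_DATA_DIRS.search(path):
            flagged.append((name, path))
    return flagged


def read_run_values():
    """Read the live HKCU Run key (Windows only). Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows
    entries = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    entries = read_run_values() or SAMPLE_RUN_VALUES
    for name, path in flag_suspicious_run_values(entries):
        print(f"suspicious Run value {name!r} -> {path}")
```

A hit is not proof of infection (some legitimate updaters install themselves under AppData), but a Run value that launches an executable from a user-writable profile folder deserves a closer look, as does a pair of identical processes where one restarts the other when it is killed.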

This malware usually spreads via email by using social engineering techniques. Therefore, our recommendations are:

  • Be particularly wary of emails from senders you don’t know, especially those with attached files. This is the prime way this type of malware spreads. Usually the virus payload hides in an attachment to a phishing message, one purporting to be from a business copier like Xerox that is delivering a PDF of a scanned image, from a major delivery service like UPS or FedEx offering tracking information, or from a bank letter confirming a wire or money transfer.
  • If you don’t know the sender or are not expecting an email with an attachment from a sender, delete the email without opening it.
  • Disabling hidden file extensions in Windows will also help recognize this type of attack.
  • We’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but by hardware problems or any other incidents as well. If you store files on your personal PC as well as on the server, you may want to back up the PC files to a USB thumb drive or an external USB device.
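The hidden-extension trick mentioned in the "How It Works" paragraph and in the recommendation above can be illustrated in code. The following Python snippet is an added example, not part of the original article: it shows what Windows Explorer displays for a file name when "Hide extensions for known file types" is on (the final extension is dropped), and classifies attachment names so that an executable wearing a document-looking inner extension stands out. The attachment names in `SAMPLE_ATTACHMENTS` are constructed for illustration, and the extension sets are an assumption chosen for the example.

```python
import os

# Extensions Windows will execute directly (assumed set for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a user expects on an ordinary attachment (assumed set for this example).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Constructed attachment names modelled on the lures the article describes.
SAMPLE_ATTACHMENTS = [
    "Scan_Xerox_0012.pdf.exe",            # shown as Scan_Xerox_0012.pdf
    "UPS_Tracking_1Z999.pdf",             # a real PDF
    "WireTransfer_Confirmation.doc.scr",  # shown as WireTransfer_Confirmation.doc
    "setup.exe",                          # plainly an executable
    "notes.txt",
]


def displayed_name(filename):
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the last extension is hidden, so 'report.pdf.exe' appears as 'report.pdf'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def classify_attachment(filename):
    """Classify by the real (last) extension and the extension just before it.
    'disguised-executable' means an executable whose displayed name looks like a document."""
    stem, real_ext = os.path.splitext(filename)
    real_ext = real_ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()
    if real_ext in EXECUTABLE_EXTS:
        return "disguised-executable" if inner_ext in DOCUMENT_EXTS else "executable"
    if real_ext in DOCUMENT_EXTS:
        return "document"
    return "other"


def triage(filenames):
    """Return (real name, displayed name, classification) for each attachment."""
    return [(name, displayed_name(name), classify_attachment(name)) for name in filenames]


if __name__ == "__main__":
    for real, shown, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{shown:40} (actually {real}) -> {verdict}")
```

With extensions hidden, the first and third samples appear as `Scan_Xerox_0012.pdf` and `WireTransfer_Confirmation.doc` in Explorer and in most mail clients' attachment previews, which is exactly why turning the hidden-extension setting off (or enforcing it by policy) makes this lure easier for users to spot.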