Security researchers uncovered the Rurktar Malware family, a compendium of several virus strains that are currently being developed. As the security analysis is still ongoing we expect to see hacker attacks using the Rurktar malware in the coming weeks.
Rurktar Malware – A New Threat to Watch out For
Security researchers uncovered a new computer virus that does not seem to originate from any of the known threats. The captured samples appear to be part of a new malicious collection known as the Rurktar malware. According to the available information it is still under active development by the hacker collective behind it.
The preliminary analysis shows that the perpetrators behind the virus may be from Russia or a Russian-speaking country as some of the internal error messages are written in the Slavic language. Furthermore the IP addresses used to host the hacker-controlled command and control (C&C) servers are located in Russia. It is possible that they serve as a decoy or a gateway or a Russian team is merely testing the new malware.
The specialists identified that a shared Dropbox folder is used as the working directory. This reveals the fact that several scenarios can be utilized:
- Group Collaboration – In this case a criminal collective works on the virus remotely using the Dropbox service as a version control system.
- Dropbox Folder Used As a Backup – The hacker or criminals behind the malware may have shared the folder by mistake which is used as a backup archive for the temporary files.
- Intentional Leak – Another option to consider is the possibility of having the Rurktar malware samples posted to deliberately raise attention to the malware family.
Rurktar Malware Potential Capabilities
The captured Rurktar malware samples allow the engine to perform a limited set of sensitive data extraction, having access to the system hard information and some configuration settings. Notable features include the ability to check network connections and scan the local area network for other hosts. The following types of data are collected by the malware engine:
usernames, computer name, operating system, UUID partitions list, hardware components an the currently running processes.
Several surveillance options are also available for the hackers – the ability to take screenshots of the machines and extract files of choice to the hacker servers. Modification of files is possible as a data deletion function has been identified in the collected samples. The hackers have also devised a list of future capabilities outlined in the source code. They have not been developed yet and are probably under active development at the time of writing this article. The list includes the ability to capture live video of the users interaction that is transmitted over the Internet to the hackers, detection of security tools, monitoring specific files for changes and reconfiguring web browser and system settings.
We suspect that the hackers are trying to turn the Rurktar malware family into a potent Trojan as they usually contain such traits. The analysis shows that it is likely that evolved versions will be able to attain a persistent state of execution – an advanced operation mode which actively prevents the virus removal by manual means. Current versions of the Rurktar malware use the classic approach of creating a malicious instance that is started as a Windows service every time the computer is powered on.
Computer users can use a quality anti-malware tool to remove active infections and protect their computers.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: