Crooks in Russia have found a method much better suited to targeting businesses in their country: they use files specific to a local business accounting application to infect high-value targets and lock their computers with ransomware.

1C is a programming language that lets developers write code using the Cyrillic alphabet and the Russian language. 1C is the core of 1C:Enterprise, a framework for all sorts of business applications aimed at the Russian market.

Russian malware developers used the 1C programming language to create a trojan named 1C.Drop.1, which was specifically crafted to run under local 1C:Enterprise installations.


Infection occurs via email spam

Crooks use email spam to deliver their malicious payload. The emails use the subject line “Our BIC code has been changed,” where BIC stands for Business Identity Code, a common identifier used for financial transactions in Russia and other countries.

Recipients may think that one of their business partners is updating its BIC. Attached to the email is a file named ПроверкаАктуальностиКлассификатораБанков.epf. EPF is one of the file extensions used by 1C:Enterprise software, and recipients might take the attachment for an automatic script that updates their 1C:Enterprise databases.

Running the file shows a popup. Regardless of whether the user clicks the Yes or No button, the 1C.Drop.1 malware executes and displays a loading screen showing two dancing cats, like the image below.
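As an added example (not code from the article or from Dr.Web), here is a small mail-gateway check in Python that flags inbound attachments carrying 1C executable extensions, the delivery vector described above. It builds a constructed message that mimics the lure so that the Cyrillic filename is round-tripped through real RFC 2231 header encoding before being inspected; the placeholder addresses, the dummy attachment body and the inclusion of the .erf extension are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions that a 1C:Enterprise client loads and executes as "external
# processing" (.epf) or "external report" (.erf) objects. The campaign used
# .epf; treating .erf the same way is an assumption of this example.
EXECUTABLE_1C_EXTENSIONS = {".epf", ".erf"}

# Attachment name used by the campaign, as reported in the article.
LURE_FILENAME = "ПроверкаАктуальностиКлассификатораБанков.epf"


def build_sample_eml(filename: str = LURE_FILENAME) -> bytes:
    """Constructed sample that mimics the lure described above.

    Addresses are placeholders and the attachment body is dummy bytes, not a
    real 1C object. Serialising with the SMTP policy forces the Cyrillic
    filename through RFC 2231 encoding, as a mail client would send it.
    """
    msg = EmailMessage()
    msg["From"] = "partner@example.invalid"
    msg["To"] = "accounting@example.invalid"
    msg["Subject"] = "Our BIC code has been changed"
    msg.set_content("Please run the attached update to refresh the bank classifier.")
    msg.add_attachment(b"DUMMY-ATTACHMENT-BODY", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes(policy=policy.SMTP)


def flagged_1c_attachments(raw_message: bytes) -> List[str]:
    """Return the names of attachments that 1C:Enterprise would execute.

    get_filename() decodes RFC 2047/RFC 2231 encoded names, so the check sees
    the same Cyrillic name the recipient would see in their mail client.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        # Compare only the final extension, case-insensitively, so that
        # "update.EPF" or "report.xlsx.epf" are still caught.
        suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if "." + suffix in EXECUTABLE_1C_EXTENSIONS:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(flagged_1c_attachments(build_sample_eml()))
```

A gateway would quarantine any message for which the list is non-empty, since no legitimate partner update arrives as a 1C processing object in unsolicited mail.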

The trojan downloads the ransomware and spreads to other companies

By the time the victim realizes something is wrong, 1C.Drop.1 has already downloaded and installed a ransomware variant named Trojan.Encoder.567. Dr.Web, the security firm that discovered this campaign, says there is no way to decrypt the data without paying the ransom.

Because 1C.Drop.1 is written in 1C, it can connect to the company’s local installation of the 1C:Enterprise software, pilfer the contact list, and start sending malicious spam carrying a copy of the trojan to everyone in the company’s address book.

Dr.Web says 1C.Drop.1 works with the databases of 1C:Enterprise software like Trade Management 11.1, Trade Management (basic) 11.1, Trade Management 11.2, Trade Management (basic) 11.2, Accounting 3.0, Accounting (basic) 3.0, and 1C:Comprehensive Automation 2.0.

[Figure: image shown while 1C.Drop.1 downloads and installs the ransomware]