Crooks target Russian enterprises using 1C software

Jun 23, 2016 16:20 GMT  ·  By

Crooks in Russia have found a method of attacking businesses in their country that is far better tailored to its targets: they use files specific to a local business accounting application to infect high-value targets and lock their computers with ransomware.

1C is a programming language that lets developers write code in Russian, using the Cyrillic alphabet. 1C is the core of 1C:Enterprise, a framework for all sorts of business applications aimed at the Russian market.

Russian malware developers used the 1C programming language to create a trojan named 1C.Drop.1, which was specifically crafted to run under local 1C:Enterprise installations.

Infection occurs via email spam

Crooks use email spam to deliver their malicious payload. The emails use the subject line "Our BIC code has been changed," where BIC stands for Business Identity Code, a common ID used for financial transactions in Russia and other countries.

Recipients of the email may think that one of their business partners is updating their BIC. Attached to the email is a file named ПроверкаАктуальностиКлассификатораБанков.epf. EPF is one of the file extensions used by 1C:Enterprise software, and email recipients might think it's an automatic script that updates their 1C:Enterprise databases.

Running the file will show a popup. Regardless of whether the user clicks the Yes or No buttons, the 1C.Drop.1 malware executes and also displays a loading screen showing two cats dancing, like the image below.
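The lure described above has two observable traits at the mail gateway: the fixed subject line and a 1C external processing file (.epf) arriving as an attachment from outside the company. The following is an added example, not code from the article or from Dr.Web, showing how a mail triage script could flag both. The sample messages, the attachment payload bytes and the function names are constructed for this example; the subject text and the .epf filename are the ones the article reports.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article. The subject match is exact and therefore
# weak on its own; the attachment extension check is the more durable signal,
# since 1C processing files should not normally arrive by email from outside.
LURE_SUBJECT = "our bic code has been changed"
PROCESSING_EXTENSIONS = (".epf",)


def build_sample(subject, body, attachment_name, payload=b"not a real 1C file"):
    """Construct a raw RFC 5322 message with one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "partner@example.invalid"      # constructed sender
    msg["To"] = "accounting@example.invalid"     # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # Non-ASCII filenames are RFC 2231 encoded on the wire; the parser below
    # decodes them again, so Cyrillic names are matched correctly.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def attachment_names(msg):
    """Return the decoded filename of every attachment part in the message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def triage_raw(raw_bytes):
    """Return the list of reasons to hold the message; empty means no hit."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject == LURE_SUBJECT:
        reasons.append("subject matches the 1C.Drop.1 lure")
    for name in attachment_names(msg):
        if name.lower().endswith(PROCESSING_EXTENSIONS):
            reasons.append(f"1C external processing file attached: {name}")
    return reasons


if __name__ == "__main__":
    lure = build_sample("Our BIC code has been changed",
                        "Please update the bank classifier.",
                        "ПроверкаАктуальностиКлассификатораБанков.epf")
    for reason in triage_raw(lure):
        print("HOLD:", reason)
    benign = build_sample("Invoice 42", "See attached.", "invoice.pdf")
    print("benign hits:", triage_raw(benign))
```

Matching only the exact subject would miss a reworded campaign, so in practice the attachment rule is the one to keep enabled permanently, with the subject string used as an extra indicator for this specific wave.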

The trojan downloads the ransomware and spreads to other companies

By the time the victim realizes that something is wrong, 1C.Drop.1 has already downloaded and installed a ransomware variant named Trojan.Encoder.567. Dr.Web, the security firm that discovered this campaign, says there's no way to decrypt the data without paying the ransom.

Because 1C.Drop.1 is coded in 1C, it is able to connect to the company's local installation of 1C:Enterprise software, pilfer the contact list and start sending malicious spam with a copy of the trojan to the company's address book.

Dr.Web says 1C.Drop.1 works with the databases of 1C:Enterprise software like Trade Management 11.1, Trade Management (basic) 11.1, Trade Management 11.2, Trade Management (basic) 11.2, Accounting 3.0, Accounting (basic) 3.0, and 1C:Comprehensive Automation 2.0.

Image shown while 1C.Drop.1 downloads and installs the ransomware