We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions’ source. It appears they are working on a new malware that — based on how they were coded — is most likely intended to spread through spam emails embedded with malicious attachments. Trend Micro detects this malware as JS_DLOADR and W2KM_DLOADR.
The downloader malware’s payloads (TROJ_SPYSIVIT.A and JAVA_ SPYSIVIT.A) are what make it notable. It delivers a version of the Revisit remote administration tool, which is used to hijack the infected system. More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.
Abusing legitimate remote access tools (and stealing its configurations) is not new. This was
observed in spam campaigns carrying the TeamSpy malware that abuses
TeamViewer to take over affected systems remotely. Nevertheless, the techniques it employs still make it a credible threat — such as the abuse of legitimate application programming interfaces (APIs) and open-source tools such as
Chrome WebDriver and
Microsoft WebDriver.