India-based hackers may have had a hand in creating malware designed exclusively for corporate espionage. The malware appears to have been around for a while, but was only recently discovered by security researchers, who indicate that it may have been operating below the radar in an effort to evade detection.
According to Malwarebytes security researchers, the authors of the malware named it Shakti, after the Indian goddess of power; in Hindi, Shakti roughly translates to power or strength. "It is possible that this tool was designed exclusively for small operations of corporate espionage," the security firm said. The malware appears to have been designed specifically to steal documents.
"Shakti Trojan is very small and it seems to be written solely for the purpose of document stealing. So far we don't have any information suggesting that this attack is widespread. The application is not new, yet it escaped from the radar and hasn't been described so far. Its signature doesn't match any known commodity malware," Malwarebytes added.
How it works
Once deployed, Shakti runs in stealth mode on infected systems, disguising itself as a browser. The malware also deters victims from accessing or removing it by keeping its own file open for reading. Shakti then sends the stolen data to a C&C (command and control) server. "Most of the malware fingerprints a victim system, but rarely are they as precise in recognizing details as this Trojan is. It comes with a long list of Windows versions, including special editions: Cluster Server Edition, Datacenter Edition, Compute Cluster Edition, Advanced Server, and more," said Malwarebytes.
On analysing the malware's code, security researchers found that its hardcoded list of target systems does not include Windows 8 or Windows 10, indicating that the malware may be old. Malwarebytes analysts estimate that, based on "compilation timestamps of the main elements" of Shakti, the Trojan was likely created in 2012.
The C&C domain linked to the Shakti Trojan, web4solution.net, was found to be registered in India. The name of the malware, combined with the C&C registration, indicates that India-based hackers may be behind creating and/or distributing it.
It is still uncertain how many users have been affected by the Shakti malware and how successful it has been in stealing classified corporate data. IBTimes UK has reached out to Malwarebytes for further information and is awaiting its response.