A new malware named Shakti Trojan has been unearthed. According to the security experts the malware has been developed by Indian hackers and has escaped the security radar for quite some time thus avoiding detection. The malware has been named after the Indian goddess Shakti who symbolises power and energy. The purpose of the malware has been delineated as “Corporate espionage”. As per security experts, the trojan is small and seems to have been written solely for the purpose of document stealing in corporate sector.

How Shakti Trojan works

Stage 1

Upon infecting the device, the malware self configures for an automatic start during login by making an entry in the Windows registry. It then injects itself stealthily into a process that is running; mostly the web browser. It disguises itself as a browser and can be seen in the “Task Manager” window under “Processes” section.

Stage 2

The malware then starts establishing contact with Command & Control (C&C) server. It uses Windows Messaging Queuing Protocol (WMQP) over HTTP to communicate with Command & Control server. The C&C server is presently located at web4solution.net which is registered in India. The initial messages sent by the Trojan are the basic computer details including Victim’s computer name, version of Windows, username, Service pack and a list of programs found underHKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall registry key.

Stage 3

After initial contact is established the malware starts scanning the computer’s hard drive starting with the desktop. It only looks out for the files with following extensions TXT,XLS, PPT, PPTX, INP, PDF, SQL, RTF, DOC, DOCX, XLSX. All files detected with these extensions are then uploaded to Command & Control Server. It is based on the targeted files that experts have pointed out to a very high probability that the malware was created specially for corporate espionage.

Cyware Publisher