Unicorn: Hidden Foe of Russian Energy

In September, a new Trojan called Unicorn was used in a series of attacks on Russian energy companies, as reported by Kaspersky Lab. The main aim of this malicious code is to steal confidential information from enterprises, including factories, suppliers, and developers of electronic components. Unicorn stands out from similar threats because it remains active after the initial data theft, which makes it more dangerous to the targeted organizations.

The Trojan is distributed through malicious emails with investment-related content or links to files on Yandex.Disk. The attackers use a RAR archive containing a file disguised as a PDF by means of a double extension, PDF followed by LNK. Opening the shortcut downloads and runs a file masquerading as a PDF that is in fact an HTML application. When it executes, a VBS script creates two files, update.VBS and upgrade.VBS, and modifies the Windows registry so that the malicious components run automatically and data is encrypted.
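The lure described above relies on the victim seeing a document extension while Windows acts on the final shortcut or script extension. The following added example (not code from the article or from Kaspersky) shows a defender-side triage check over a constructed archive listing: it flags names where a document-like extension masks an executable or shortcut extension, handles the upper-case and whitespace-padding variants of the same trick, and flags bare HTA/VBS attachments as well.

```python
"""Flag deceptive attachment names such as 'report.pdf.lnk' (added example, constructed data)."""

# Extensions the victim is meant to see (the lure).
LURE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf", "jpg", "png", "zip", "rar"}
# Extensions Windows actually resolves or executes (the real payload type).
EXEC_EXTS = {"lnk", "hta", "vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "cmd", "bat"}


def classify_name(name: str) -> dict:
    """Return a verdict dict for one attachment or archive member name."""
    # Normalise case and strip whitespace padding: '.PDF.LNK' and
    # 'photo.jpg      .vbs' are the same trick as 'photo.jpg.vbs'.
    parts = [p.strip() for p in name.lower().split(".")]
    real_ext = parts[-1] if len(parts) > 1 else ""
    lure_ext = parts[-2] if len(parts) > 2 else ""
    verdict = {"name": name, "real_ext": real_ext, "lure_ext": lure_ext,
               "suspicious": False, "reason": ""}
    if real_ext in EXEC_EXTS and lure_ext in LURE_EXTS:
        verdict.update(suspicious=True,
                       reason="document extension masking an executable/shortcut extension")
    elif real_ext in EXEC_EXTS:
        verdict.update(suspicious=True, reason="executable/shortcut attachment")
    return verdict


def triage_archive(members) -> list:
    """Return only the suspicious verdicts for a list of member names."""
    return [v for v in map(classify_name, members) if v["suspicious"]]


# Constructed archive listing for demonstration; these are not real indicators.
SAMPLE_MEMBERS = [
    "investment_proposal.pdf",
    "investment_proposal.PDF.LNK",
    "photo.jpg                                   .vbs",
    "data.tar.gz",
    "loader.hta",
]

if __name__ == "__main__":
    for v in triage_archive(SAMPLE_MEMBERS):
        print(f"{v['name']!r}: {v['reason']}")
```

The same check can be applied to mail-gateway attachment names before the archive is ever opened on an endpoint.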

When update.VBS runs, it creates a designated folder on the user's computer into which selected files are copied. Unicorn specifically targets files with the extensions TXT, PDF, DOC, DOCX, XLS, XLSX, PNG, RTF, JPG, ZIP, and RAR, with a size exceeding 50 MB. Subsequently, upgrade.VBS sends these files to the attackers' server and records the names and modification dates of the copied files, so that the same data is not transmitted twice.

This Trojan’s notable feature is its persistence in data collection even after the initial breach. According to Kaspersky Laboratory, these attacks can result in significant losses as the malicious program continuously sends information to the perpetrators until mitigation measures are implemented.
