A new Hidden-Tear ransomware impersonates a PokemonGo application for Windows and targets Arabic victims. These features include a backdoor Windows account, spreading the executable to other drives, and creating network shares. It also appears that the developer isn’t done yet as the source code contains many indications that this is a development version. IT security experts from ESET and Tripwire commented below.
Mark James, Security Specialist at ESET:
“As with most projects or events that generate so much interest in the IT world, it’s inevitable that malware will soon follow, often tailored to help, mimic or guide you. The whole PokemonGo phenomenon was of course going to be no different; people will want to play it on all platforms, IOS, Android and their desktop systems. This particular piece of malware is a little different though, it not only wants to infect you with ransomware, it appears to have a hidden agenda, most ransomware deletes itself once the job is done, but this particular piece of malware goes a little further by installing a hidden user account with admin privileges, that could enable someone at a later date to remotely connect back to the infected computer and perform other malicious tasks.
It’s currently targeted at Arabic victims but could easily be adapted for global use and we could see it modified and spread in other countries. Malware is constantly changing and the need to have a good multi-layered regular updating internet security product is a must these days if you want to keep safe. Keep your operating system and applications updated and on the latest versions and make sure you have some kind of backup to protect any data you can’t afford to lose. Ransomware these days is a very real threat and having a good backup solution will enable you to restore your data easily and quickly and not succumb to funding criminal activity by paying the ransom.”
Travis Smith, Senior Security Research Engineer at Tripwire:
“Fans of the Pokemon Go game are eager to catch them all, but must be weary of catching malware. While the malware is not fully production code, it highlights the intent of some malware creators to capitalize on the Pokemon Go craze. Users looking for Pokemon should be wary of any third party applications or services looking to assist your search.
The fact that the malware is creating users is a new ransomware development. It’s unclear if the intent is to maintain persistence or be an indicator to avoid multiple infections of the same box. Either way, it’s clear the ransomware is looking to spread itself to network shares and removable drives to both spread infection and potentially cripple backups; the primary recovery method for ransomware.”