Threat Report

Another Ukrainian Financial Software Company Spreading Malware

What Is It?

Ukrainian security firm Information Systems Security Partners (ISSP) discovered a currently unnamed malware distribution campaign that was serving malware from the website of another Ukrainian financial software developer, Crystal Finance Millennium. ISSP suggested that this could be an indication that another large-scale cyberattack is imminent, though the evidence may not support that conclusion.

The BluVector Threat Team obtained a copy of the file док.zip mentioned in the ISSP report. It contains a Word document titled “A contract for the supply of a wholesale lot of goods” along with a malicious JavaScript file. There is clearly a social engineering component to this attack, such as a spam e-mail, since a user must be convinced to open the zip file and then click on the JavaScript file in order to be infected.

The JavaScript is lightly obfuscated and contains a list of three URLs (stored as a reversed array of characters), from which it attempts to download and execute load.exe. The BluVector Threat Team was successful in downloading a sample of this file from one of the URLs (SHA256: 4ced511a7aedfa4fefe0efb5647abf5f2e5628453cab0e19cc07eec2c83a6b5d).
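As an added illustration, not code from the report or from BluVector, the following Python recovers strings hidden with the technique described above, a URL stored as a reversed array of single characters, from a constructed stand-in script. The script, its placeholder hosts and the function names are assumptions made for the example; the real campaign's URLs are not reproduced.

```python
import re
from typing import Dict, List

# Constructed stand-in for the lightly obfuscated downloader described in the
# report: each URL is kept as an array of single characters in reverse order
# and rebuilt at run time. Hosts are placeholders, not real infrastructure.
SAMPLE_JS = r"""
var s1 = ['e','x','e','.','d','a','o','l','/','e','l','p','m','a','x','e','.','a','/','/',':','p','t','t','h'];
var s2 = ['e','x','e','.','d','a','o','l','/','e','l','p','m','a','x','e','.','b','/','/',':','p','t','t','h'];
var s3 = ['e','x','e','.','d','a','o','l','/','e','l','p','m','a','x','e','.','c','/','/',':','p','t','t','h'];
var t  = ['t','c','a','r','t','n','o','c'];
var urls = [s1.reverse().join(''), s2.reverse().join(''), s3.reverse().join('')];
"""

# A JS array literal made only of single-character string elements.
CHAR_ARRAY = re.compile(r"\[\s*(?:'[^'\\]'\s*,\s*)*'[^'\\]'\s*\]")
CHAR = re.compile(r"'([^'\\])'")
URL = re.compile(r"^https?://[\w.-]+(?::\d+)?/[^\s'\"]*$", re.IGNORECASE)


def decode_reversed_arrays(js: str) -> List[str]:
    """Recover every string hidden as a reversed single-character array."""
    found = []
    for m in CHAR_ARRAY.finditer(js):
        chars = CHAR.findall(m.group(0))
        found.append("".join(reversed(chars)))
    return found


def extract_download_urls(js: str) -> List[str]:
    """Keep only the decoded strings that look like URLs, in script order."""
    return [s for s in decode_reversed_arrays(js) if URL.match(s)]


def triage(js: str) -> Dict[str, object]:
    """Summarise the indicators an analyst would pull from such a downloader."""
    urls = extract_download_urls(js)
    payloads = sorted({u.rsplit("/", 1)[-1] for u in urls})
    return {
        "url_count": len(urls),
        "urls": urls,
        "payload_names": payloads,
        "fetches_executable": any(p.lower().endswith(".exe") for p in payloads),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The decoded URLs and payload name are what would be fed into blocklists or network detections; the decoy array decodes to a non-URL string and is dropped by the URL filter.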

The load.exe sample is a banking Trojan that is also capable of downloading other files, logging keystrokes and communicating with a C2 (Command & Control) host.

How Does It Propagate?

The malware spreads through a spam campaign that must convince the user to open the attached zip file and click on the malicious JavaScript downloader. Unlike the recent NotPetya, the load.exe malware does not contain any capability to self-propagate.

When/How Did BluVector Detect It?

The Trojan load.exe is identified as malicious by BluVector’s machine learning malware detection engine. Regression testing has shown this Trojan would have been detected by BluVector more than two years ago.
