This time, the malware is digitally signed and is targeting “large corporations” in both Europe and the US, according to a blog post from CSIS Security Group. The researchers noted that its folder and filename are both static and can help indicate a compromised machine.
The malware injects itself into the svchost.exe process, thereby allowing it to maintain a presence in the memory.
Along with new targets, the variant comes with a proprietary protocol, the use of random files and mutexes and a predefined IP address, the blog post stated.
Although this was the first new variant, CSIS documented at least four other strains. It distributed information with “trusted entities” to “eradicate the threat through various security solutions.”