RAA Ransomware and Pony Trojan Virus – the Malicious Pair

It’s not uncommon for malicious content to be bundled with yet more malicious content. The RAA cryptor ransomware virus and the Pony Trojan show that quite well. The ransomware not only encrypts the files on its victim’s PCs, but it also spreads the Trojan.

More Information

RAA ransomware was first spotted in June of this year. It infects the computer through malicious emails. The emails contain malicious JavaScripts. Once they’re clicked, the scripts generate a fake Microsoft Word file. Once this word document is opened, the system will get infected. After that it’s the usual deal:

  • The ransomware scans the system
  • Find important files
  • Encrypts them
  • Drops a ransom note

The whole process aims to lock the computer and extort payment for the key. The interesting thing is that RAA will also drop the Pony Trojan while encrypting. The Pony Trojan is a type of spyware. Its main goal is to find and steal confidential information from infected PC. Information like:

  • Passwords
  • Credentials
  • Accounts

The virus also tries to gain access to accounts and take them over. If an account has a weak password like 123456789 or qwerty, the Trojan will be prepared. It’ll guess them within minutes. The Pony Trojan is pretty durable. The first known case of the virus was in 2011, which would make it five years old know, a ripe old age for a virus.
The Pony Trojan encrypts all data before sending it to the cybercriminals. It uses the RC4 algorithm.

Malware cooperation

This isn’t the first case of cooperation between two malicious software types. Browser hijackers love to spread with the help of PUPs (potentially unwanted programs.) Browser hijackers also collect information, but they aren’t classified as spyware because the user technically agrees to their inclusion by not installing programs carefully.

RAA cryptor and Pony Trojan aren’t the only dirty pair of ransomware and spyware. The famous CryptoWall ransomware virus also included similar Trojan in its encryption process.

Cybercriminals gather on forums and exchange code, ideas, and malicious tools. It’s not surprising that they often combine their code to improve their methods of infection. New “innovations” pop ups every day. A good example would be the Locky DLL trick.

Anti-virus programs can only block known or familiar threats, so ransomware scammers should always update, correct, and scramble their scripts to succeed in infecting. One hacker tried to take advantage of the information sharing on the underground cybercrime community and uploaded malware on tools made to create malware. This hacker or group of hackers was dubbed Pahan.

The end goal of all this is making money, of course. Information is not only power, but it’s also profit. If the crooks learn your passwords with the Pony Trojan, they can do all sorts of damage, like funds embezzlement, and other scams.

Was this content helpful?

Author : Alex Dimchev

Alex Dimchev is a beat writer for Best Security Search. When he's not busy researching cyber-security matters, he enjoys sports and writing about himself in third person.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *