We recently came across reports that a hacker group had detected a backdoor capable of monitoring online activities and of recording calls made on Skype. Apart from its routines, it also garnered media attention because of claims that the backdoor may be used by German law enforcement authorities.
The malware, which we detect as BKDR_R2D2.A, is named after the string “R2D2” found in its code:
Based on our analysis, this malware is capable of doing the following:
- Listen in on chat conversations in applications such as Skype, Yahoo! Messenger, MSN Messenger, and SipGate x-lite.
- Record audio calls made on Skype.
- Monitor Web browsing activity in SeaMonkey, Navigator, Opera, Internet Explorer, and Mozilla Firefox.
- Take screenshots of the infected system.
The list below shows the programs it monitors and injects itself into.
This backdoor also receives commands from a remote site and is capable of installing component files; of retrieving system information; of downloading, uploading, and executing programs; and of uninstalling itself. Because it communicates with a remote IP address to receive commands from a remote user, whoever controls that address can take total control of infected systems.
Nothing in the malware code ties it to any government. However, we have seen reports that the Bavarian Minister of Interior Affairs, Joachim Herrmann (CSU), has confirmed that the malware was created by the Bavarian police.
Regardless of who created it, R2D2 remains an information-stealing tool, so we consider it of utmost importance that users are protected against this intrusion into their privacy. Now that the details have been released to the public, it is highly likely that this tool will end up in cybercriminals’ hands for more sinister purposes. Trend Micro detects R2D2 as BKDR_R2D2.A and its component file as RTKT_R2D2.A.