We have seen this threat bundled alongside tools used to crack or generate software keys.
For example, we have seen this threat infect a PC in the following manner:
A user downloads and runs the file <product name>_keygen.exe, for example R_Studio_7_5_Build_156292_Network_Edition_keygen.exe. The file is a self-extracting archive that extracts the following two files into the %TEMP% folder and runs them:
<four numbers>.exe, for example 6597.exe - the actual key generator
<four numbers>.exe, for example 6118.exe - this threat, Trojan:Win32/Gatak.DR
This threat then injects code into a running process, usually explorer.exe, and deletes its own file by running the following command:
The injected code also contains hard-coded URLs to image-sharing websites. The threat downloads a .png file from which it extracts a payload. The following are the two most common URLs we have seen it try to use:
Steganography techniques are used to hide the payload data inside the image file; once extracted and decrypted, the payload yields further URLs for the malware to connect to, including: