VERY IMPORTANT

Attacks involving this Trojan have been noted since February 2017 but peaked in late May. Gets confirmation, and then—addresses of two servers. The first one is used to receive a list of logins and passwords, the second one—for operation of the SOCKS proxy server. Interaction with these servers is performed in two different threads.