
Banking Trojans Return to the Spotlight


Written By
Sue Poremba
Jun 30, 2014

It’s been a while since I’ve talked about banking Trojans, but it appears that a wave of new Trojans has cropped up in recent weeks.

Researchers at PhishMe announced that they have uncovered a Trojan called Dyre, which was designed to bypass SSL security in order to steal banking data. The malware is delivered through phishing emails with subject headings involving financial transactions like invoices and tax payments. According to eSecurity Planet:

The emails contain links to files on LogMeIn’s Cubby.com file storage service. “Since Dropbox has been quick to block phishing links, the attackers needed a new legitimate service,” noted PhishMe’s Ronnie Tokazowski.

Click on the link in the email, and you’ll download a zip file. Open the zip file, and it installs the malware, which monitors all of the victim’s browser traffic, including SSL traffic, with the aim of stealing and uploading online banking login credentials.

A Dark Reading article stated that Dyre appears to be the origin of a new banking malware family, meaning it is unrelated to Zeus. However, Zeus’ lineage is still causing trouble. Another new form of malware, dubbed Zberp, was discovered by Trusteer. Zberp combines features from both Zeus and Carberp, which gives it wide-ranging features. According to PC World:

It can gather information about infected computers including their IP addresses and names; take screen shots and upload them to a remote server; steal FTP and POP3 credentials, SSL certificates and information inputted into Web forms; hijack browsing sessions and insert rogue content into opened websites, and initiate rogue remote desktop connections using the VNC and RDP protocols.

Finally, Kaspersky Lab reported a new financial attack that is wreaking havoc on a European bank, stealing a half million Euros in a week. According to Securelist, the banking fraud, called Luuuk, uses a Man in the Browser campaign to intercept the banking data. ZDNet further explains the Luuuk Trojan:

Most of the victims are located in Italy and Turkey, and according to log files that included events from bots reporting to a command and control (C&C) web panel, sums stolen from each bank account ranged from 1,700 to 39,000 euros. The team says it is likely thefts were managed automatically, and fraudulent transactions were carried out as victims logged into their online bank accounts.

ZDNet added that the origin of the Trojan is unclear. It may be a brand-new strain or it might be a modified piece of malware—no one is quite sure:

The reason for the confusion is simple: Two days after Kaspersky discovered the C&C server, “every shred of evidence” that could have been used to trace the campaign was removed by the cybercriminals. However, this is believed to have taken place due to changes in technical infrastructure used within the campaign rather than as a signal criminal activities were over.

It’s not like banking Trojans had disappeared, but with all of the other security breaches and threats that have happened in the past year, the malware has been traveling a bit under the radar. These three Trojans are just the latest banking malware to surface. Certainly more banking-focused malware exists out in the wild, but perhaps it’s time we return our focus to these types of online frauds.


Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
