Kronos: A new Banking Trojan for sale in Underground forums

Researchers from Trusteer have discovered a new banking Trojan, dubbed "Kronos", that is being sold on an underground forum.

The malware is being sold for $7,000, and the cybercriminals are offering a one-week trial for $1,000 with full, unrestricted access to the command and control server.

Like other banking Trojans, this new malware is also capable of form grabbing and HTML injection.

Kronos has user-mode (ring 3) rootkit capabilities that help it defend itself against other malware, and it works on both 32-bit and 64-bit operating systems.

It is also designed to evade antivirus software and bypass sandboxes. The malware uses encryption to communicate with its C&C server.

Trusteer said it has not yet analyzed a sample of the malware to validate the seller's claims; all the information provided is based on the advertisement in the underground forum.

9 charged for stealing millions of dollars with Zeus Malware

The Zeus malware is one of the most damaging pieces of financial malware; it has helped its operators infect thousands of business computers and capture passwords, account numbers and other information needed to log into online banking accounts.

The U.S. Department of Justice has unsealed charges against nine alleged cybercriminals for distributing the notorious Zeus malware to steal millions of dollars from bank accounts.

Vyacheslav Igorevich Penchukov, Ivan Viktorvich Klepikov, Alexey Dmitrievich Bron, Alexey Tikonov, Yevhen Kulibaba, Yuriy Konovalenko and John Does are charged with devising and executing a scheme and artifice to defraud Bank of America, First Federal Savings Bank, First National Bank of Omaha, Key Bank, Salisbury Bank & Trust, Union Bank and Trust, and United Bankshares Corporation, all of which were depository institutions insured by the Federal Deposit Insurance Corporation.

They are also accused of using Zeus, or Zbot, computer intrusion, malicious software and fraud to steal or attempt to steal millions of dollars from several bank accounts in the United States and elsewhere.

It has also been reported that the defendants and their co-conspirators infected thousands of business computers with software that captured passwords, account numbers and other information necessary to log into online banking accounts, and then used the captured information to steal millions of dollars from the account-holding victims' bank accounts.

Account-holding victims include Bullitt County Fiscal Court, Doll Distributing, Franciscan Sisters of Chicago, Husker Ag, LLC, Parago, Inc., Town of Egremont, and United Dairy...

They have also been given notice by the United States of America that, upon conviction of any defendant, a money judgment may be imposed on that defendant equal to the total value of the property subject to forfeiture, which is at least $70,000,000.00.

The United States of America has also requested that trial of the case be held at Lincoln, Nebraska, pursuant to the rules of this Court. The Metropolitan Police Service in the U.K., the National Police of the Netherlands’ National High Tech Crime Unit and the Security Service of Ukraine are assisting the investigation.

YouTube ads serve Banking Trojan Caphaw

The number of malvertising attacks appears to be increasing day by day, and even top websites fall victim to them; YouTube is the latest popular site affected by malicious ads.

Security experts from Bromium have discovered that cybercriminals were distributing malware via YouTube ads.

According to the researchers, the malicious ads attempt to exploit vulnerabilities in outdated Java installations. The ad loads a different malicious JAR file depending on the installed Java version, to ensure the exploit is compatible with it.

The exploit kit used in this attack, "Styx Exploit Kit", is the same one cybercriminals used to infect users of toy maker

If the user's machine has vulnerable plugins, the kit exploits the vulnerability and drops a banking Trojan known as "Caphaw". The researchers say they are working with Google's security team.

Corkow, a Banking Trojan which has interest in Bitcoins and Android developers

Security researchers at ESET have found that the infection rate of the lesser-known Russian banking Trojan "Corkow" is increasing.

According to WeLiveSecurity, the Corkow trojan allows attackers to load different plug-ins to extend its capabilities.

Like other trojans, it is capable of keystroke logging, screenshot grabbing, web injection and form grabbing to trick victims into handing their financial data over to cybercriminals.

In addition to the usual banking trojan features, it also gives attackers remote access to the infected machine and installs Pony, a universal password stealer.

The malware is also capable of collecting the browser history, the list of installed applications and the processes running on the infected machine.

The malware appears to have an interest in websites and software related to Bitcoin, and in systems belonging to Android developers who publish apps on Google Play.

Once a system is infected, the malware's payload is encrypted using the volume serial number of the C: drive, so that if it is executed on a computer other than the one it initially infected it behaves innocuously; this is an attempt to make analysis of the malware difficult.

ESET is expected to release a more detailed technical examination of this malware next week.

Source code of notorious Banking Trojan Carberp leaked

Carberp is a notorious banking trojan designed to steal online banking login details and other financial information from users.

The source code for Carberp has reportedly been leaked. A password-protected archive containing the source code appeared online a few days ago.

At the time, researchers were not able to confirm whether the leak was genuine. Today, researchers confirmed the leak after the password was posted on one of the underground forums.

Image Credits: Touch My Malware

CSIS reports that they have downloaded a package that includes the "Carberp bootkit along with other source codes for what seems to be e.g. Stone bootkit, Citadel, Ursnif etc."

"By these leaks, malware will change drastically; we can expect a new merge of malicious functions, more sophisticated botnets, and unpredicted or unexpected vectors of attack coming after this, like new variants of APT adopting these codes, or cred. stealers from Asia, or else..", the MalwareMustDie Team told EHN.

Accused SpyEye Virus creator extradited from Thailand to US

An Algerian man believed to be the creator of the infamous banking Trojan "SpyEye" has been extradited from Thailand to the United States to face charges.

Hamza Bendelladj, 24, also known as Bx1, will face charges for allegedly playing a role in developing, marketing, distributing and controlling the SpyEye virus, according to the FBI.

SpyEye is a banking Trojan (similar to Zeus) that steals confidential personal and financial data such as online banking credentials and credit card information.

He was arrested at Suvarnabhumi Airport in Bangkok, Thailand, on January 5, while in transit from Malaysia to Egypt.

If convicted, he will face a maximum sentence of up to 30 years in prison for conspiracy to commit wire and bank fraud; up to 20 years for each wire fraud count; up to five years for conspiracy to commit computer fraud; up to five or 10 years for each count of computer fraud; and fines of up to $14 million.

Cybercriminals behind Carberp Trojan arrested in Ukraine

The alleged masterminds behind Carberp, one of the most notorious banking Trojans, which has stolen millions of dollars, have been arrested in Ukraine along with its developers.

Carberp is a banking Trojan that first appeared in 2010 and started out as private malware used by a single group. In 2011 the gang sold the malware's builder, a tool used to customize the Trojan, for $10,000 to a limited number of customers.

A 28-year-old Russian, the alleged leader of the group, was arrested along with about 20 individuals aged between 25 and 30.

According to a Kommersant Ukraine report, the cybercriminal ring is responsible for stealing more than $250 million in Ukraine and Russia alone.

#Eurograbber Campaign - Trojan steals $47 Million from 30k European Bank accounts

Eurograbber Banking Trojan

A highly sophisticated cybercriminal campaign, dubbed "Eurograbber", enabled criminals to steal more than $47 million (€36 million) from more than 30,000 corporate and individual bank accounts across Europe.

The finding comes from a case study published by security firm Check Point and online fraud prevention provider Versafe.

According to the case study, the attack began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland.

The campaign starts when a victim unknowingly clicks a malicious link in a spam email, or possibly during general web surfing. Clicking the link directs them to a site that attempts to drop the banking Trojan, malware that steals bank login credentials.

The next time the victim logs in to their bank account, the Trojan intercepts the session and displays a fake banking page that informs the customer of a "security upgrade" and instructs them how to proceed.

The page asks the user to enter their smartphone OS and phone number. Once the victim has given the phone details, Eurograbber sends an SMS with a link to fake "encryption software", which is in fact the "Zeus in the mobile" (ZITMO) Trojan.

Once Eurograbber is installed on both the victim's PC and smartphone, the Trojan lies dormant until the next time the customer accesses their bank account. When the victim logs in, it immediately transfers the victim's money to the criminals' account.

The Trojan then intercepts the confirmation text message sent by the bank and forwards it to the C&C server via a relay phone number. The server uses the message to confirm the transaction and withdraw the money.

Citadel Trojan is going off the Open Market

A spokesperson for the minds behind the Citadel Trojan said recently on an underground forum that the malware would no longer be publicly available, according to RSA.

According to RSA’s FraudAction Research Labs, a spokesperson for the creators of the Citadel Trojan declared on an underground forum after the recent release of the Trojan’s latest version (v1.3.4.5) that the software would no longer be publicly available and only existing customers would be able to receive upgrades.

Others who wish to purchase a new kit would have to get an existing customer to vouch for them. It remains to be seen if the developers will actually pull it off digital shelves, a spokesperson for EMC’s RSA security division told eWEEK July 2.

"While this could be a marketing stunt designed to create urgency and generate more sales, Citadel’s developers could also be seeing the need to slow down sales," RSA blog post reads.

“By selling less, they can keep the Trojan from being all too widely spread, which will invariably lead to more sampling and research and cause them the need to rework its evasion mechanisms. Additionally, more customers also means more support, more underground buzz, and eventually—as with Zeus, SpyEye, and Carberp—more cyber-crime arrests linked with using Citadel.”

Citadel is built on the source code of the notorious Zeus Trojan typically linked to the theft of banking credentials and fraud. In May, the Internet Crime Complaint Center (IC3), a multi-agency task force consisting of the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance, warned that the Citadel platform was being used to deliver ransomware known as Reveton.

Today, Citadel is the most advanced crimeware tool money can buy, RSA said. It sells for $2,500, and attackers can also purchase plug-ins for an average of $1,000 each.

"Malware developers working on criminal-popular projects like Citadel rightfully fear law enforcement. Their actions of developing, supporting and selling advanced crimeware makes them an accessory to the crimes which can easily get them indicted alongside their botmaster customers. The more popular the banking Trojan becomes, the more banks and merchants push to have its developers and bot masters behind bars."

"Looking to the surrounding cybercrime arena, history proves that malware coders know when to leave the room. To date, developers of popular Trojans like Zeus’ Slavik, SpyEye’s Gribodemon, and Ice IX’s GSS have never been arrested and we are seeing the Citadel’s team already taking measures to go deeper underground for their own safety."

Russian cops arrest 8 in notorious Carberp Banking Trojan case

Russian police have arrested eight individuals in Moscow on suspicion of making millions through electronic banking fraud with the banking trojan known as 'Carberp'. The arrested suspects include two unnamed brothers, aged 29 and 32, whom Russian police believe to be the ringleaders of the gang.

According to the MVD statement, the hackers made more than 60 million roubles (£1.3m) with their trojan. Apparently, the hackers rented an office in Moscow, posing as a legitimate IT company.

"Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialised banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection," said Ilya Sachkov, CEO of Group-IB, a security firm that helped investigate the gang's attacks.

During raids on the suspects' homes and office, police recovered numerous ATM cards, forged documents and 7.5 million roubles (about £162,000) in cash.

The suspects face charges for various offences including 'illegal access to computer information', 'malware distribution' and theft. If convicted, they face charges punishable by 10 years in prison.

Trojan Neloweg operates similar to Zeus and steals Bank details

Symantec researchers are currently tracking a banking Trojan called Trojan.Neloweg. According to their research, the threat has been localized to Europe. The Trojan steals the login credentials of infected users, including banking data.

Neloweg operates similarly to the notorious banking Trojan Zeus. Like Zeus, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Trojan.Neloweg stores this configuration on a malicious web server.

Once a particular banking page has been matched, Trojan.Neloweg covers part of the page in white using a hidden DIV tag and executes custom JavaScript located on the malicious server.

Neloweg infection

The infected system's browser can function like a bot and accept commands. It can process the content of the current page, redirect the user, halt the loading of particular pages, steal passwords, run executables, and even kill itself. Unfortunately the kill function is a bit excessive and deletes critical system files, which in turn prevents users from logging in properly.

New Variant of Zeus Malware "Game Over" delivered via Phishing Emails

A spam email purporting to come from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank or the Federal Deposit Insurance Corporation (FDIC) claims there is a problem with your recent transaction. If the recipient needs help, the mail asks them to visit a link, which leads to a phishing page. Once the recipient visits the link, the page downloads the "Game Over" malware and infects the victim's system without their knowledge.

The malware is a newer variant of ZeuS that steals your confidential banking data. Not only does it steal data, it also turns your computer into a botnet slave, which can be used to attack websites with distributed denial of service (DDoS).
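The lure described above relies on a display name that claims to be NACHA, the Federal Reserve or the FDIC while the actual sender address and the embedded link point elsewhere. As an added example (not from the FBI report or any vendor), the following mail-filter check parses a message, notes which of those institutions the From name or Subject claims, and reports any sender domain or link host that does not belong to that institution. The legitimate domains nacha.org, fdic.gov and federalreserve.gov are real; the two sample messages, with their `.invalid` hosts, are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Institutions impersonated in this campaign and the domains they actually use
IMPERSONATED = {
    "nacha": {"nacha.org"},
    "fdic": {"fdic.gov"},
    "federal reserve": {"federalreserve.gov"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def message_text(msg):
    """Concatenate the text parts of a message (handles multipart mail)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )


def check_message(raw):
    """Return a list of mismatch findings; an empty list means no claim/host conflict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    claim_text = (name + " " + msg.get("Subject", "")).lower()
    claimed = [inst for inst in IMPERSONATED if inst in claim_text]
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    links = URL_RE.findall(message_text(msg))

    findings = []
    for inst in claimed:
        legit = IMPERSONATED[inst]
        if not host_in(sender_domain, legit):
            findings.append(f"sender domain {sender_domain} does not belong to {inst}")
        for url in links:
            host = urlparse(url).hostname
            if not host_in(host, legit):
                findings.append(f"link host {host} does not belong to {inst}")
    return findings


# Constructed sample: the kind of lure described in the article
PHISHING_SAMPLE = """From: "NACHA - The Electronic Payments Association" <alerts@nacha-notice.invalid>
To: accounts@victim.example
Subject: ACH transaction rejected

Your recent ACH transaction was cancelled by the receiving bank.
Please review the transaction report at
http://secure-nacha-report.invalid/transaction/report.html
"""

# Constructed sample: a message whose claim and hosts agree
LEGIT_SAMPLE = """From: "NACHA Member Services" <info@nacha.org>
To: accounts@victim.example
Subject: Monthly newsletter

Read this month's newsletter at https://www.nacha.org/news
"""

if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, "->", check_message(raw) or "no findings")
```

A message that passes this check is not proven genuine (a real NACHA mail may legitimately link to a third-party site, and a phisher can omit the institution's name from the display name), so it is a triage signal to combine with SPF/DKIM results and URL reputation, not a verdict on its own.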

According to the FBI report, the attackers used the stolen bank information to purchase precious stones and expensive watches from high-end jewelry stores.

"The criminals contact these jewelry stores, tell them what they’d like to buy, and promise they will wire the money the next day. So the next day, a person involved in the money laundering aspect of the crime—called a “money mule”—comes into the store to pick up the merchandise. After verifying that the money is in the store’s account, the jewelry is turned over to the mule, who then gives the items to the organizers of the scheme or converts them for cash and uses money transfer services to launder the funds," the report says.

The FBI sees an increasing number of unsuspecting mules, hired via “work at home” advertisements, who end up laundering some of the funds stolen from bank accounts. The cybercriminals send emails to people searching for online jobs. The hired employees are provided with long and seemingly legitimate work contracts and actual websites to log into. They’re instructed to either open a bank account or use their own bank account in order to receive funds via wire and ACH transactions from numerous banks…and then use money remitting services to send the money overseas.

If you think you’ve been victimized by this type of scheme, contact your financial institution to report it, and file a complaint with the FBI’s Internet Crime Complaint Center.