Search This Blog

Showing posts with label Banking Malware. Show all posts

Hike in Banking Malware Attacks; Mobile Malware A Part of Cyber-Crime Too!



Banking malware is on a rise and the percentage of the wreckage it causes has risen up to 50%.

The viral banking malware usually is on the lookout for payment data, credentials and of course, cash.

Development kits for mobile malware code are easily available on underground portals and hence this issue is relevant.

The creators of mobile bankers henceforth allow the fabrication of new versions of malware that could be distributed on an enormous scale.

Ramnit (28%), Trickbot (21%) and Ursnif (10%) are apparently the most widely known types of the malware.

Mobile malware happens to be pretty difficult to identify and equally so to deal with as they use similar malicious techniques that are applied on computers.

The variants of the malware that were recurrently identified by the anti-virus solutions were Android-bound Triada (30%), Lotoor (11%) and Hidad (7%).

Turning the anti-malware off, using transparent icons with empty application labels, delayed execution to bypass sandboxes, and encrypting the malicious payload are a few of the evasion techniques being employed, per sources.

Trickbot Trojan Gets 'BokBot' Proxy Module to Steal Banking Info.




In 2017, IBM's X-Force team discovered a banking trojan named as 'BokBot', which redirects users to malicious online banking websites or can link victims to a browser procedure in order to insert unauthorized content onto official bank pages, it's also known as IcedID.

The authors of Trickbot trojan have begun to distribute a custom proxy module to the users; Trickbot trojan is a new component originated from BokBot's code for web injection, it works with some of the widely used web browsers.

The new variant came with its separate configuration file, it was detected on an infected system on 5th of July as "shadnewDll".

How does the malware work?

The malicious process begins with an infected Office Word document that downloads the Ursnif trojan after deploying a PowerShell script. Then, a Trickbot version along with the IcedID proxy module is received by the compromised host, it is programmed to intercept and modify web traffic.

After examining the component, Vitali Kremez, security researcher, said that it can be attached to the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.

Upon further inspection, the module appeared to be particularly adapted for TrickBot or other fraud bank operations which is based on the installion of this malware and its variants.

Referencing from the research of FireEye, "The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations." 

Cybercriminal Gang behind $100million theft busted









An international cybercrime network that used Russian malware to steal $100 million from tens of thousands of victims have been busted by the joint operation of Unites States and European police.  

The gang used an extremely powerful GozNym banking malware to infect the computers which allowed them to steal the user’s bank login details, it involves "more than 41,000 victims, primarily businesses and their financial institutions," Europol said. 

The malware GozNym is a combination of two other malware — Gozi and Nymaim. According to the IBM X-Force Research team the malware took the most powerful elements of each one. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi parts add the banking Trojan’s capabilities to facilitate fraud via infected internet browsers,” the team said, adding: “The end result is a new banking Trojan in the wild.”

The prosecutions have been launched against the gang in Georgia, Moldova, Ukraine and the United States. While five Russians charged in the US remain on the run, the EU police agency Europol said.

Alexander Konovolov, 35, of Tbilisi, Georgia, is a prime accused and the leader of the network, and  is currently being prosecuted in Georgia.


Police in Germany and Bulgaria were also involved.

Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!





Cyber-cons have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique’s to blame.

The “Byte Order Mark” technique goes about altering the host’s files on the windows system.

The major superpower of the BOM is helping the threat actor group to be under the line of display or detection.

The researchers from a very widely known anti-virus firm noticed a new campaign that majorly worked on spear phishing.

The spear phishing process would help to deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, the legit ZIP files start with “PK” and are of (0x 504B). The BOM have extra three bytes (0x EFBBBF) found within UTF-8 text files.

In some systems the ZIP archive format goes undetected but in some systems it’s recognized as a UTF-8 text file and the malicious payload isn’t extracted.

The same files on the other hand could be opened via third-party functions to name a few 7-Zip & WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DDL along with a BICDAT function encrypted with the XOR based algorithm.
The library then downloads a second stage of payload, the password protected ZIP file.
The dcyber crownloaded payload material is encrypted using similar functions as the inserted payload.
After having extracted the necessary files the last and final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours information like access card codes, dates of birth, account passwords, electronic signature, e-banking passwords and etc from the system.