Search This Blog

Showing posts with label Banking Malware. Show all posts

Banking Trojan 'Metamorfo' Now Targeting Online Users' Banking Services


Online banking users are being targeted by a trojan malware campaign going around the globe with the agenda of gaining illegal access to personal information such as credit card details and other sensitive data of users.

The banking trojan which has successfully affected more than 20 online banks goes by the name 'Metamorfo'. Several countries fell prey to the banking trojan including the US, Spain, Peru, Canada, Chile, Mexico, and Ecuador. Reportedly, earlier the attack was limited to Brazil-based banks only, however, the recent times witnessed a rapid increase in the number of these attacks; now encompassing other countries, according to the cybersecurity researchers at Fortinet.

In order to multiply their opportunities for financial gains, Cybercriminals have continued to resort to banking trojans and have refined the apparatus of the malware – in ways that make detection complicated. The latest research indicates that earlier the targeting was limited to the banking sector only but now as the leading banking trojans have expanded their reach, industries other than banking are also vulnerable to the attacks. The likely targets include cloud service providers, online tech stores, warehousing, mobile app stores, and e-commerce, according to the latest findings.

Metamorfo relies on email spoofing to set the attack into motion, it appears to contain information regarding an invoice and directs the victims to download a .ZIP file. As soon as the targeted user downloads and finishes the extraction of the file, it tends to allow Metamorfo to run on a Windows system. After the installation is completed, the malware starts running an Autolt script execution program. Although the scripting language is primarily designed for automating the Windows graphical UI, here the malware employs it to bypass the antivirus detection.

While explaining the functioning of the malware, ZDnet told, "Once running on the compromised Windows system, Metamorfo terminates any running browsers and then prevents any new browser windows from using auto-complete and auto-suggest in data entry fields.

"This prevents the user from using auto-complete functions to enter usernames, passwords, and other information, allowing the malware's keylogger functionality to collect the data the users are thus obliged to retype. It then sends that data back to a command-and-control server run by the attackers."

There are no revelations made about the keywords related to the targeted banks and other financial institutions, however, researchers expect the Metamorfo campaign still being active. To stay on a safer side, users are advised to keep their operating systems and software updated and patched timely.

Hike in Banking Malware Attacks; Mobile Malware A Part of Cyber-Crime Too!



Banking malware is on a rise and the percentage of the wreckage it causes has risen up to 50%.

The viral banking malware usually is on the lookout for payment data, credentials and of course, cash.

Development kits for mobile malware code are easily available on underground portals and hence this issue is relevant.

The creators of mobile bankers henceforth allow the fabrication of new versions of malware that could be distributed on an enormous scale.

Ramnit (28%), Trickbot (21%) and Ursnif (10%) are apparently the most widely known types of the malware.

Mobile malware happens to be pretty difficult to identify and equally so to deal with as they use similar malicious techniques that are applied on computers.

The variants of the malware that were recurrently identified by the anti-virus solutions were Android-bound Triada (30%), Lotoor (11%) and Hidad (7%).

Turning the anti-malware off, using transparent icons with empty application labels, delayed execution to bypass sandboxes, and encrypting the malicious payload are a few of the evasion techniques being employed, per sources.

Trickbot Trojan Gets 'BokBot' Proxy Module to Steal Banking Info.




In 2017, IBM's X-Force team discovered a banking trojan named as 'BokBot', which redirects users to malicious online banking websites or can link victims to a browser procedure in order to insert unauthorized content onto official bank pages, it's also known as IcedID.

The authors of Trickbot trojan have begun to distribute a custom proxy module to the users; Trickbot trojan is a new component originated from BokBot's code for web injection, it works with some of the widely used web browsers.

The new variant came with its separate configuration file, it was detected on an infected system on 5th of July as "shadnewDll".

How does the malware work?

The malicious process begins with an infected Office Word document that downloads the Ursnif trojan after deploying a PowerShell script. Then, a Trickbot version along with the IcedID proxy module is received by the compromised host, it is programmed to intercept and modify web traffic.

After examining the component, Vitali Kremez, security researcher, said that it can be attached to the following web browsers: Microsoft Edge, Mozilla Firefox, Internet Explorer and Google Chrome.

Upon further inspection, the module appeared to be particularly adapted for TrickBot or other fraud bank operations which is based on the installion of this malware and its variants.

Referencing from the research of FireEye, "The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations." 

Cybercriminal Gang behind $100million theft busted









An international cybercrime network that used Russian malware to steal $100 million from tens of thousands of victims have been busted by the joint operation of Unites States and European police.  

The gang used an extremely powerful GozNym banking malware to infect the computers which allowed them to steal the user’s bank login details, it involves "more than 41,000 victims, primarily businesses and their financial institutions," Europol said. 

The malware GozNym is a combination of two other malware — Gozi and Nymaim. According to the IBM X-Force Research team the malware took the most powerful elements of each one. “From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi parts add the banking Trojan’s capabilities to facilitate fraud via infected internet browsers,” the team said, adding: “The end result is a new banking Trojan in the wild.”

The prosecutions have been launched against the gang in Georgia, Moldova, Ukraine and the United States. While five Russians charged in the US remain on the run, the EU police agency Europol said.

Alexander Konovolov, 35, of Tbilisi, Georgia, is a prime accused and the leader of the network, and  is currently being prosecuted in Georgia.


Police in Germany and Bulgaria were also involved.

Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!





Cyber-cons have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique’s to blame.

The “Byte Order Mark” technique goes about altering the host’s files on the windows system.

The major superpower of the BOM is helping the threat actor group to be under the line of display or detection.

The researchers from a very widely known anti-virus firm noticed a new campaign that majorly worked on spear phishing.

The spear phishing process would help to deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, the legit ZIP files start with “PK” and are of (0x 504B). The BOM have extra three bytes (0x EFBBBF) found within UTF-8 text files.

In some systems the ZIP archive format goes undetected but in some systems it’s recognized as a UTF-8 text file and the malicious payload isn’t extracted.

The same files on the other hand could be opened via third-party functions to name a few 7-Zip & WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DDL along with a BICDAT function encrypted with the XOR based algorithm.
The library then downloads a second stage of payload, the password protected ZIP file.
The dcyber crownloaded payload material is encrypted using similar functions as the inserted payload.
After having extracted the necessary files the last and final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours information like access card codes, dates of birth, account passwords, electronic signature, e-banking passwords and etc from the system.