New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered
February 8th, 2010 by Jason Milletary

Over the past year, the SecureWorks Counter Threat Unit (CTU) has seen criminals continue to target Automated Clearing House (ACH) and wire transfer transactions for fraud, resulting in high-value losses. Small to midsized businesses (SMBs) and not-for-profits have been hit especially hard. Neustar has published an excellent overview (PDF) of this type of threat.
The tools of choice for financial credential theft are often the Zeus or Clampi malware families. In January, the CTU came across what appears to be a new piece of malware developed to facilitate this type of criminal banking activity. The CTU has been calling this new malware Bugat. Its configuration data is currently being updated to include new financial targets.

In mid-January, the installer for Bugat had moderate antivirus coverage (20 of 40 engines), according to VirusTotal. The most commonly assigned name (Bredolab) corresponds to a family of trojan downloaders; however, the installer's runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2 of 41 engines). The installer's change to the AppInit_DLLs registry value instructs Windows to load the Bugat DLL into any program that also loads user32.dll. This is a common mechanism used by malware to inject itself into targeted processes such as web browsers and email clients.
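As an added illustration (not code from the post or from SecureWorks), the following Python audits the AppInit_DLLs mechanism the installer abuses: it parses the value list and flags entries a responder would want to examine. The trusted-directory list and the wording of the findings are assumptions, and the sample registry data is constructed to mirror the post's mspdb30.dll entry.

```python
import re
from typing import Dict, List

# Key that Bugat's installer modifies; the value names below are real Windows names.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# Directories where the rare legitimate AppInit DLLs normally live (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_appinit_list(value: str) -> List[str]:
    """AppInit_DLLs holds a space- or comma-separated list of DLL paths."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]

def audit_appinit(values: Dict[str, object]) -> List[str]:
    """Return one finding per suspicious aspect of the AppInit_DLLs configuration.
    `values` maps value names under APPINIT_KEY to their data. A missing
    LoadAppInit_DLLs (Windows XP/2003) means every listed DLL is loaded into
    each process that maps user32.dll, which is exactly what Bugat relies on."""
    findings: List[str] = []
    entries = parse_appinit_list(str(values.get("AppInit_DLLs", "")))
    loads = int(values.get("LoadAppInit_DLLs", 1)) != 0
    for dll in entries:
        low = dll.lower()
        if "\\" not in low:
            findings.append(f"{dll}: bare filename, resolved via the DLL search path")
        elif not low.startswith(TRUSTED_DIRS):
            findings.append(f"{dll}: located outside the Windows system directories")
        else:
            findings.append(f"{dll}: AppInit DLL registered, verify publisher and signature")
    if entries and not loads:
        findings.append("LoadAppInit_DLLs is 0: list present but not currently loaded")
    if entries and loads and int(values.get("RequireSignedAppInit_DLLs", 0)) == 0:
        findings.append("RequireSignedAppInit_DLLs is 0: unsigned DLLs will be loaded")
    return findings

def read_appinit_key() -> Dict[str, object]:
    """Read the live key; Windows only, since winreg is unavailable elsewhere."""
    import winreg
    data: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        for name in ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs"):
            try:
                data[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return data

# Constructed sample mirroring the post's mspdb30.dll entry; not data from a real host.
SAMPLE_KEY = {"AppInit_DLLs": "mspdb30.dll", "LoadAppInit_DLLs": 1}
```

On a Windows host, `audit_appinit(read_appinit_key())` runs the same checks against the live registry; a non-empty AppInit_DLLs value is rare enough on workstations that every finding deserves a look.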
Bugat comes with capabilities commonly found in malware used to commit credential theft for financial fraud.
Bugat Functionality
- Internet Explorer (IE) and Firefox form grabbing
- Scrape or modify HTML for targeted sites
- Steal and delete IE, Firefox, and Flash cookies
- Steal FTP and POP credentials
- SOCKS proxy server (v4 and v5)
- Browse and upload files from the infected computer
- Download and execute programs
- Upload list of running processes
- Delete system files and reboot computer to render Windows unable to boot
Bugat communicates with a remote command and control web server to receive commands and to exfiltrate stolen information. As part of this process, the malware also receives a list of URL target strings used to monitor the victim’s web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications.
New Bugat Banking Trojan Gives Hackers Choices
The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals. This demand may be driven by the desire for cheaper alternatives or malware that has not received as much scrutiny from security professionals. The continued introduction of this type of malware could have the unfortunate effect of lowering costs of malware and the barrier to entry into the criminal marketplace.
Operation Aurora: Clues in the Code
January 20th, 2010 by Joe Stewart

With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time: there is a persistent campaign of "espionage-by-malware" emanating from the People's Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the U.S. government.
Publicly Disclosed GSM Attack Surface Expanding
December 29th, 2009 by Ben Feinstein

During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the "Global System for Mobile communications" and is the world's most popular standard for mobile handsets.
SecureWorks Reports Increase in Email Scams and Advises Extra Caution While Shopping Online this Holiday Season
December 2nd, 2009 by The Counter Threat Unit

In the last month, the SecureWorks Counter Threat Unit (CTU) has seen a general increase in malicious email campaigns trying to infect online users with the Zeus Trojan, one of the most pervasive financial-credential-stealing Trojans on the market. In the last three weeks, the CTU has also monitored a large increase in the number of email lists being sold on underground hacker forums, coinciding with the start of the holiday shopping season.
SANS Incident Detection Summit
November 25th, 2009 by Jon Ramsey

SecureWorks CTO Jon Ramsey will be participating on a panel at the SANS Incident Detection Summit, December 9-10, 2009.
ToorCon 11 a Success!
October 30th, 2009 by Dennis Brown

There are two things one can count on every year at ToorCon: the amazing San Diego weather and excellent presentations about new and emerging security research. This year's ToorCon 11 did not disappoint, and delivered a lot of great content and new security research throughout the weekend.
Monkif/DlKhora Botnet Hiding Its Commands as JPEG Images
September 29th, 2009 by Jason Milletary

The SecureWorks Counter Threat Unit (CTU) has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
Skype Eavesdropping Trojan
September 25th, 2009 by Dennis Dwyer

Recently, programmer Ruben Unteregger released the source code for a Trojan that allows an attacker to listen in on a victim's Skype conversations. For approximately seven years, Unteregger has worked as a software engineer for ERA IT Solutions AG, where he developed the Trojan. Skype traffic is encrypted using a 256-bit AES block cipher, the kind approved by the US Government to protect "TOP SECRET" information.
Twitter-Based Botnet Command and Control
September 4th, 2009 by Dennis Dwyer

Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as "tweets," may not exceed 140 UTF-8 encoded characters.
Crypto Attacks: It’s the implementation stupid
August 27th, 2009 by Hunter King

Black Hat USA 2009 brought us the latest release of Moxie Marlinspike's sslstrip tool. sslstrip is a tool for performing man-in-the-middle (MITM) attacks against TLS/SSL sessions. The previous version simply terminated the TLS connection at the MITM point and forwarded an unencrypted connection on to the client.