Research

New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered

February 8th, 2010 by Jason Milletary

Over the past year, the SecureWorks Counter Threat Unit℠ (CTU) has seen criminals continue to target Automated Clearing House (ACH) and wire transfer transactions for fraud activity, resulting in high-value losses. Small to midsized businesses (SMBs) and not-for-profits have been hit especially hard. Neustar has published an excellent overview (PDF) of this type of threat.

The tools of choice for financial credential theft are often the Zeus or Clampi malware families. In January, the CTU came across what appears to be a new piece of malware developed to facilitate this type of criminal banking activity. The CTU has been calling this new malware Bugat. Currently, it is updating its configuration data to include new financial targets.

In mid-January, the installer for Bugat had moderate antivirus coverage (20/40 engines), according to VirusTotal. The most commonly assigned name, Bredolab, corresponds to a family of trojan downloaders; however, the installer's runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41). The installer changes the AppInit_DLLs registry value so that Windows loads the Bugat DLL into every process that also loads user32.dll. This is a common mechanism malware uses to inject itself into targeted processes such as web browsers and email clients.
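The AppInit_DLLs mechanism described above is worth auditing on any Windows host where Bugat-style activity is suspected. The following script is an added example, not SecureWorks' code: it parses an AppInit_DLLs value the way the Windows loader does (space- or comma-separated entries), resolves %SystemRoot%, and classifies each entry against an allowlist of DLLs a site has vetted. The sample value, the allowlist name `yourproduct_hook.dll`, and the directories used are constructed placeholders; the page does not say where Bugat places mspdb30.dll. The live registry read only runs on Windows.

```python
"""Audit an AppInit_DLLs value for unexpected entries (added example, not
SecureWorks' code). Paths and DLL names below are constructed samples."""
from __future__ import annotations

import ntpath
import re
import sys

# Registry location of AppInit_DLLs under HKEY_LOCAL_MACHINE (32-bit view;
# 64-bit Windows keeps a second copy under Wow6432Node for 32-bit processes).
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Windows treats both spaces and commas as separators in the REG_SZ value,
# which is why entries with spaces in their path must use 8.3 short names.
_SEPARATORS = re.compile(r"[ ,]+")

# Constructed allowlist: DLLs your organisation has confirmed belong here.
SAMPLE_ALLOWLIST = frozenset({"yourproduct_hook.dll"})

# Constructed value: one vetted DLL, the Bugat DLL name from the write-up placed
# in System32 (location assumed, not reported), and a DLL from a temp folder.
SAMPLE_VALUE = (
    r"%SystemRoot%\system32\yourproduct_hook.dll "
    r"%SystemRoot%\system32\mspdb30.dll C:\Temp\unknown.dll"
)


def parse_appinit_dlls(value: str) -> list[str]:
    """Split the raw value into individual DLL entries, preserving order."""
    return [entry for entry in _SEPARATORS.split(value.strip()) if entry]


def expand(entry: str, system_root: str = r"C:\Windows") -> str:
    """Resolve %SystemRoot% with an explicit root so the check is deterministic
    when run off-box (e.g. against a value copied out of a registry export)."""
    return re.sub(r"%SystemRoot%", system_root.replace("\\", r"\\"), entry,
                  flags=re.IGNORECASE)


def classify(entry: str, allowlist: frozenset[str],
             system_root: str = r"C:\Windows") -> tuple[str, str]:
    """Return (verdict, reason) for one AppInit_DLLs entry.

    A DLL in System32 is not trusted on location alone: a malicious DLL with a
    legitimate-looking name (mspdb30.dll is also a Visual Studio file name)
    still fails the allowlist and is flagged for review."""
    resolved = ntpath.normcase(expand(entry, system_root))
    name = ntpath.basename(resolved)
    directory = ntpath.dirname(resolved)
    system32 = ntpath.normcase(ntpath.join(system_root, "System32"))
    if not directory:
        return "review", "bare file name: resolved via the DLL search path, confirm which copy loads"
    if directory == system32 and name in allowlist:
        return "allowlisted", "vetted DLL in System32"
    if directory == system32:
        return "review", "unlisted DLL in System32"
    return "suspicious", "loads from outside System32"


def audit(value: str, allowlist: frozenset[str],
          system_root: str = r"C:\Windows") -> list[dict[str, str]]:
    """Classify every entry of an AppInit_DLLs value."""
    findings = []
    for entry in parse_appinit_dlls(value):
        verdict, reason = classify(entry, allowlist, system_root)
        findings.append({"entry": entry, "verdict": verdict, "reason": reason})
    return findings


def appinit_active(load_appinit: int | None) -> bool:
    """XP/2003 have no LoadAppInit_DLLs value and always honour the list; from
    Vista on, a zero LoadAppInit_DLLs disables the mechanism entirely."""
    return load_appinit is None or load_appinit != 0


def read_live_value() -> tuple[str, int | None]:
    """Read AppInit_DLLs and LoadAppInit_DLLs from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        dlls, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
        try:
            load, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
        except FileNotFoundError:
            load = None
    return dlls, load


if __name__ == "__main__":
    if sys.platform == "win32":
        value, load = read_live_value()
        print(f"LoadAppInit_DLLs active: {appinit_active(load)}")
    else:
        value = SAMPLE_VALUE
    for finding in audit(value, SAMPLE_ALLOWLIST):
        print(f"{finding['verdict']:12} {finding['entry']}  ({finding['reason']})")
```

On a live host, run the script as an administrator and compare the output against the DLLs your endpoint or accessibility products legitimately register; anything outside the allowlist, and any entry at all on a host that should have an empty value, warrants pulling the file for analysis.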

Bugat comes with capabilities commonly found in malware used to commit credential theft for financial fraud.

Bugat Functionality

  • Internet Explorer (IE) and Firefox form grabbing
  • Scrape or modify HTML for targeted sites
  • Steal and delete IE, Firefox, and Flash cookies
  • Steal FTP and POP credentials
  • SOCKS proxy server (v4 and v5)
  • Browse and upload files from the infected computer
  • Download and execute programs
  • Upload list of running processes
  • Delete system files and reboot computer to render Windows unable to boot

Bugat communicates with a remote command and control web server to receive commands and to exfiltrate stolen information. As part of this process, the malware also receives a list of URL target strings used to monitor the victim’s web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications.

New Bugat Banking Trojan Gives Hackers Choices

The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals. This demand may be driven by the desire for cheaper alternatives or malware that has not received as much scrutiny from security professionals. The continued introduction of this type of malware could have the unfortunate effect of lowering costs of malware and the barrier to entry into the criminal marketplace.

Other SecureWorks Blog Categories:
  • Events (1)
  • General (25)
  • Links (7)
  • Phishing (3)
  • Research (88)
  • Spam (1)
  • Trojans (5)

Operation Aurora: Clues in the Code

January 20th, 2010 by Joe Stewart

With the recently disclosed hacking incident inside Google and other major companies, much of the world has begun to wake up to what the infosec community has known for some time: there is a persistent campaign of "espionage-by-malware" emanating from the People’s Republic of China (PRC). Corporate and state secrets both have been shanghaied over a period of five or more years, and the activity becomes bolder over time with little public acknowledgement or response from the U.S. government.
Publicly Disclosed GSM Attack Surface Expanding

December 29th, 2009 by Ben Feinstein

During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the “Global System for Mobile communications” and is the world’s most popular standard for mobile handsets.
SecureWorks Reports Increase in Email Scams and Advises Extra Caution While Shopping Online this Holiday Season

December 2nd, 2009 by The Counter Threat Unit™

In the last month, the SecureWorks Counter Threat Unit℠ (CTU) has seen a general increase in malicious email campaigns trying to infect online users with the Zeus Trojan (one of the most pervasive financial-credential-stealing Trojans on the market). In the last three weeks, the CTU has also monitored a large increase in the number of email lists being sold on underground hacker forums, coinciding with the start of the holiday shopping season.
SANS Incident Detection Summit

November 25th, 2009 by Jon Ramsey

SecureWorks CTO Jon Ramsey will be participating on a panel at the SANS Incident Detection Summit, December 9-10, 2009.
ToorCon 11 a Success!

October 30th, 2009 by Dennis Brown

There are two things one can count on every year at ToorCon: the amazing San Diego weather and excellent presentations about new and emerging security research. This year’s ToorCon 11 did not disappoint, and delivered a lot of great content and new security research throughout the weekend.
Monkif/DlKhora Botnet Hiding Its Commands as JPEG Images

September 29th, 2009 by Jason Milletary

The SecureWorks Counter Threat Unit (CTU) has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
Skype Eavesdropping Trojan

September 25th, 2009 by Dennis Dwyer

Recently, programmer Ruben Unteregger released the source code for a Trojan that allows an attacker to listen in on a victim’s Skype conversations. For approximately seven years, Unteregger has worked as a software engineer for ERA IT Solutions AG, where he developed the trojan. Skype traffic is encrypted using a 256-bit AES block cipher, the kind approved by the US Government to protect “TOP SECRET” information.
Twitter-Based Botnet Command and Control

September 4th, 2009 by Dennis Dwyer

Twitter is a social networking and microblogging service launched in late 2006. Once logged in, users post small updates to the site frequently throughout the day. These short update messages, known as “tweets,” may not exceed 140 UTF-8 encoded characters.
Crypto Attacks: It’s the implementation stupid

August 27th, 2009 by Hunter King

Black Hat USA 2009 brought us the latest release of Moxie Marlinspike’s sslstrip tool. sslstrip is a tool for performing man-in-the-middle (MITM) attacks against TLS/SSL sessions. The previous version simply terminated the TLS connection at the MITM point and forwarded on an unencrypted connection to the client.