New Banking Trojan Targeting ACH and Wire Payment Sites is Discovered

Over the past year, the SecureWorks Counter Threat Unit (CTU)SM has seen criminals continue to target Automated Clearing House (ACH) and wire transfer transactions for fraud activity, resulting in high-value losses. Small to mid-sized businesses (SMBs) and not-for-profits have been hit especially hard. Neustar has published an excellent overview (PDF) of this type of threat.

The tools of choice for financial credential theft are often the Zeus or Clampi malware families. In January, the CTU came across what appears to be a new piece of malware developed to facilitate this type of criminal banking activity. The CTU has been calling this new malware Bugat. Currently, it is updating its configuration data to include new financial targets. In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41). The AppInit_DLLs registry key setting changes made by the installer instruct Windows to load the Bugat DLL into any program that also loads user32.dll. This is a common mechanism used by malware to infiltrate itself into targeted processes such as web browsers and email clients.

Bugat comes with capabilities commonly found in malware used to commit credential theft for financial fraud.

Bugat Functionality
  • Internet Explorer (IE) and Firefox form grabbing
  • Scrape or modify HTML for targeted sites
  • Steal and delete IE, Firefox, and Flash cookies
  • Steal FTP and POP credentials
  • SOCKS proxy server (v4 and v5)
  • Browse and upload files from the infected computer
  • Download and execute programs
  • Upload list of running processes
  • Delete system files and reboot computer to render Windows unable to boot

Bugat communicates with a remote command and control web server to receive commands and to exfiltrate stolen information. As part of this process, the malware also receives a list of URL target strings used to monitor the victim's web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications.

New Bugat Banking Trojan Gives Hackers Choices 
The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals. This demand may be driven by the desire for cheaper alternatives or malware that has not received as much scrutiny from security professionals. The continued introduction of this type of malware could have the unfortunate effect of lowering costs of malware and the barrier to entry into the criminal marketplace.
Back to all Blogs

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.