  • Author: Don Jackson, Senior Security Researcher for SecureWorks
  • Date: December 12, 2007

SecureWorks has discovered a stealthy, new Prg Banking Trojan. This new variant is the malware behind Zbot, a new botnet designed specifically to do banking fraud. The hackers using this new malware are specifically targeting banking clients that have commercial accounts. The banking variant has been designed and is being used by the Russian UpLevel hacking group and some German affiliates. The UpLevel hackers are staging their latest attacks using data centers in Moscow, Russia, and Mumbai, India.

SecureWorks has uncovered four servers containing Prg configuration files and corresponding phishing sites specifically targeting many of the leading banks in the US, UK, Spain and Italy. They have also discovered caches of stolen data from the banking trojan. SecureWorks already had countermeasures in place for its clients to protect against the Prg Trojan and its variants and immediately notified research partners, anti-virus vendors and law enforcement officials upon discovering the new Prg Banking Trojan.

Joe Stewart, a senior security researcher for SecureWorks, and I previously discovered other variants of the Prg Trojan in June of this year, which were responsible for stealing social security numbers, bank account numbers, and online payment accounts for over 10,000 victims.

Key Components of Prg Banking Trojan

There are several components which make the Prg Banking Trojan so lethal:

  1. Alerts the hackers when a victim is doing online banking so the hacker can piggyback on the session, enabling the hacker to compromise the victim's commercial banking account without using the victim's username and password.
  2. The infected computer communicates to the command and controller exactly which bank the victim has an account with, and the command and controller then automatically feeds code specific to that bank down to the victim's computer. This code tells the trojan how to simulate actual online transactions for that particular institution, e.g., wire transfers, bill payment, etc.
  3. Simulates keystrokes, as if the actual victim were typing into their computer.
  4. The Prg Trojan will run through all the steps an actual banking client would take during a bank transfer so as to avoid a bank's fraud alerts.
  5. Specific customized code for each bank sits with the command and controller. Therefore, if the bank makes any change to its transactions, or the hackers need to designate a new account number for the stolen monies to be wired to, the hackers can make those changes on the fly without having to change anything in the Prg Banking Trojan itself.

How the Prg Banking Trojan Scam Works

The UpLevel hacking group and their affiliates initially infect their victims through malicious links embedded in emails and via iframes found on specialty websites. The iframes and links lead to the generic, info-stealing Prg Trojan. Once infected with the Prg Trojan, everything the victim enters into their browser is picked up and sent to a server.

The hackers comb through the stolen data, specifically looking for evidence that the victim has a commercial/business bank account. Once they have found a commercial banking client, they spear phish them with a very well-crafted email that typically purports to be from their bank and offers the customer a new soft token, client certificate or security code which they must use to continue their commercial banking. They get the victim to click on a link to visit the fake bank phishing site, and when the victim actually tries to download the new token, certificate or security code, the Prg Banking Trojan is downloaded onto their computer, unbeknownst to them.

Once the banking trojan is downloaded onto the bank customer's machine, it will then communicate back to the command and controller letting it know that it is installed and ready to receive new code. This initiates a download of new code which is specifically designed for the victim's bank.

The banking version of the Prg Trojan enables the hacker to be alerted when the victim is doing online banking so the hacker can piggyback in on the session with the victim. This way the hacker can compromise the victim's commercial banking account without using the victim's username and password. The hacker can command the trojan to download customized code which simulates keystrokes, as if the actual victim were typing into their computer so that the trojan can begin a wire transfer and it will appear that the account owner is actually doing it. The code will have a customizable account number which the money is to be wired to and the whole process happens in a matter of seconds.

As an added protection from being detected, the code will run through all the steps an actual banking client would take during a bank transfer so as to avoid a bank's fraud alerts.

While other banking trojans submit requests directly to money transfer confirmation pages without "visiting" the intermediate pages, the Prg Banking Trojan visits all of the bank's web pages, in order, just as a human being would, making the fraudulent money transfer more difficult to detect.
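A defender-side illustration of the two behaviours contrasted above, written for this page rather than taken from SecureWorks or from any Prg analysis: it groups constructed bank web-server log lines by session and flags a transfer confirmation reached without the intermediate pages (the older trojans) as well as a complete, in-order page walk that finishes in seconds (the Prg pattern). The page paths, log format, session ids and the 20-second floor are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Page order a person walks for a wire transfer (hypothetical paths, not a real bank's).
TRANSFER_FLOW = ["/login", "/transfer/new", "/transfer/review", "/transfer/confirm"]
MIN_HUMAN_SECONDS = 20  # assumed floor for the whole walk; tune to real timings

# Constructed access log lines: timestamp, session id, method, path.
SAMPLE_LOG = """\
2007-12-12T09:00:01 sess=A POST /login
2007-12-12T09:01:10 sess=A GET /transfer/new
2007-12-12T09:02:05 sess=A POST /transfer/review
2007-12-12T09:02:20 sess=A POST /transfer/confirm
2007-12-12T09:05:00 sess=B POST /login
2007-12-12T09:05:02 sess=B POST /transfer/confirm
2007-12-12T10:00:00 sess=C POST /login
2007-12-12T10:00:01 sess=C GET /transfer/new
2007-12-12T10:00:02 sess=C POST /transfer/review
2007-12-12T10:00:03 sess=C POST /transfer/confirm
2007-12-12T11:00:00 sess=D POST /login
"""

def parse_log(text):
    """Group (timestamp, path) events by session id, sorted by time."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sess, _method, path = line.split()
        sessions[sess.split("=", 1)[1]].append((datetime.fromisoformat(ts), path))
    return {s: sorted(ev) for s, ev in sessions.items()}

def follows_flow(paths):
    """True if every flow page appears in order (repeats and extra pages allowed)."""
    step = 0
    for p in paths:
        if step < len(TRANSFER_FLOW) and p == TRANSFER_FLOW[step]:
            step += 1
    return step == len(TRANSFER_FLOW)

def classify_session(events):
    """'no_transfer', 'skipped_pages' (older trojans), 'too_fast' (Prg-style) or 'human'."""
    paths = [p for _, p in events]
    if TRANSFER_FLOW[-1] not in paths:
        return "no_transfer"
    if not follows_flow(paths):
        return "skipped_pages"   # confirm reached without the intermediate pages
    start = next(t for t, p in events if p == TRANSFER_FLOW[0])
    end = max(t for t, p in events if p == TRANSFER_FLOW[-1])
    return "too_fast" if (end - start).total_seconds() < MIN_HUMAN_SECONDS else "human"

def flag_sessions(text=SAMPLE_LOG):
    return {s: classify_session(ev) for s, ev in parse_log(text).items()}
```

Timing alone is a weak signal on its own; in practice it would be combined with the per-step timings and the destination-account checks a bank's fraud system already applies.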

How to Protect Against the Prg Banking Trojan

Bank customers should avoid visiting untrusted websites and clicking on links within emails from untrusted sources. Even if they recognize the sender, they should confirm that the sender has sent the specific email to them before clicking on any links.