Cybercriminals Tap “Bugat” – Less Popular and Harder to Detect Malware
It appears that cybercriminals are changing up their weapons recently, trying to diversify their attack tools using a platform that is less well known and therefore harder to detect and block. With so much focus on the ZeuS Trojan, recent attacks utilized a variant of “Bugat,” another Trojan horse that steals information from a compromised computer and sends it to a remote host. Bugat was first discovered in January of this year but, like ZeuS, has seen some different variants – all designed to attack Microsoft Windows users.
Trusteer, a company that helps browsers stay more secure, today announced that its researchers have discovered a new version of the Bugat financial malware.
Trusteer says that Bugat was distributed in the recent attack targeting LinkedIn users, which was considered to be trying to infect machines with the more common Zeus Trojan, the malware used by a large cybercrime ring that was recently disrupted by the FBI and several international law enforcements agencies.
Bugat is similar in functionality to its better known financial malware brethren Zeus, Clampi and Gozi. It targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen financial credentials are used to commit fraudulent Automated Clearing House (ACH) and wire transfer transactions mostly against small to midsized businesses, which result in high-value losses. Bugat is three times more common in the US than Europe, but its distribution is still fairly low. Symantec currently lists “Trojan.Bugat” at Risk Level 1 (Very Low)
In last week’s attack, LinkedIn users received emails alerting them of a “Contact Request,” and encouraging them to click through to a malicious URL where a java applet fetched and installed the Bugat executable.
“Criminals are stepping up their malware distribution efforts by continuously updating configurations of well known malware like Zeus, and using new versions of less common Trojans like Bugat, to avoid detection,” said Mickey Boodaei, CEO of Trusteer. “We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the Internet.”
Trusteer warns that the recent industry focus on Zeus is making it easier for other Trojans, like Bugat, SpyEye, and Carberp which are less wide spread but equally sophisticated, to avoid detection. Trusteer also notes that lesser known financial malware platforms are expected to increasingly compete with the Zeus toolkit to become the new Trojan of choice for criminal groups.
While this shift to “Bugat” may help attackers temporarily sneak by some malware scanning systems, we still expect ZeuS to be an ongoing threat and continue to be a major attack tool for quite some time. This certainly won’t replace ZeuS in the short-term.
Related Reading: Protecting Data from The Automated Cyber-Mafia