SecurityWeek

Malware & Threats

Carberp Successor Bolek Banking Trojan Emerges

The leaked source code of the Carberp Trojan has spawned numerous malware variations, and a new one has emerged showing increased sophistication.

The new Bolek banking Trojan is a polymorphic, file-infecting piece of malware that targets both 32-bit and 64-bit versions of Windows and can perform a broad variety of actions on infected machines: web injections, traffic interception, screenshot capture, keylogging, and theft of login credentials for online banking applications.

What's more, the malware can establish reverse RDP (Remote Desktop Protocol) connections (back connect). According to Doctor Web researchers, who say the Trojan also inherits a series of characteristics from Trojan.PWS.Panda (Zeus), Bolek can launch a local SOCKS5 proxy server and an HTTP server, and can execute CMD commands on the infected host.

PhishMe security researchers, who say Bolek is based on repurposed KBot source code from Carberp, also explain that the Trojan uses multiple tricks to hinder detection and analysis. The malware handles its imports in an unconventional way and relies on a complex mechanism to gain persistence on the infected machine.

During infection, the Trojan abuses the svchost.exe or winlogon.exe processes to carry out its operations. It keeps certain runtime values in memory, including the command and control (C&C) domains and part of the bot configuration. The malware stores its configuration as JSON and can send a great deal of data to the C&C server, including version information, file hashes, and the list of installed applications.

Each time it runs on the infected PC, the malware creates a randomly named folder in the Windows System32 directory and places three files in it: a randomly named .exe (a legitimate system application copied from System32), a .dll that the .exe imports when it is first run, and a third file with a different, also random, extension. The malware patches the DLL by injecting malicious code into DllEntryPoint and other functions, so the clean, legitimate executable loads the malicious code every time it starts; this DLL side-loading arrangement is what gives the malware its persistence while hiding behind the legitimacy of the copied system binary.
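The drop layout above (a random folder under System32 holding a copied system .exe, a patched .dll and one more file) is specific enough to hunt for. The Go program below is an added example, not code from the article or from any of the researchers it cites: it walks the immediate sub-directories of a System32 path, flags those that hold exactly one .exe, one .dll and one file of another extension, and hashes the .exe against the legitimate top-level programs to confirm it is a byte-for-byte copy. The fake System32 tree it builds for the demonstration, including every file name and body, is constructed for this example and is not real malware.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one System32 sub-directory matching the three-file drop layout;
// MatchesSys names the legitimate System32 program the .exe is a copy of.
type Finding struct{ Dir, Exe, Dll, Extra, MatchesSys string }

func fileSHA256(path string) string {
	data, err := os.ReadFile(path)
	if err != nil {
		return ""
	}
	return fmt.Sprintf("%x", sha256.Sum256(data))
}

// HuntBolekLayout reports every immediate sub-directory of system32 that holds
// exactly one .exe, one .dll and one file of another extension, and hashes the
// .exe against the top-level programs to spot a copied legitimate binary.
func HuntBolekLayout(system32 string) ([]Finding, error) {
	entries, err := os.ReadDir(system32)
	if err != nil {
		return nil, err
	}
	known := map[string]string{} // sha256 -> legitimate program name
	for _, e := range entries {
		if !e.IsDir() && strings.EqualFold(filepath.Ext(e.Name()), ".exe") {
			known[fileSHA256(filepath.Join(system32, e.Name()))] = e.Name()
		}
	}
	var findings []Finding
	for _, e := range entries {
		if !e.IsDir() {
			continue
		}
		dir := filepath.Join(system32, e.Name())
		files, err := os.ReadDir(dir)
		if err != nil || len(files) != 3 {
			continue
		}
		f := Finding{Dir: dir}
		for _, x := range files {
			switch ext := strings.ToLower(filepath.Ext(x.Name())); {
			case x.IsDir(): // a nested directory breaks the pattern
			case ext == ".exe":
				f.Exe = x.Name()
			case ext == ".dll":
				f.Dll = x.Name()
			default:
				f.Extra = x.Name()
			}
		}
		if f.Exe == "" || f.Dll == "" || f.Extra == "" {
			continue
		}
		if h := fileSHA256(filepath.Join(dir, f.Exe)); h != "" {
			f.MatchesSys = known[h]
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// BuildSampleTree writes a constructed, fake System32 under root (every name
// and file body here is invented for this example) and returns its path.
func BuildSampleTree(root string) string {
	sys := filepath.Join(root, "System32")
	for name, data := range map[string]string{
		"notepad.exe":       "MZ fake notepad",
		"drivers/etc/hosts": "127.0.0.1 localhost", // benign nested directory, skipped
		"qzx8k2/ldmw4p.exe": "MZ fake notepad",     // byte-for-byte copy of notepad.exe
		"qzx8k2/kvtr91.dll": "MZ fake patched dll",
		"qzx8k2/mnb3.c7x":   "opaque third file",
	} {
		p := filepath.Join(sys, filepath.FromSlash(name))
		_ = os.MkdirAll(filepath.Dir(p), 0o755)
		if err := os.WriteFile(p, []byte(data), 0o644); err != nil {
			panic(err)
		}
	}
	return sys
}

func main() {
	root, _ := os.MkdirTemp("", "bolek-hunt")
	defer os.RemoveAll(root)
	findings, err := HuntBolekLayout(BuildSampleTree(root))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: exe=%s (copy of %q) dll=%s extra=%s\n", f.Dir, f.Exe, f.MatchesSys, f.Dll, f.Extra)
	}
}
```

On a real host, point HuntBolekLayout at C:\Windows\System32 from an elevated prompt; the hash match against the top-level binaries is the strong signal, since a legitimately installed component rarely ships as an unmodified copy of another program under a random name.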

Researchers also discovered that the malware can be configured to act as a worm, self-propagating from one machine to another. It can also receive updates, meaning its operators can easily shift tactics mid-campaign.

Arbor Networks' Dennis Schwarz explains that Bolek communicates with its C&C server via HTTP POST requests and encrypts that traffic. Unlike many other banking Trojans, it does not rely on RSA for its public-key operations; instead it uses elliptic curve cryptography, specifically Curve25519, for the key exchange between the bot and the server.

“Two Curve25519 key pairs are created by the malware and the public keys are sent to the C2 server—one (mypublic) in the post_data_format structure and the other (mypublic2) in the data_header structure,” the researcher says. Data is encrypted using AES-128 encryption and HMAC-SHA1 is used to ensure the integrity of the encrypted data, Schwarz also explains.
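The construction Schwarz describes (Curve25519 key agreement, AES-128 for confidentiality, HMAC-SHA1 for integrity) is worth seeing end to end, because the way the pieces are combined decides whether an interceptor can tamper with the traffic. The Go program below is an added example written for this page, not Arbor's code or a reimplementation of Bolek's binary: it generates two X25519 key pairs per side, as in the mypublic/mypublic2 split quoted above, and walks one check-in in both directions. Everything the article does not state is this example's assumption and is marked as such in the code: that one pair feeds the AES key and the other the HMAC key, that SHA-256 is the key-derivation step, that AES-128 runs in CBC mode with PKCS#7 padding, and the encrypt-then-MAC layout of the envelope. The report and command bytes are constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session holds one side's two X25519 key pairs, mirroring the two public keys
// (mypublic, mypublic2) the bot sends. Using one pair for the AES key and the
// other for the HMAC key is this example's assumption, not Arbor's finding.
type Session struct{ Header, Body *ecdh.PrivateKey }

// Keys are the per-session AES-128 (16-byte) and HMAC-SHA1 (20-byte) keys.
type Keys struct{ Enc, Mac []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func NewSession() *Session {
	return &Session{
		Header: must(ecdh.X25519().GenerateKey(rand.Reader)),
		Body:   must(ecdh.X25519().GenerateKey(rand.Reader)),
	}
}

// SharedKeys runs both Curve25519 agreements against the peer's public points and
// hashes each shared secret to key size (SHA-256 as KDF is this example's choice).
func SharedKeys(s *Session, peerHeader, peerBody *ecdh.PublicKey) *Keys {
	enc := sha256.Sum256(must(s.Body.ECDH(peerBody)))
	mac := sha256.Sum256(must(s.Header.ECDH(peerHeader)))
	return &Keys{Enc: enc[:16], Mac: mac[:20]}
}

// Seal returns iv || AES-128-CBC(PKCS#7(plaintext)) || HMAC-SHA1(iv || ciphertext):
// encrypt-then-MAC, so the tag covers everything the receiver will parse.
func Seal(k *Keys, plaintext []byte) []byte {
	block := must(aes.NewCipher(k.Enc))
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	must(rand.Read(out[:aes.BlockSize])) // fresh IV per message
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	tag := hmac.New(sha1.New, k.Mac)
	tag.Write(out)
	return tag.Sum(out)
}

// Open verifies the HMAC-SHA1 tag in constant time before touching the
// ciphertext, then decrypts and strips the padding.
func Open(k *Keys, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha1.Size || (len(msg)-sha1.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	m := hmac.New(sha1.New, k.Mac)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("HMAC-SHA1 check failed")
	}
	block := must(aes.NewCipher(k.Enc))
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return plain[:len(plain)-pad], nil
}

// Exchange simulates one check-in: public points cross the wire in the clear, both
// sides derive the same keys, the bot seals its report (the POST body) and the
// server seals a command back. Private scalars never leave their side.
func Exchange(report, command []byte) (gotReport, gotCommand []byte, err error) {
	bot, srv := NewSession(), NewSession()
	botKeys := SharedKeys(bot, srv.Header.PublicKey(), srv.Body.PublicKey())
	srvKeys := SharedKeys(srv, bot.Header.PublicKey(), bot.Body.PublicKey())
	if gotReport, err = Open(srvKeys, Seal(botKeys, report)); err != nil {
		return nil, nil, err
	}
	gotCommand, err = Open(botKeys, Seal(srvKeys, command))
	return gotReport, gotCommand, err
}

func main() {
	rep, cmd, err := Exchange([]byte(`{"version":"1.0","os":"x64"}`), []byte("update"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server received %s, bot received %s\n", rep, cmd)
}
```

The check worth noticing is in Open: the tag is verified before any decryption, and a flipped byte anywhere in the IV, ciphertext or tag is rejected without touching AES. An interceptor who only sees the two public points cannot derive the shared secrets, so the traffic stays opaque to passive capture; an analyst with a memory dump of the bot, which holds the private scalars, can.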

According to the Arbor Networks researcher, the Bolek botnet they analyzed was focused on Russian banks and Bitcoin-related sites, but the malware was also observed targeting users in Poland. Its infrastructure was also used in phishing campaigns against Canadian telecoms and online banking, as well as for the distribution of Android malware, but it is unclear whether the same actor operates all three.
