Carberp Successor Bolek Banking Trojan Emerges

The leaked source code of the Carberp Trojan has spawned numerous malware variations, and a new one has emerged showing increased sophistication.

The new Bolek banking Trojan is polymorphic file malware that targets both 32-bit and 64-bit versions of Windows and can perform a broad variety of actions on infected machines: web injections, traffic interception, screenshots, keylogging, and theft of login credentials from online banking applications.

What’s more, the malware can establish reverse RDP (Remote Desktop Protocol) connections (back connect). According to Doctor Web researchers, who say that the Trojan also inherits a series of characteristics from Trojan.PWS.Panda (Zeus), Bolek can launch a local SOCKS5 proxy server and an HTTP server to run CMD commands.

PhishMe security researchers, who say that Bolek is based on repurposed KBot source code from Carberp, also explain that the Trojan uses multiple tricks to hinder detection and analysis efforts. The malware employs clever import functionality and also leverages a complex methodology to ensure it gains persistence on the infected machine.

During infection, the Trojan abuses svchost.exe or winlogon.exe processes to execute operations. It also maintains certain runtime values in memory, including the command and control (C&C) domains, as well as some of the bot configurations. The malware stores the configuration data in JSON and can send a great deal of data to the C&C server, including versioning, file hashes, and installed applications.

Each time it is executed on the infected PC, the malware creates a randomly-named file folder in the Windows System32 directory and places three files in it. These files include a randomly-named .exe (a system app copied from system32), a .dll (imported by the exe at first runtime), and another file with a different, also random, file extension. The malware modifies the DLL by injecting malicious code into DllEntryPoint and other functions and leverages the legitimacy of the executable and its imported .dll for persistence.
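As a defender-side check, here is an added example (not from the article or from any of the vendors it quotes) that looks for the on-disk shape of the persistence mechanism just described: a subfolder of System32 holding exactly one .exe that is a byte-identical copy of an executable in the System32 root, one .dll, and one file with some other extension. It runs against a constructed temporary tree; the function names and sample files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_triad_folders(system32: Path) -> list:
    """Flag subfolders holding exactly one .exe, one .dll and one other file,
    where the .exe is a byte-identical copy of an executable in the System32 root."""
    known = {sha256_of(p): p.name for p in system32.iterdir()
             if p.is_file() and p.suffix.lower() == ".exe"}
    hits = []
    for folder in system32.iterdir():
        if not folder.is_dir():
            continue
        files = [f for f in folder.iterdir() if f.is_file()]
        if len(files) != 3:
            continue
        by_kind = {}
        for f in files:
            ext = f.suffix.lower()
            kind = "exe" if ext == ".exe" else "dll" if ext == ".dll" else "other"
            by_kind.setdefault(kind, []).append(f)
        if {k: len(v) for k, v in by_kind.items()} != {"exe": 1, "dll": 1, "other": 1}:
            continue
        exe = by_kind["exe"][0]
        digest = sha256_of(exe)
        if digest in known:  # the random-named .exe is a copied system binary
            hits.append({"folder": folder.name, "exe": exe.name, "copy_of": known[digest],
                         "dll": by_kind["dll"][0].name, "other": by_kind["other"][0].name})
    return hits


def build_sample_tree() -> Path:
    """Constructed stand-in for System32 so the check runs offline (not real files)."""
    root = Path(tempfile.mkdtemp())
    (root / "calc.exe").write_bytes(b"MZ-sample-calc")
    (root / "notepad.exe").write_bytes(b"MZ-sample-notepad")
    bad = root / "kq7x2f"                                   # random-looking folder name
    bad.mkdir()
    (bad / "rt8m.exe").write_bytes(b"MZ-sample-calc")       # byte copy of calc.exe
    (bad / "rt8m.dll").write_bytes(b"MZ-sample-dll-patched")
    (bad / "rt8m.qzp").write_bytes(b"third-file")
    drivers = root / "drivers"                              # benign folder, different shape
    drivers.mkdir()
    (drivers / "x.sys").write_bytes(b"driver")
    return root


if __name__ == "__main__":
    for hit in find_triad_folders(build_sample_tree()):
        print(hit)
```

A real System32 holds many legitimate subfolders, so the three-file shape together with the identical-hash test is the signal, and a hit is a lead for triage rather than a verdict.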

Researchers also discovered that the malware can be configured to become a worm, which allows it to self-propagate from one machine to another. It also includes the ability to receive updates, meaning that its operators can easily shift tactics mid-campaign if they want to.

Arbor Networks’ Dennis Schwarz explains that Bolek communicates with the C&C server via HTTP POST requests and encrypts that communication. Unlike other banking Trojans, it does not use RSA for its public key cryptography; instead, it uses elliptic curve cryptography, namely Curve25519, as the key exchange mechanism between host and server.

“Two Curve25519 key pairs are created by the malware and the public keys are sent to the C2 server—one (mypublic) in the post_data_format structure and the other (mypublic2) in the data_header structure,” the researcher says. Data is encrypted using AES-128 encryption and HMAC-SHA1 is used to ensure the integrity of the encrypted data, Schwarz also explains.

According to the Arbor Networks researcher, the Bolek botnet they analyzed was focused on Russian banks and Bitcoin-related sites, but the malware was also observed targeting users in Poland. Its infrastructure was also used in phishing campaigns against Canadian telecoms and online banking, as well as for the distribution of Android malware, but it’s unclear whether the same actor operates all three.
