Security researchers at BitDefender have identified an attack campaign that enlists multiple banking Trojans to help compromise bank account information.
The attack begins with malicious Java applets injected into Websites to target vulnerabilities in the Java Virtual Machine running on the user’s computer. The applet mimics the applet for Adobe Flash Player, and prompts the user to install a new version of the software. If the victim does, he or she will download a Trojan that in turn will hand them banking malware, explained Catalin Cosoi, chief security researcher at BitDefender.
The Trojan posing as Flash Player is written in Visual Basic and packed with UPX, and is saved in a writeable location on the user’s machine with the name temp_flash_file.phx, according to information uncovered by BitDefender Security Evangelist Bogdan Botezatu. From there, the malware downloads and installs a banker Trojan from a list of a dozen available links hardcoded in the downloader that lead to different pieces of financial malware – something which is atypical, as attackers tend to stick to a specific campaign, Cosoi told SecurityWeek.
To ensure automatic launch, the banker Trojan creates a shortcut to itself in “%Start Menu%\Programs\Startup” with an empty name with a “.lnk” extension. Each time the system starts, all programs with shortcuts added in that folder are automatically initiated as well – including the banking malware, according to the firm. Once the banking Trojan is on the system, it updates itself by downloading newer versions from a second list of links hiding out in different locations.
“Most of the time, [attackers] only use a couple of servers, which makes them vulnerable to shutdowns,” Cosoi said. “However, this Trojan looks for updates in much more locations on the Web than usual.”
What happens next is typical – the banking Trojan presents the user with a login form and asks them to fill it in. The data is then sent to a command and control server operated by the attackers.
Though BitDefender did not name any specific sites compromised as part of the campaign, Cosoi noted that some of the sites are ranked between the top 13,000 and 20,000 in terms of traffic. So far, the firm has not uncovered any evidence pointing to a particular gang, and researchers do not know how much money may have been stolen as part of the attack.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
