Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Multi-Stage Attack Campaign Targets Financial Information

Security researchers at BitDefender have identified an attack campaign that enlists multiple banking Trojans to help compromise bank account information.

Security researchers at BitDefender have identified an attack campaign that enlists multiple banking Trojans to help compromise bank account information.

The attack begins with malicious Java applets injected into Websites to target vulnerabilities in the Java Virtual Machine running on the user’s computer. The applet mimics the applet for Adobe Flash Player, and prompts the user to install a new version of the software. If the victim does, he or she will download a Trojan that in turn will hand them banking malware, explained Catalin Cosoi, chief security researcher at BitDefender.

The Trojan posing as Flash Player is written in Visual Basic and packed with UPX, and is saved in a writeable location on the user’s machine with the name temp_flash_file.phx, according to information uncovered by BitDefender Security Evangelist Bogdan Botezatu. From there, the malware downloads and installs a banker Trojan from a list of a dozen available links hardcoded in the downloader that lead to different pieces of financial malware – something which is atypical, as attackers tend to stick to a specific campaign, Cosoi told SecurityWeek.

To ensure automatic launch, the banker Trojan creates a shortcut to itself in “%Start Menu%\Programs\Startup” with an empty name with a “.lnk” extension. Each time the system starts, all programs with shortcuts added in that folder are automatically initiated as well – including the banking malware, according to the firm. Once the banking Trojan is on the system, it updates itself by downloading newer versions from a second list of links hiding out in different locations.

“Most of the time, [attackers] only use a couple of servers, which makes them vulnerable to shutdowns,” Cosoi said. “However, this Trojan looks for updates in much more locations on the Web than usual.”

What happens next is typical – the banking Trojan presents the user with a login form and asks them to fill it in. The data is then sent to a command and control server operated by the attackers.

Though BitDefender did not name any specific sites compromised as part of the campaign, Cosoi noted that some of the sites are ranked between the top 13,000 and 20,000 in terms of traffic. So far, the firm has not uncovered any evidence pointing to a particular gang, and researchers do not know how much money may have been stolen as part of the attack.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.