Security researchers at BitDefender have identified an attack campaign that enlists multiple banking Trojans to help compromise bank account information.
The attack begins with malicious Java applets injected into Websites to target vulnerabilities in the Java Virtual Machine running on the user’s computer. The applet mimics the applet for Adobe Flash Player, and prompts the user to install a new version of the software. If the victim does, he or she will download a Trojan that in turn will hand them banking malware, explained Catalin Cosoi, chief security researcher at BitDefender.
The Trojan posing as Flash Player is written in Visual Basic and packed with UPX, and is saved in a writeable location on the user’s machine with the name temp_flash_file.phx, according to information uncovered by BitDefender Security Evangelist Bogdan Botezatu. From there, the malware downloads and installs a banker Trojan from a list of a dozen available links hardcoded in the downloader that lead to different pieces of financial malware – something which is atypical, as attackers tend to stick to a specific campaign, Cosoi told SecurityWeek.
To ensure automatic launch, the banker Trojan creates a shortcut to itself in “%Start Menu%\Programs\Startup” with an empty name with a “.lnk” extension. Each time the system starts, all programs with shortcuts added in that folder are automatically initiated as well – including the banking malware, according to the firm. Once the banking Trojan is on the system, it updates itself by downloading newer versions from a second list of links hiding out in different locations.
“Most of the time, [attackers] only use a couple of servers, which makes them vulnerable to shutdowns,” Cosoi said. “However, this Trojan looks for updates in much more locations on the Web than usual.”
What happens next is typical – the banking Trojan presents the user with a login form and asks them to fill it in. The data is then sent to a command and control server operated by the attackers.
Though BitDefender did not name any specific sites compromised as part of the campaign, Cosoi noted that some of the sites are ranked between the top 13,000 and 20,000 in terms of traffic. So far, the firm has not uncovered any evidence pointing to a particular gang, and researchers do not know how much money may have been stolen as part of the attack.