Connect with us

Hi, what are you looking for?


Malware & Threats

Ostap Backdoor Installs Banking Trojans, PoS Malware

A newly documented backdoor is being used by a threat group to install well-known banking Trojans, along with a point-of-sale (POS) malware dropper, Proofpoint security researchers warn.

A newly documented backdoor is being used by a threat group to install well-known banking Trojans, along with a point-of-sale (POS) malware dropper, Proofpoint security researchers warn.

Dubbed Ostap, the threat is a JScript backdoor that security researchers have associated with a Delphi dropper called MrWhite, which is used to check infected systems for POS malware and download some if none is found. The actors behind the duo, researchers say, make use of banking Trojans such as Dridex, Ursnif, and Tinba, as well as the POS threat known as AbaddonPOS (and the TinyLoader loader).

The adversary was observed focusing on financial services in countries such as Germany, Austria, and the United Kingdom, but targeting other verticals and countries as well. For distribution, the group used spam emails with malicious Microsoft Word documents attached to them, Proofpoint says.

The distribution campaigns associated with this actor weren’t too large, ranging from only a few targeted messages to several thousand broadly distributed emails. The observed messages were written in German and English, depending on where the intended victims were located.

The backdoor remains active on the infected computer after the malicious document has been closed, writes a copy of itself to the current user’s Startup folder for persistence, and also sends the computer name to the C&C server. Moreover, it can receive and run an executable payload or a script file (with “certutil”) from the C&C.

Typically, the malware is used to download an executable from the server, and that payload is either a banking Trojan (the Dridex botnet ID 3302 to target UK and French organizations, Ursnif ID 1068 to target Poland, or Tinba to target German and Austrian organizations), or the MrWhite malware. The backdoor’s operators, researchers say, rotate the payloads on a daily basis.

Written in Delphi, MrWhite was designed to compare the running process names on the infected machine against a hardcoded list. As soon as it finds a process of interest, it sends the entire process list to the C&C server, and then drops TinyLoader onto the machine.

Advertisement. Scroll to continue reading.

First, MrWhite sleeps for 120 seconds, after which it combines the hardcoded list of processes into a single string and reverses it. Next, a specific string is reversed (from ‘VSC OF/ tsilksat’ to ‘tasklist /FO CSV’), and the command executed to produce a list of running processes in a comma-separated format and to search the list for processes of interest. If one is found, the list is sent to the C&C over HTTPS.

“Three of the MrWhite samples analyzed for this research dropped and executed an embedded TinyLoader immediately after sending the tasklist to the C&C. All of these samples dropped exactly the same instance of TinyLoader; however a different filename was used in each: ‘000.exe’, ‘001.exe’, and ‘5678987654.exe’,” Proofpoint researchers say.

Although TinyLoader wasn’t observed receiving any commands to download additional payloads, the malware was previously associated with the AbaddonPOS, and a recent payload was found to communicate to the same IP as the TinyLoader dropped by MrWhite. The AbaddonPOS malware searchers for credit card data on the infected machine and then exfiltrates the data to the C&C, encoding it using previously analyzed encoding techniques. However, the second XOR key used by this instance is the same as the IP address.

“Threat actors are constantly exploring new approaches to delivering and monetizing malware. In this case, a new group is using an undocumented backdoor and a new loader to deliver familiar banking Trojans and POS malware. By introducing new malware variants, both of which drop payloads that are often caught by existing defenses, the actor group makes detection more difficult and makes it easier to swap out final payloads,” Proofpoint says.

Related: Dyre Authors Apparently Working on New Banking Trojan

Related: PoS Malware Activity Spiked on Thanksgiving: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...