Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Discover ‘Hesperbot’ – A New and Potent Banking Trojan

“Hesperbot” is an Entirely New Banking Malware Family With Advanced Features, Currently Targeting Users In Turkey, The Czech Republic, Portugal and the UK.

“Hesperbot” is an Entirely New Banking Malware Family With Advanced Features, Currently Targeting Users In Turkey, The Czech Republic, Portugal and the UK.

Researchers from ESET have uncovered what they are calling a new “Zeus-like Trojan” that is a completely new malware family, but one that packs powerful data-stealing capabilities found in other well-established malware. According to the researchers, the threat is currently targeting online banking users mainly in Turkey, The Czech Republic, Portugal and the United Kingdom.

Malware Named “Hesperbot” and detected as “Win32/Spy.Hesperbot” by ESET, despite being a new kind of malware, the security firm is calling it a “potent banking Trojan” that features capabilities, including keystroke logging, screenshot and video capture, and even the ability to setup a remote proxy and create a hidden VNC server on the infected system.

“Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known Trojan,” Robert Lipovsky, a malware researcher at ESET, explained in a blog post.

The attackers are using “credible-looking phishing-like campaigns” leveraging trusted brands in order spread the malware, ESET said.

Interestingly, the attackers behind the malware are also attempting to get users to install a mobile component of the malware on their Symbian, Blackberry or Android mobile device. ESET researchers also discovered a component (Win32/Spy.Agent.OEC) used by Hesperbot that harvests e-mail addresses from infected systems and sends them to a remote server.

The configuration files used by the malware’s HTTP interception and injection module specify which online banking websites are to be targeted by each botnet, ESET explained.

Hesperbot Malware Screenshot

List of Czech Banks Targeted by Hesperbot

According to recent research from Terry Nelms, a researcher at Damballa, 80% of current malware leverages HTTP as the primary access point to corporate networks.

“The Czech malware-spreading campaign started on August 8, 2013,” Lipovsky noted, also saying that the attackers registered the domain, a similar domain to the real website of the Czech Postal Service,

“It’s probably not surprising that the attackers tried to lure potential victims into opening the malware by sending emails which looked as parcel tracking information from the Postal Service,” Lipovsky said.

In a clever move, the attackers set the fake domain to redirect to the “real website” when opened directly in a web browser.

According to ESET, the country most affected by Hesperbot is currently Turkey, which ESET has found detections in dating priot to August 8.

“Recent peaks in botnet activity were observed in Turkey in July 2013, but we have also found older samples that go back at least as far back as April 2013,” Lipovsky continued. “During the analysis of the samples we found that they were sending debugging information to the C&C – an indicator that these variants were in the early stages of development.”

In the case of the Turkish and Portuguese botnets, ESET noted, the configuration files included HTML web-injects that the malware would insert into the banks’ web-pages when viewed on the infected PC. However, Web-injects were not seen in the Czech configuration file.

“Like many other malware families, Win32/Spy.Hesperbot has a modular architecture,” ESET explained in a separate research document. “As the first step in infection, the victim downloads and runs a dropper component. The dropper is also protected by a custom malware packer and distributed in a ZIP archive.”

ESET explained that the dropper’s role is to inject the main component – ‘core’ – into explorer.exe. The core then downloads and loads additional modules used to carry out malicious actions as detailed in the chart below.

Hesperbot Malware

Overall, it’s unclear how many users may have been infected by this new threat, but according to ESET, victims in the Czech Republic have lost “significant amounts of money” at the hands of Hesperbot, with the possibility of similar fate with victims in Turkey and Portugal.

ESET also discovered a variant designed to target users in the United Kingdom, but did not share additional details.

Hesperbot is not the only emerging threat working its way into users’ systems. In late July, another new professional-grade banking Trojan was uncovered that RSA researchers said could soon rival Zeus, SpyEye and Citadel in how effectively it spreads. Dubbed KINS, the banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.