Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Trojan Targets Nearly 140 Financial Institutions Worldwide

A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.

A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.

The security firm posted findings a few weeks ago that cyber-criminals had compromised hundreds of WordPress-based sites. The attacks spread via emails with malicious links or HTML attachments leading to compromised sites infected with the Phoenix exploit kit.

“After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine,” blogged Daniel Chechik, a researcher with M86. “The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carperb and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.”

Once the Trojan finds a live proxy, it connects to the command and control server and downloads a customized configuration from the attackers, he explained. Currently, the cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex is of course one of many banking Trojans targeting users. Last week, researchers from Symantec shared information on a variant of the Zeus Trojan that uses peer-to-peer technology to communicate – negating, or at least reducing, the need for a central command-and-control server that can be targeted by security companies or researchers.

“This Trojan’s capability is basically similar to Zeus and SpyEye,” he blogged. “It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.”

“The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time,” he continued. “They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.”

Chechik did not name the specific banks being targeted.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...