Now on Demand: CISO Forum Virtual Summit - All Sessions Available to Watch Instantly
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Trojan Targets Nearly 140 Financial Institutions Worldwide

A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.

A newly-discovered malware plug-in for the Cridex Trojan has a database of 137 banks and financial institutions around the globe that are on the attackers’ menus, according to research from M86 Security.

The security firm posted findings a few weeks ago that cyber-criminals had compromised hundreds of WordPress-based sites. The attacks spread via emails with malicious links or HTML attachments leading to compromised sites infected with the Phoenix exploit kit.

“After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine,” blogged Daniel Chechik, a researcher with M86. “The downloaded Trojan is recognized by antivirus vendors under several names such as Cridex, Carperb and Dapato. Antivirus detection is quite low and only ten out of 43 antivirus scanners in VirusTotal can detect it.”

Once the Trojan finds a live proxy, it connects to the command and control server and downloads a customized configuration from the attackers, he explained. Currently, the cybercriminals are currently running multiple botnets with over 25,000 infected machines.

Cridex is of course one of many banking Trojans targeting users. Last week, researchers from Symantec shared information on a variant of the Zeus Trojan that uses peer-to-peer technology to communicate – negating, or at least reducing, the need for a central command-and-control server that can be targeted by security companies or researchers.

“This Trojan’s capability is basically similar to Zeus and SpyEye,” he blogged. “It collects information from the user’s machine and sends it to the C&C server. This information can include, for example, cookies, FTP credentials and email accounts.”

“The cybercriminals can track specific Web sites that are accessed by the user by taking screenshots of every page the user accessed in real time,” he continued. “They can also blacklist URLs, redirect URLs and more. Same as with the Zeus Trojan, the administrators can supply a code to be injected into Web pages. The Cridex Trojan intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet. This way the cybercriminal can trick the user to enter valuable information the cybercriminal is looking for, without raising suspicion.”

Chechik did not name the specific banks being targeted.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Secure enterprise browser provider Menlo Security has appointed Bill Robbins as President.

Erik Rolf has joined Booz Allen Hamilton as the Business Information Security Officer (BISO) of Commercial Sector.

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.