Recently I’ve been doing research in a rather interesting Trojan-Spy.Banker case.
It’s a multi-stage attack and unlike anything I’ve seen before.
First a machine gets infected with a Trojan-Downloader which has some spy functionality. It installs itself by patching two system files – kernel32.dll and wininet.dll.
This Trojan transmits URLs visited by the user to a malicious web server.
If the Trojan detects HTTPS traffic being submitted to the web server, the server instructs the Trojan to download a file. Of course, this file is another Trojan, this time designed to capture the HTTPS traffic, most notable HTTPS traffic from online banking sites. After a while the server instructs the Trojan to download yet another file.And this file will be a dedicated banker Trojan which correspondsd to the bank the victim uses.
Using the HTTPS traffic logger enables cyber criminals to create a dedicated banker Trojan for specific banks. In short, the sophistication of this attack is frightening. It’s tailored for optimum efficiency and bypassing security products. I had hoped that we wouldn’t see this kind of attack at least until next year, but there’s no real predicting malware evolution.
Combatting these new threats is going to be a challenge for all involved parties.
The next step in Trojan-Spy.Banker evolution