The next step in Trojan-Spy.Banker evolution

Recently I’ve been doing research in a rather interesting Trojan-Spy.Banker case.
It’s a multi-stage attack and unlike anything I’ve seen before.

First a machine gets infected with a Trojan-Downloader which has some spy functionality. It installs itself by patching two system files – kernel32.dll and wininet.dll.

This Trojan transmits URLs visited by the user to a malicious web server.
If the Trojan detects HTTPS traffic being submitted to the web server, the server instructs the Trojan to download a file. Of course, this file is another Trojan, this time designed to capture the HTTPS traffic, most notable HTTPS traffic from online banking sites. After a while the server instructs the Trojan to download yet another file.And this file will be a dedicated banker Trojan which correspondsd to the bank the victim uses.

Using the HTTPS traffic logger enables cyber criminals to create a dedicated banker Trojan for specific banks. In short, the sophistication of this attack is frightening. It’s tailored for optimum efficiency and bypassing security products. I had hoped that we wouldn’t see this kind of attack at least until next year, but there’s no real predicting malware evolution.

Combatting these new threats is going to be a challenge for all involved parties.

The next step in Trojan-Spy.Banker evolution

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox