New Banking Trojan Discovered Targeting Businesses' Financial Accounts

Bugat Trojan spread via the Zbot/Zeus botnet, say SecureWorks researchers

The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.

The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed mostly at business customers of large and midsize banks. It's built for attacks that hijack Automated Clearing House (ACH) and wire transfer transactions used for check and payment processing -- attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar.

To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. Jason Milletary, security researcher with SecureWorks' Counter Threat Unit (CTU), says Bugat shares many features with other banking Trojans, but with a few twists: It uses an SSL-encrypted command and control (C&C) infrastructure over HTTPS, and it also goes after FTP and POP credentials via those encrypted sessions. Milletary says SecureWorks has witnessed around 1,200 to 3,000 Bugat attack attempts against its clients during the past week. "We saw in the wild that it was being distributed from a specific Zeus botnet," he says. "Oddly enough, its purpose is the same as Zeus ... but it's something not as recognizable as Zeus or that's cheaper [to purchase] in the long term."

Bugat's main targets so far are business financial accounts. "Small and medium-sized businesses get infected ... and then criminals utilize their [stolen] business credentials to initiate payments on wire transfers," he says.

Zeus, which is associated with the Zbot botnet, has been notoriously difficult to kill. The powerful Trojan lets attackers wage man-in-the-browser attacks, in which the attacker hijacks the victim's Web session from inside the browser, without the victim's knowledge, and controls what is presented as the legitimate bank Website. There, the victim is duped into handing over credentials and other sensitive and valuable information.

The Bugat Trojan has some similar attributes, including the ability to grab forms from Internet Explorer and Firefox browsers; steal and delete IE, Firefox, and Flash cookies; browse and upload files from the victim's machine; and download and execute code. It can also delete system files and reboot the infected machine so Windows is unable to boot up.

Because it uses SSL for its C&C channel, Bugat's traffic is more difficult to inspect and detect on the network. The malware also carries the RC4 symmetric stream cipher embedded in its code, SecureWorks' Milletary says.

As of now, only about 20 of 51 antivirus scanners are able to detect the new banking Trojan, according to SecureWorks. Bugat's C&C Web server sends it commands and siphons the stolen information. The Trojan also gets a list of targeted URLs in order to monitor the victim's browsing. "These target strings indicate a strong interest in Websites used for business banking and wire transfers," Milletary said in a blog post late yesterday.
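Two of the details above, the RC4 cipher embedded in the malware and the list of target URLs the Trojan receives, are worth a closer look from the analyst's side. The following Python is an added example written for this page, not Bugat's code and not anything published by SecureWorks: it implements RC4 as specified (key scheduling followed by keystream generation), encrypts a constructed target list under a hypothetical key, and then shows that an analyst holding that same key decrypts the list offline and flags the banking-related entries. The key, the newline-separated layout and the target strings are assumptions made here for illustration; Bugat's real configuration format is not described in the article.

```python
"""RC4 plus a constructed encrypted target-list round trip.

Added example for this page, not Bugat code: rc4() is the standard RC4
algorithm; the key, the config layout and the target URLs below are
constructed stand-ins, because the article does not publish Bugat's own.
"""
from __future__ import annotations


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4; the same call does both directions."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm (KSA): permute S according to the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream into data.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


# Hypothetical key, standing in for one carved out of a sample's binary.
EMBEDDED_KEY = b"example-key-not-from-bugat"

# Constructed target strings on reserved .test domains; not real targets.
SAMPLE_TARGETS = [
    "https://online.example-bank.test/business/login",
    "https://wire.example-bank.test/initiate",
    "https://ach.example-bank.test/batch",
    "https://webmail.example.test/",
    "https://www.example.test/news",
]


def encrypt_config(targets: list[str], key: bytes = EMBEDDED_KEY) -> bytes:
    """Bot-side view: a C&C server hands down the list, one target per line,
    UTF-8 encoded and RC4-encrypted as a whole (constructed layout)."""
    return rc4(key, "\n".join(targets).encode("utf-8"))


def decrypt_config(blob: bytes, key: bytes = EMBEDDED_KEY) -> list[str]:
    """Analyst-side view: recover the target list with the extracted key.

    A wrong key yields keystream-XORed garbage that normally fails UTF-8
    decoding, so the UnicodeDecodeError is left to propagate as a signal.
    """
    return rc4(key, blob).decode("utf-8").split("\n")


# Substrings chosen for this example to single out business-banking targets;
# "ach." and "/ach" are used instead of bare "ach" to avoid matching "cache".
BANKING_MARKERS = ("wire", "ach.", "/ach", "business", "treasury", "cashmanagement")


def banking_related(targets: list[str]) -> list[str]:
    """Return the targets whose URL carries one of the banking markers."""
    return [t for t in targets if any(m in t.lower() for m in BANKING_MARKERS)]


if __name__ == "__main__":
    # Published RC4 known-answer vector: key "Key", plaintext "Plaintext".
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    blob = encrypt_config(SAMPLE_TARGETS)
    recovered = decrypt_config(blob)
    assert recovered == SAMPLE_TARGETS
    for url in banking_related(recovered):
        print("banking-related target:", url)
```

Because RC4 is symmetric, the same rc4() call serves both directions, which is the practical point: a key shipped inside the binary keeps the configuration away from casual network inspection, but not from anyone who can pull the key out of a captured sample. The known-answer check in the main block uses the standard published RC4 test vector.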

Bugat also appears to have some Russian roots: "There are certain indicators that it has Russian-speaking [connections]," he says.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
