Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:27 PM
Connect Directly

New Banking Trojan Discovered Targeting Businesses' Financial Accounts

Bugat Trojan spread via the Zbot/Zeus botnet, say SecureWorks researchers

The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.

The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed at mostly business customers of large and midsize banks. It's built for attacks that hack automated clearinghouse (ACH) and wire transfer transactions for check and payment processing -- attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar.

To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. But Jason Milletary, security researcher with SecureWorks' Counter Threat Unit (CTU), says Bugat has some of the same features as other banking Trojans, but with a few twists: It uses an SSL-encrypted command and control (C&C) infrastructure via HTTP-S, and also goes after FTP and POP credentials via those encrypted sessions. Milletary says SecureWorks has witnessed around 1,200 to 3,000 Bogat attack attempts during the past week against its clients. "We saw in the wild that it was being distributed from a specific Zeus botnet," he says. "Oddly enough, its purpose is the same as Zeus ... but it's something not as recognizable as Zeus or that's cheaper [to purchase] in the long term."

Bugat's main targets so far are business financial accounts. "Small and medium-sized businesses get infected ... and then criminals utilize their [stolen] business credentials to initiate payments on wire transfers," he says.

Zeus, which is associated with Zbot botnet, has been notoriously difficult to kill. The powerful Trojan lets attackers wage man-in-the-browser attacks, where the victim is unaware that the attacker has hijacked his Web session, posing as a legitimate bank Website. There, the victim is duped into giving sensitive and valuable credentials and other information.

The Bugat Trojan has some similar attributes, including the ability to grab forms from Internet Explorer and Firefox browsers; steal and delete IE, Firefox, and Flash cookies; browse and upload files from the victim's machine; and download and execute code. It can also delete system files and reboot the infected machine so Windows is unable to boot up.

Because it uses SSL for its C&C pipe, it's more difficult to detect on the network. The botnet is also using the RC4 symmetric key stream cipher embedded in the malware, SecureWorks' Milletary says.

As of now, only about 20 of 51 antivirus scanners are able to detect the new banking Trojan, according to SecureWorks. Bugat's C&C Web server sends it commands and siphons the stolen information. The Trojan also gets a list of targeted URLs in order to monitor the victim's browsing. "These target strings indicate a strong interest in Websites used for business banking and wire transfers," Milletary said in a blog post late yesterday.

Bugat also appears to have some Russian roots: "There are certain indicators that it has Russian-speaking [connections]," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.