Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/9/2010
04:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Banking Trojan Discovered Targeting Businesses' Financial Accounts

Bugat Trojan spread via the Zbot/Zeus botnet, say SecureWorks researchers

The infamous Zbot botnet that spreads the pervasive Zeus Trojan has been seen distributing a brand-new banking Trojan -- one that researchers say could serve as a lower-cost alternative to the popular Zeus and Clampi malware for cybercriminals.

The new Bugat Trojan, which was discovered by researchers at SecureWorks, appears to be aimed at mostly business customers of large and midsize banks. It's built for attacks that hack automated clearinghouse (ACH) and wire transfer transactions for check and payment processing -- attacks in which U.S.-based SMBs and state and local governments are losing an average of $100,000 to $200,000 per day, according to data from Neustar.

To date, Zeus and Clampi Trojans have mostly been used for stealing financial credentials. But Jason Milletary, security researcher with SecureWorks' Counter Threat Unit (CTU), says Bugat has some of the same features as other banking Trojans, but with a few twists: It uses an SSL-encrypted command and control (C&C) infrastructure via HTTP-S, and also goes after FTP and POP credentials via those encrypted sessions. Milletary says SecureWorks has witnessed around 1,200 to 3,000 Bogat attack attempts during the past week against its clients. "We saw in the wild that it was being distributed from a specific Zeus botnet," he says. "Oddly enough, its purpose is the same as Zeus ... but it's something not as recognizable as Zeus or that's cheaper [to purchase] in the long term."

Bugat's main targets so far are business financial accounts. "Small and medium-sized businesses get infected ... and then criminals utilize their [stolen] business credentials to initiate payments on wire transfers," he says.

Zeus, which is associated with Zbot botnet, has been notoriously difficult to kill. The powerful Trojan lets attackers wage man-in-the-browser attacks, where the victim is unaware that the attacker has hijacked his Web session, posing as a legitimate bank Website. There, the victim is duped into giving sensitive and valuable credentials and other information.

The Bugat Trojan has some similar attributes, including the ability to grab forms from Internet Explorer and Firefox browsers; steal and delete IE, Firefox, and Flash cookies; browse and upload files from the victim's machine; and download and execute code. It can also delete system files and reboot the infected machine so Windows is unable to boot up.

Because it uses SSL for its C&C pipe, it's more difficult to detect on the network. The botnet is also using the RC4 symmetric key stream cipher embedded in the malware, SecureWorks' Milletary says.

As of now, only about 20 of 51 antivirus scanners are able to detect the new banking Trojan, according to SecureWorks. Bugat's C&C Web server sends it commands and siphons the stolen information. The Trojan also gets a list of targeted URLs in order to monitor the victim's browsing. "These target strings indicate a strong interest in Websites used for business banking and wire transfers," Milletary said in a blog post late yesterday.

Bugat also appears to have some Russian roots: "There are certain indicators that it has Russian-speaking [connections]," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.