Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Jericho Botnet Targets Banks And Financial Institutions

Botnet operators seek to steal passwords and credentials for financial gain, Palo Alto Networks researchers say

An emerging botnet is taking aim at banks and financial institutions, according to researchers at Palo Alto Networks.

The botnet, dubbed Jericho, is a variant of well-known banking Trojans such as Jorik, the researchers say. Palo Alto Networks' Wildfire analysis engine has detected more than 42 unique but related banking botnet samples that are part of an ongoing criminal enterprise aimed at stealing passwords and login credentials for financial institutions, they say.

Disassembly of the samples revealed well more than 100 domains targeted by the malware, most of which belong to banking and financial sites.

"Jericho’s background is somewhat interesting," Palo Alto Networks reports. "Infections were delivered from Israeli IP space; however the engineering of the file appears to be of Romanian origin. And there was actually a connection between the two: the vast majority of the URLs used to deliver the malware ended in ierihon [dot] com, and Ierihon is the word for Jericho in Romanian."

Jericho demonstrates a number of behaviors that are designed for stealth, persistence, and avoidance of traditional signature-based approaches to malware detection, the researchers say.

"The malware is able to inject itself into the Windows logon to maintain persistence on the infected host after a reboot," Palo Alto Networks states. "What was a bit more interesting was just how efficient the malware was at injecting itself into valid applications such as Firefox, Chrome, Java, Outlook and Skype, and then repurpose their capabilities. This not only enables the malware to hide within approved applications during run time, but it also means that standard methods for observing Windows API calls are subverted. This allows for a more stealth presence in the system."

Using a combination of a stealthy program and piggybacking on common applications, Jericho has avoided the scrutiny of most antivirus vendors, the researchers said.

"Of the 42 samples analyzed by Palo Alto Networks, the top AV solutions only achieved a 3.2 percent detection rate on the day [of discovery]," Palo Alto Networks says. Twelve of the 42 signatures were not detected at all over a seven-day span.

"This trend seems to indicate that this particular criminal operation is cognizant of the AV coverage for their malware, and has established a delivery strategy that minimizes collection by AV vendors," the researchers say.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "This is the last time we hire Game of Thrones Security"
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-09
An unsafe deserialization vulnerability exists in CA Release Automation (Nolio) 6.6 with the DataManagement component that can allow a remote attacker to execute arbitrary code.
PUBLISHED: 2019-12-09
The CreateID function in packet.py in pyrad before 2.1 uses sequential packet IDs, which makes it easier for remote attackers to spoof packets by predicting the next ID, a different vulnerability than CVE-2013-0294.
PUBLISHED: 2019-12-09
mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may have been freed and then overwritten by a separate thread.
PUBLISHED: 2019-12-09
SQL injection vulnerability in Accentis Content Resource Management System before the October 2015 patch allows remote attackers to execute arbitrary SQL commands via the SIDX parameter.
PUBLISHED: 2019-12-09
Cross-site scripting (XSS) vulnerability in Accentis Content Resource Management System before October 2015 patch allows remote attackers to inject arbitrary web script or HTML via the ctl00$cph_content$_uig_formState parameter.