Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:00 AM
Connect Directly

New Banking Malware Touts Zeus-Like Capabilities

Scylex malware built from scratch for financial theft, according to an ad in infamous underground forum.

Financial institutions could be in for more trouble of the Zeus-like variety if a new malware kit being promoted in an underground forum is any indication.

The new Scylex malware kit appears designed to enable financial crime on a large scale, a researcher from Heimdal Security of Denmark, said in an alert this week.

An advertisement on Lampeduza, a forum for buying and selling malware, touts Scylex as packing multiple functions including a user-mode root kit, web injects, and a secure socket reverse proxy, Heimdal researcher Andra Zaharia said. So far, there have been no instances of Scylex being actually used anywhere.

The base kit comes at a price tag of $7,500. Those willing to spring an extra $2,000 can get additional functionality such as secure socket support for directing data transfers between a user PC and a malicious server, via a proxy.

The malware kit is also being offered as a premium package for $10,000. For this price, a buyer will get a Hidden Virtual Network Computing (HVNC) module in addition to all of the features available in the other two kits, Zaharia said.

HVNC is a sought-after capability in banking Trojans and basically gives attackers a way to manipulate a victim’s computer remotely to access bank accounts without triggering any alerts.

The purchase price for the malware includes support for up to 8 hours a day and periodic software updates. A new kit that is under development will come with even more functions including capabilities for spreading via  social networks, a DDoS module, and reverse FTP.

“From the looks of it, cybercriminals are trying to engineer the next big thing in financial malware,” Zaharia cautioned. “Their ambition is to replicate the impact that Zeus GameOver had a few years ago,” she said.

The Zeus Trojan first surfaced around 2007 and is believed responsible for infecting tens of millions of computers and draining hundreds of millions of dollars from bank accounts worldwide. The operators of the Zeus Trojan abruptly stopped their campaign about five years ago and released the source code for the malware online prompting scores of me-too banking Trojan in the last few years based on Zeus code.

The authors of Scylex make it clear on their advertisement that the malware is not based on Zeus code. “It is a banking Trojan written 99% from scratch in C++,” they noted in the ad, a copy of which Heimdal posted on its site. “The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”

The malware kit appears designed for those who have solid technical skills, but the authors have made clear that it is available to anyone interested in purchasing it.

This type of malware can usually be bought, with a lifetime license, like in the case of Scylex, or rented for a monthly fee, Zaharia told Dark Reading. The kits “include the malware, a dashboard where the attacker can tweak the settings and tech support,” she said. “Often, the malware comes preloaded with vulnerabilities and targets, but we couldn't say if this is the case or not for Scylex."

“The malware-as-a-service model has been growing in the past years, and with it the marketing efforts as well,” she said. “Since malware is now so readily available, malware creators have to differentiate themselves and present their offer with more transparency than before. Hence the conspicuous advertising.”

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/8/2016 | 9:46:45 AM
Identity theft
Nice article and informative read. Though what is mentioned in this article may sound like another data and identity theft case but actually inreality it is pretty concerning for the evry day users. Hackers are busy hacking the private and sensitive information and if companies of such stature and online security are not safe, I beg to say how can ordinary internet user be secure from these threats. I personally encrypt my files and folders even I do not let my close ones to access those as they are very personal. Also, while carrying out banking transactions and other card involving stuff like booking flights, I make sure to first secure my connection with a vpn server (I use PureVPN) and then carry out trabsactions to avoid any form of leak but that's just not me, everyone should startsecuring their online presence. 
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
A Patriotic Solution to the Cybersecurity Skills Shortage
Adam Benson, Senior VP, Vrge Strategies,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.