Researchers at CSIS have identified a powerful new strain of banking malware based on ZeuS source code that is known to be targeting major banks including Bank of America, Natwest, Citibank, RBS, and Ulsterbank, to name just a few.
“The code is designed to work similarly to ZeuS and, like most online banking threats, it supports browser hooking for Internet Explorer, Chrome and Firefox and harvests data at any point an infected user connects to the targets specified in the malware,” wrote CSIS’s Peter Kruse.
The Dyreza malware is being distributed through spam email campaigns that use a variety of lures to get recipients to open a malicious attachment, which infects the system when opened. The malware also includes several advanced evasion capabilities.
“Next up, it connects to the C&C server with a GET request e.g. GET /cho1017/[%unique ID%] and with the browser agent string: ‘Wget/1.9’. The binary code is packed with a cryptor to avoid AV detection and to trouble analysis,” Kruse said.
“Whenever this code is executed, it will beacon back to its C&Cs. We managed to locate several of these and even obtained access to parts of the server which revealed a customized ‘money mule’ panel with several accounts in Riga, Latvia.”
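The beacon Kruse describes (a GET to /cho1017/&lt;unique ID&gt; with the User-Agent string “Wget/1.9”) is a pattern a defender can hunt for in proxy or web-server logs. The following is an added example, not CSIS code, that scans combined-log-format lines for both indicators together; the log format and the sample lines are constructed, and requiring both indicators avoids flagging legitimate old wget clients on the agent string alone.

```python
import re
from dataclasses import dataclass

# Combined log format: client, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Beacon shape reported by CSIS: GET /cho1017/<unique id> with User-Agent "Wget/1.9".
BEACON_PATH_RE = re.compile(r'^/cho1017/[A-Za-z0-9_-]+$')
BEACON_AGENT = "Wget/1.9"


@dataclass
class Hit:
    client: str
    path: str
    agent: str
    reasons: tuple


def classify(line):
    """Return a Hit when a log line shows BOTH beacon indicators, else None.
    The agent alone is just an old wget; the path prefix alone could be coincidence."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable log line
    reasons = []
    if m['method'] == 'GET' and BEACON_PATH_RE.match(m['path']):
        reasons.append('path matches /cho1017/<id>')
    if m['agent'] == BEACON_AGENT:
        reasons.append('user-agent Wget/1.9')
    if len(reasons) == 2:
        return Hit(m['client'], m['path'], m['agent'], tuple(reasons))
    return None


def scan(lines):
    """Run classify() over every line and keep only the hits."""
    return [h for h in (classify(l) for l in lines) if h]


# Constructed sample log lines (not real traffic): one true beacon, one benign
# page load, one legitimate wget download, one partial match on the path only.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2014:10:01:07 +0000] "GET /cho1017/ABCD1234EF HTTP/1.1" 200 512 "-" "Wget/1.9"',
    '10.0.0.7 - - [12/Jun/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2014:10:01:11 +0000] "GET /dist/tool.tar.gz HTTP/1.1" 200 9000 "-" "Wget/1.9"',
    '10.0.0.5 - - [12/Jun/2014:10:02:07 +0000] "GET /cho1017/ABCD1234EF HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.path} ({hit.agent}): {', '.join(hit.reasons)}")
```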
The attackers use a man-in-the-middle (MitM) technique to control the traffic flow from infected systems, which lets them read all transmitted data, including traffic the victim believes is protected by SSL, and to circumvent two-factor authentication.