Last October, CERTPolska reported detecting a new strain of malware called VBKlip that, whenever a target copied text containing a bank account number to the clipboard, silently replaced that number with one controlled by the authors, so that the funds of the transaction were sent to the attackers' account.
Targets were infected through a targeted phishing campaign whose carefully crafted e-mail content was designed to entice the recipient to open a tainted PDF attachment containing a zip archive with a Windows screen saver file.
New versions of the malware have been detected that do not require any network communication at all, so no network signatures can be written for them, and they use no IP addresses or domain names. The malware also creates no registry entries, and no system activity is detectable apart from the clipboard content replacement.
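Because the clipboard substitution is the only observable artifact described above, a host-side check has to watch the clipboard itself. The following is an added example, not CERTPolska's code or anything from the article: it polls successive clipboard snapshots and raises an alert only when a Polish account number (26 digits, optionally prefixed with "PL") changes while every other character of the copied text stays identical, which is the signature of an in-place swap rather than of the user copying something new. The account numbers in the sample snapshots are constructed (they pass the IBAN mod-97 check but belong to nobody), and the `monitor`, `detect_swap` and `is_valid_pl_account` names are this example's own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Polish account number (NRB / IBAN): optional "PL", then 26 digits, which banks
# usually print in groups separated by spaces or hyphens.
ACCOUNT_RE = re.compile(r"\b(?:PL\s?)?(?:\d[\s-]?){25}\d\b", re.IGNORECASE)


def normalize(raw: str) -> str:
    """Strip grouping characters and the country prefix: 2 check digits + 24-digit BBAN."""
    digits = re.sub(r"[\s-]", "", raw).upper()
    return digits[2:] if digits.startswith("PL") else digits


def is_valid_pl_account(raw: str) -> bool:
    """ISO 13616 mod-97 check, treating the number as a PL IBAN (P=25, L=21)."""
    n = normalize(raw)
    if not (len(n) == 26 and n.isdigit()):
        return False
    rearranged = n[2:] + "2521" + n[:2]   # move "PL" + check digits to the end
    return int(rearranged) % 97 == 1


def find_accounts(text: str) -> List[str]:
    """All account-number-shaped tokens in the text, normalized to 26 digits."""
    return [normalize(m.group(0)) for m in ACCOUNT_RE.finditer(text)]


def text_without_accounts(text: str) -> str:
    return ACCOUNT_RE.sub("<ACCT>", text)


def detect_swap(previous: str, current: str) -> Optional[List[Tuple[str, str]]]:
    """Return (original, replacement) pairs when only the account numbers differ.

    A clipboard whose surrounding text also changed is a new copy by the user,
    not tampering, so it is deliberately ignored.
    """
    if text_without_accounts(previous) != text_without_accounts(current):
        return None
    swapped = [(b, a) for b, a in zip(find_accounts(previous), find_accounts(current)) if b != a]
    return swapped or None


def monitor(snapshots: Iterable[str]) -> List[List[Tuple[str, str]]]:
    """Walk successive clipboard reads and collect every in-place account substitution."""
    alerts: List[List[Tuple[str, str]]] = []
    previous: Optional[str] = None
    for snap in snapshots:
        if previous is not None and snap != previous:
            swap = detect_swap(previous, snap)
            if swap:
                alerts.append(swap)
        previous = snap
    return alerts


# Constructed clipboard snapshots: what a user copied from an invoice, the same
# content on the next poll, the content after a VBKlip-style swap, and an
# unrelated copy that must not trigger an alert.
SNAPSHOTS = [
    "Transfer for invoice 17/2014\nAccount: PL04 1234 5678 9012 3456 7890 1234",
    "Transfer for invoice 17/2014\nAccount: PL04 1234 5678 9012 3456 7890 1234",
    "Transfer for invoice 17/2014\nAccount: PL61 1090 1014 0000 0712 1981 2874",
    "an entirely different clipboard payload",
]

if __name__ == "__main__":
    for swap in monitor(SNAPSHOTS):
        for original, replacement in swap:
            valid = "valid" if is_valid_pl_account(replacement) else "INVALID checksum"
            print(f"ALERT: account {original} replaced in place by {replacement} ({valid})")
```

To run this against the live clipboard, feed `monitor` a generator that reads the clipboard every few hundred milliseconds (for example `pyperclip.paste()` from the pyperclip package, assumed to be installed) instead of the constructed `SNAPSHOTS` list. The checksum is reported rather than used as a filter, because a substituted number that fails the mod-97 check would be rejected by the bank anyway; the dangerous case is a valid replacement, which the text-unchanged heuristic still catches.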
“This edition of VBKlip is very simple. First, it creates a Form, which has one of the dimensions set to zero. It also sets ShowInTaskbar to false, which leads to the malware not being visible in the system, unless users open the Task Manager,” CERTPolska reports.
Samples submitted to VirusTotal were not detected by any of the more than 45 antivirus solutions there, and did not trigger even a single false positive.
“This new version is written in .NET and has a few new ideas which seem to result in the fact that none of the three samples we were able to obtain were detected by any of the antivirus solutions present on VirusTotal. This is what makes this threat especially dangerous to the users.”
“VBKlip is a new kind of malware, which, due to its simplicity and previously unknown behavior makes it a serious threat. It is more difficult to detect by any network IDS/IPS systems, because it simply does not create any traffic to the C&C,” CERTPolska stated.
“Additionally, no antivirus detectability makes it even harder to fight with VBKlip. On the other hand, no persistence means that you simply can restart your computer and get rid of the unwanted behavior.”
So far, all variants that have been found are hardcoded for Polish bank accounts, but that may change in time.