New banking malware spotted with Phishing attack

Armed with new tools, criminals have moved from Dropbox to Cubby


Researchers have discovered a previously unknown banking Trojan attached to an active phishing campaign that started earlier this month.

The phishing campaign in question was discovered by researchers at PhishMe. Initially, those responsible hosted malware on Dropbox accounts and pointed victims to the files using a number of phishing lures, including fax reports, business complaint notices, fake invoices, and payment advice notices.

Since the initial reports, the campaign has shifted gears and started using Cubby, a cloud-based file hosting service (similar to Dropbox) maintained by LogMeIn to host files.

However, that isn't the only change. According to researchers, the campaign is delivering a banking Trojan that was previously unknown, and there's evidence that the change-up has been successful.

Ronnie Tokazowski, senior researcher at PhishMe, says the new malware not only bypasses SSL within Firefox, Chrome, and Internet Explorer (using hooks), it also targets RBS, Citibank, Bank of America, NatWest, and Ulster Bank.

Browser hooking is an effective technique used by banking malware, as it allows an attacker to bypass the normal protections offered by SSL (it redirects in the background), while the user sees nothing out of the ordinary.

"By using a sleight of hand, the attackers make it appear that you’re still on the website and working as HTTPS. In reality your traffic is redirected to the attacker's page," Tokazowski noted.

Researchers at CSIS added to this detail, noting that by hooking the browser, the attackers are able to act as a man-in-the-middle, and control all traffic that moves to and from the infected system. In addition to directing the victim to a website they control, the attackers can also use this process in an attempt to circumvent two-factor authentication.

"Our [intelligence] shows that the group behind these attacks is likely to push/distribute a new campaign as a 'Flash Player update.' Still it's unclear if this is provided as a 'Crime as a Service' or if it's a full circle criminal outfit. We believe this is a new banker Trojan family and not yet another offspring from the Zeus source code," a CSIS blog on the phishing emails added.

Antivirus firms initially had low detection levels based on signatures alone (though most were able to catch the malware in other ways), but that changed late in the day on Monday. Currently, a majority of antivirus products will detect the new Trojan upon access.

During the Dropbox phase of the campaign, which focused on ransomware, it's been suggested that the attackers potentially infected some 350,000 systems, earning upwards of $62,000 USD in ransom payments. Even if half of the infected systems are security researchers, that's still a high number of victims for a single phishing campaign.

A report from OpenDNS shows that traffic to the malicious URLs used in this latest campaign has jumped. In one example, traffic to a rogue Bank of America domain climbed 55 percent in just a few days, based on a sample equal to about 2-4 percent of the Web's traffic.

Such success isn't shocking.

A recent study from IBM says that 95 percent of all attacks against an organization involved some type of human error, such as an employee clicking on a malicious link or opening a malicious attachment. Expanding that metric to include users at home isn't a stretch; in fact, the numbers are likely to increase.

In the meantime, organizations can protect themselves by blocking the following IPs and encouraging users to avoid questionable emails, especially if they relate to invoices and taxes.

85.25.148.6

217.12.207.151

192.99.6.61

Additionally, one of the indicators of compromise in this attack is a series of double POST events within a short amount of time, something that an IDS can be configured to watch for.

Traffic to Cubby could also be an indicator, especially if the service is a rarity on the network, as well as downloads of ZIP files named "documents" or "invoice."
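The network indicators above (double POSTs in a short window, traffic to Cubby, ZIP downloads named "documents" or "invoice") together with the three listed IPs, turned into a small log check as an added example; this is not code from the article, PhishMe or CSIS. It runs over constructed proxy log lines; the log format, the cubby.com hostname and the 30-second window used to define a "double POST" are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): timestamp client method URL status
SAMPLE_LOG = """\
2014-08-19T10:00:01 10.0.0.5 GET https://www.example.com/ 200
2014-08-19T10:00:07 10.0.0.5 GET https://www.cubby.com/p/_/invoice.zip 200
2014-08-19T10:00:20 10.0.0.5 POST http://85.25.148.6/gate.php 200
2014-08-19T10:00:22 10.0.0.5 POST http://85.25.148.6/gate.php 200
2014-08-19T10:05:00 10.0.0.9 POST https://intranet.example.com/login 302
2014-08-19T10:09:00 10.0.0.9 POST https://intranet.example.com/login 302
"""

BLOCKED_IPS = {"85.25.148.6", "217.12.207.151", "192.99.6.61"}  # from the article
FILE_HOST = "cubby.com"                  # assumed hostname of the Cubby service
SUSPECT_ZIPS = {"documents.zip", "invoice.zip"}
DOUBLE_POST_WINDOW = timedelta(seconds=30)   # assumed "short amount of time"

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def parse(log_text):
    """Yield (timestamp, client, method, parsed_url); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        yield datetime.fromisoformat(ts), client, method, urlparse(url)

def find_indicators(log_text, window=DOUBLE_POST_WINDOW):
    """Return (indicator, client, detail) tuples for each hit, in log order."""
    alerts, last_post = [], {}
    for ts, client, method, url in parse(log_text):
        host = url.hostname or ""
        if host in BLOCKED_IPS:
            alerts.append(("blocked_ip", client, host))
        if host == FILE_HOST or host.endswith("." + FILE_HOST):
            alerts.append(("cubby_traffic", client, host))
        name = url.path.rsplit("/", 1)[-1].lower()
        if name in SUSPECT_ZIPS:
            alerts.append(("suspect_zip", client, name))
        if method == "POST":
            key = (client, host, url.path)      # same client posting to the same endpoint
            prev = last_post.get(key)
            if prev is not None and ts - prev <= window:
                alerts.append(("double_post", client, host))
            last_post[key] = ts
    return alerts

if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```

On the sample, host 10.0.0.5 trips every indicator while 10.0.0.9's two logins, four minutes apart, do not count as a double POST.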
