Ransom malware merged with bank Trojan in new attack

Fraudsters combine 'Reveton' with Zeus successor Citadel

Adding injury to insult, fraudsters have merged the phenomenon of ransom Trojans with banking malware, producing a hybrid that demands money before attempting to steal user logins.

Noticed by several security firms since the turn of the year, the web drive-by Reveton Trojan tries to coax victims into handing over payments of up to $100 with the warning that they have been found accessing violent and child porn content by the US Department of Justice.

After locking up the PC to gain the user's attention (the sophistication of this is unclear), the malware demands payment using cash transfer services that vary according to the geography of the victim's IP address.

So far the Trojan behaves like one of a growing number of ransom Trojans that have spread across the Internet in the last year, almost certainly the work of the same small family of Russian gangs, according to a recent Trend Micro analysis.

Although not a new Trojan, Reveton's latest sting in the tail is that it now deploys the Citadel banking Trojan as a follow-up attack. A development of the notorious Zeus Trojan that ran amok across online bank websites in 2010, Citadel normally steals logins using man-in-the-browser and key-logging, but can also pilfer corporate logins if configured to do so.

"It is clear from this and similar attacks we have discovered recently that financial malware has achieved a technological level of sophistication which enables it to be used to carry out virtually any type of cyber-attack," said Amit Klein of browser security firm Trusteer.

Just as security defences are becoming more layered, so attackers are adopting the same design principle, combining different attacks into hybrids that can be varied by geography or the type of victim.

"Through a combination of social engineering, data capturing and communication tampering these attacks are being used by criminals to target applications, systems and networks belonging to financial institutions, enterprises, and government agencies," said Klein.

The primary ransom attack has been detected by Microsoft as Trojan:Win32/Reveton.A since February. The malware's fusion with the Citadel Trojan, noticed by Trusteer, appears more recent.

Copyright © 2012 IDG Communications, Inc.