S21sec's ecrime department has detected a "new" banking malware, which appears to be based on the well-known "URLZONE" malware code first detected in 2009. Among the key features of this new malware, we highlight the use of DGA (Domain Generation Algorithm) and ATS (Automated Transfer System) technology to carry out fraudulent transactions.
We have confirmed that this malware appears to affect financial entities in a similar way to other specific botnets of malware families such as Tinba, Kins, Pykbot and Xswkit. This means that they may be operated by the same criminal ring, using similar injects and hiring the ATS.
This botnet currently appears to target only Spanish entities, although the malware may end up being used against entities anywhere in the world, following the pattern of evolution seen in other malware families.
In terms of its operation, it has been noted that, once infection has taken place, HTML injection is used in real time to deceive the infected user through social engineering, so that the user is actually the one who performs the fraudulent transfer to a mule via the ATS system.
Communication with the control panel takes place over "https"; a zlib-compressed configuration update is downloaded, and it is this update that contains the rule definitions.
Email is one of the main distribution methods for this malware. S21sec has, for example, found a sample written in Catalan with a ".pdf.zip" file attached. This compressed file contains the malware.
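As an added illustration (not part of S21sec's report, and not the malware's own code), the following Python triage routine flags email attachments that follow the lure pattern described above: a document-looking double extension such as ".pdf.zip", and executable content inside the archive. The file names and the in-memory sample archive are constructed for the example.

```python
import io
import zipfile

# Extensions that commonly hide an executable behind a "document" name.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def has_double_extension(name):
    """True for names like 'factura.pdf.zip', where a document extension
    precedes the real (archive or executable) extension."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[1] in DOCUMENT_EXTS and "." + parts[2] in (EXECUTABLE_EXTS | {".zip"})


def suspicious_members(zip_bytes):
    """Return names of archive members that are executables or that use a
    document-looking double extension. Raises zipfile.BadZipFile on bad input."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.lower().rsplit(".", 1)[-1]) if "." in name else ""
            if ext in EXECUTABLE_EXTS or has_double_extension(name):
                findings.append(name)
    return findings


def triage_attachment(filename, data):
    """Return a list of reasons the attachment looks like a .pdf.zip style lure."""
    reasons = []
    if has_double_extension(filename):
        reasons.append("attachment name uses a document/archive double extension")
    if filename.lower().endswith(".zip"):
        try:
            bad = suspicious_members(data)
        except zipfile.BadZipFile:
            reasons.append("attachment claims to be a zip but is not a valid archive")
            bad = []
        if bad:
            reasons.append("archive contains executable content: " + ", ".join(bad))
    return reasons


def build_sample():
    """Constructed sample: a zip holding a hypothetical 'documento.pdf.exe' member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("documento.pdf.exe", b"MZ" + b"\x00" * 16)  # fake PE header
    return buf.getvalue()
```

Run `triage_attachment("factura.pdf.zip", build_sample())` to see both the outer double extension and the inner executable reported; a mail gateway rule would quarantine on either finding.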
S21sec will continue to provide updates on this botnet and any other botnet from this family.