
S21sec's ecrime department has detected a "new" banking malware, which appears to be based on the well-known "URLZONE" malware code first detected in 2009. Among the key features of this new malware, we highlight its DGA (Domain Generation Algorithm) and the ATS (Automated Transfer System) technology used to carry out fraudulent transactions.
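Because the page describes the malware's DGA only as a feature and not its actual algorithm, a defender's first practical check is a heuristic that flags DGA-like hostnames in DNS or proxy logs. The following is an added example for this post, not S21sec's code; the domain names are constructed, the "second-to-last label" rule is a simplifying assumption (no public-suffix list), and the thresholds are illustrative starting points to be tuned against your own traffic.

```python
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Crude approximation of the registered label: the second-to-last
    DNS label. Assumption for this example; a real tool would use a
    public-suffix list so that 'x.co.uk' is handled correctly."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain: str) -> dict:
    """Per-domain features commonly used to spot algorithmically
    generated names: length, character entropy, vowel and digit ratio."""
    label = registrable_label(domain)
    if not label:
        return {"label": label, "length": 0, "entropy": 0.0,
                "vowel_ratio": 0.0, "digit_ratio": 0.0}
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label),
        "digit_ratio": digits / len(label),
    }


def looks_generated(domain: str, entropy_threshold: float = 3.5,
                    min_len: int = 10, max_vowel_ratio: float = 0.25) -> bool:
    """Flag a domain as DGA-like when its label is long, high-entropy and
    vowel-poor. Thresholds are illustrative assumptions, not tuned values."""
    f = dga_features(domain)
    return (f["length"] >= min_len
            and f["entropy"] >= entropy_threshold
            and f["vowel_ratio"] <= max_vowel_ratio)


def triage(domains) -> list:
    """Return the subset of domains worth analyst attention."""
    return [d for d in domains if looks_generated(d)]


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in DNS logs.
    sample = ["xkqzjvwpltbr.example", "documentation.example", "mail.example"]
    for d in sample:
        print(d, dga_features(d), "FLAG" if looks_generated(d) else "")
```

The heuristic will miss DGAs that build names from dictionary words and will false-positive on some legitimate CDN or tracking hostnames, so treat a hit as a pivot for further investigation (first-seen time, number of distinct hosts querying it, NXDOMAIN rate) rather than as a verdict.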

We have confirmed that this malware appears to impact financial entities in a similar way to other specific botnets of malware families such as Tinba, Kins, Pykbot and Xswkit. This suggests that they may be operated by the same criminal ring, using similar injects and hiring the ATS.

This botnet seems to be targeting Spanish entities only, though this malware may end up targeting entities anywhere in the world, following patterns of evolution similar to those of other malware.

In terms of its operation, it has been noted that, once infection has taken place, real-time HTML injection is used to deceive the infected user through social engineering, so that the user is actually the one who performs the fraudulent transfer to a mule account via an ATS system.

Communication with the control panel takes place over "https", through a zlib-compressed configuration update that is downloaded; it is this update that contains the rule definitions.
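For an analyst who has captured such a configuration update from a sandbox or proxy log, the first step is to inflate it and pull out the rules it carries. The following is an added example written for this post, not S21sec's code and not the malware's real format: the JSON rule structure, the field names and the sample blob are all constructed assumptions; what it does show is the robust part, trying the zlib, gzip and raw-deflate stream variants in turn, since "zlib-compressed" in the wild can mean any of the three.

```python
import json
import zlib

# Constructed sample rule set, standing in for whatever the real update
# carries. The structure and field names are assumptions for this example.
SAMPLE_RULES = {
    "version": 1,
    "rules": [
        {"url_pattern": "*bank.example/*", "action": "inject"},
        {"url_pattern": "*otherbank.example/login*", "action": "inject"},
    ],
}

_WBITS = {
    "zlib": zlib.MAX_WBITS,          # 2-byte zlib header + adler32 trailer
    "gzip": 16 + zlib.MAX_WBITS,     # gzip header + crc32 trailer
    "raw": -zlib.MAX_WBITS,          # bare deflate stream, no framing
}


def build_sample_update(wrapper: str = "zlib", level: int = 6) -> bytes:
    """Constructed config update: JSON rules compressed with the chosen framing."""
    comp = zlib.compressobj(level, zlib.DEFLATED, _WBITS[wrapper])
    return comp.compress(json.dumps(SAMPLE_RULES).encode("utf-8")) + comp.flush()


def inflate_any(blob: bytes):
    """Inflate a captured blob whatever its framing.
    Returns (plaintext_bytes, variant_name); raises ValueError if none fit."""
    for name in ("zlib", "gzip", "raw"):
        try:
            return zlib.decompress(blob, _WBITS[name]), name
        except zlib.error:
            continue
    raise ValueError("blob is not a zlib, gzip or raw deflate stream")


def parse_update(blob: bytes):
    """Inflate and decode a captured update into (variant, rules dict)."""
    raw, variant = inflate_any(blob)
    return variant, json.loads(raw.decode("utf-8"))


def url_patterns(rules: dict) -> list:
    """Extract the URL patterns the rules act on, useful as a watch list
    for which online-banking pages the injects are aimed at."""
    return [r["url_pattern"] for r in rules.get("rules", [])]


if __name__ == "__main__":
    for wrapper in ("zlib", "gzip", "raw"):
        variant, rules = parse_update(build_sample_update(wrapper))
        print(f"framing={variant:<5} patterns={url_patterns(rules)}")
```

In practice, log the detected framing alongside the extracted patterns: a change in framing or in the rule structure between two captured updates is itself a signal that the operators have pushed a new version.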

Email is one of the main distribution methods for this malware. S21sec has, for example, found a sample written in Catalan with a ".pdf.zip" file attached; this is a compressed file that contains the malware.

S21sec will continue to provide updates on this botnet and any other botnet from this family.

S21sec ecrime.

URLZONE reloaded?