Ecrime

S21sec's ecrime department has detected a "new" banking malware which appears to be based on the well-known "URLZONE" malware code first detected in 2009. Among the key features of this new malware, we highlight the use of a DGA (Domain Generation Algorithm) and of ATS (Automated Transfer System) technology for carrying out fraudulent transactions.

We have confirmed that this malware appears to impact financial entities in a similar way to other specific botnets of malware families such as Tinba, Kins, Pykbot and Xswkit. This suggests that they may be operated by the same criminal ring, using similar injects and hiring the same ATS.

This botnet currently seems to be targeting Spanish entities only, though this malware may end up being used against any other entity worldwide, following evolution patterns similar to those of other malware.

In terms of its operation, it has been noted that, once the infection has been carried out, HTML injection is used in real time to deceive the infected user through social engineering, so that the user is actually the one who performs the fraudulent transfer to a mule by means of an ATS system.

Communication with the control panel is carried out over "https", through a zlib-compressed configuration update that is downloaded; it is this update that contains the rule definitions.

Email is one of the main distribution methods for this malware. S21sec has, for example, found a sample written in Catalan with a ".pdf.zip" file attached; this compressed file contains the malware.

S21sec will continue to provide updates on this botnet and any other botnet from this family.

S21sec ecrime.
