
New Trojan Attacks Clients At Four Worldwide Banks


By Stefanie Hoffman, ChannelWeb

8:10 PM EST Thu. Dec. 13, 2007
Like Mr. Frankenstein, a new strain of Trojan is taking on a life of its own, becoming more sophisticated, specialized and destructive. A recently discovered banking Prg Trojan is successfully lifting millions of dollars from thousands of commercial banking clients around the world.

"It's actually some state of the art banking fraud code. I was very surprised at how sophisticated it was," said Don Jackson, senior security researcher for SecureWorks, who discovered the original Trojan in June. "This is going a step further. It's an evolution of the man-in-the-middle, post authentication attacks. This one takes all the steps a user would take."

Unlike other forms of the Prg Trojan, this new variant of malware is specifically designed to commit banking fraud, security experts say. "What makes this stand out is that it's a variant," said Derek Manky, security research engineer at Fortinet. "It has been around for a while. But (the attackers) are refining this. They're trying to make it better."

Hackers are wasting no time in using the new malware to target 20 of the leading banks in the U.S., U.K., Spain and Italy. Researchers have determined that the banking variant has been designed and is being used by the Russian UpLevel hacking group and some German affiliates, who are staging their attacks from data centers in Moscow, Russia and Mumbai, India.

The attack takes a two-pronged approach, security researchers say. The hackers initially infect their victims through malicious links embedded in e-mails and via IFRAMES found on specialty Web sites, which in turn lead to the first generic, info-stealing Trojan. Once a victim is infected, everything the victim enters into the browser is retrieved and sent to a server.

Hackers then comb through the copious amounts of data collected, looking for signs of large-scale commercial bank transactions. Once suitable victims are found, they are targeted with a well-crafted spear phishing e-mail that purports to be from their bank. Phony e-mails in the past have claimed to offer a new soft token or client certificate that victims must use in order to continue their commercial banking.

Once the Prg Trojan is downloaded, it reports back to the command-and-control server that it is installed and ready to receive new code. The infected computer tells the attackers exactly which bank the victim has an account with, and the attackers then feed code to the victim's computer that tells the Trojan how to simulate actual online transactions, such as wire transfers or bill payment, specific to that particular financial institution.

The Trojan then alerts its creators when online banking transactions begin, enabling them to piggyback on the session and compromise the commercial account without having to access the victim's user name or password.

"It's so advanced, there's not even a pattern. There're no signatures for it," said Jackson. "This specific variant has turned off the information stealing part. It's turned off so that we don't see it talking on the network."

To avoid the bank's fraud alerts, the Trojan simulates keystrokes and visits all of the bank's Web pages in order, as an actual banking client would do while conducting a financial transaction. The malware also allows for changes if the hackers need to designate a new account number for the stolen revenue, without having to completely reconfigure the Prg Trojan.

"We're seeing new methods of this (Trojan) evolving," said Manky, adding that if a user is not equipped with proper controls and software, "every Web site you go to, you're vulnerable to these types of exploits. They're obviously quite successful."

Security experts say that so far the hackers are following the money by solely targeting commercial enterprises. Since it was discovered in June, SecureWorks researchers have come across caches of stolen data that include social security numbers, bank account information and online payment accounts from at least 10,000 victims. Security researchers say that they are currently working with law enforcement agencies to track the Trojan's perpetrators.

"Businesses assume all of the responsibility," said Jackson. "But most of the times banks give the businesses back the money. Banks are also the victims because they choose to protect their customers. This Trojan can clean out their six-figure balance faster than anything else I've seen."

Security experts predict that future variants of this Trojan will likely be more Web-based as spam filters become more sophisticated. Attackers will also find more advanced mechanisms to enhance their seeding.

"This is definitely not the last of this that we'll see," said Manky.

 