Banking Trojan Harvests Newspaper Readers Credentials

Published: 22/11/2024   Category: security




Financial malware performs brute-force guesses of valid usernames and passwords, possibly for attacks against consumer bank accounts.



Beware financial malware that's trying to harvest usernames and passwords from a major newspaper's website.

That unusual warning comes by way of security firm ESET, which said it's observed financial malware known variously as Gataka and Tatanga being used in four recent attack campaigns. Targets include banks in Germany and the Netherlands, as well as an attack that's trying to obtain accounts on a major U.S. newspaper's website by performing brute-force guesses of usernames and their passwords, said Jean-Ian Boutin, a malware researcher at ESET. If this process is successful, the account information could possibly then be used to harvest private information or access paid content.
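The brute-force guessing described above is something the targeted site's own logs can reveal. The following is an added detection example, not ESET's or S21sec's code and not tied to any real newspaper site: it parses a constructed login-log format (an assumption), then flags source addresses that either hammer one account with many failures in a short window (password guessing) or cycle through many distinct usernames (username enumeration or credential stuffing). Thresholds, the log format and the sample lines are all constructed for illustration.

```python
"""Detect brute-force and credential-stuffing login attempts in web login logs.

Added example for this article; not code from ESET, S21sec or any newspaper site.
The log format, thresholds and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log record for a login attempt (constructed format):
#   <client ip> [<ISO timestamp>] "POST /login" <http status> user=<username>
# where status 401 denotes a failed login.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /login" (?P<status>\d{3}) user=(?P<user>\S+)$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "user": m["user"],
    }


def find_bruteforce(lines, window=timedelta(minutes=5), max_failures=10, max_users=5):
    """Return one alert per suspicious source IP.

    A source is flagged when its failed logins inside any sliding `window`
    exceed `max_failures` (password guessing against one or few accounts), or
    when it fails against more than `max_users` distinct usernames (credential
    stuffing / username enumeration). Successful logins are not counted.
    """
    events = [e for e in map(parse_line, lines) if e and e["status"] == 401]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: largest number of failures that fit inside `window`.
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        users = {e["user"] for e in evs}
        if peak > max_failures or len(users) > max_users:
            alerts.append({
                "ip": ip,
                "kind": "credential_stuffing" if len(users) > max_users else "password_guessing",
                "failures_in_window": peak,
                "distinct_users": len(users),
            })
    return alerts


def _line(ip, ts, status, user):
    """Build one constructed log line in the assumed format."""
    return f'{ip} [{ts}] "POST /login" {status} user={user}'


# Constructed sample log: one guesser hitting a single account, one host cycling
# through many usernames, and one legitimate user who mistypes once.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"2024-11-22T10:00:{i * 5:02d}", 401, "alice") for i in range(12)]
    + [_line("198.51.100.7", f"2024-11-22T10:{i * 3:02d}:00", 401, f"reader{i}") for i in range(8)]
    + [_line("192.0.2.9", "2024-11-22T10:05:00", 401, "bob"),
       _line("192.0.2.9", "2024-11-22T10:05:30", 200, "bob")]
)

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two behaviours are reported separately because the response differs: a single-account guesser is handled by per-account lockout or rate limiting, whereas a source walking through many usernames is better met with per-source throttling and a check of which accounts later see a successful login from that address.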
In all the campaigns, ESET observed the malware connecting with between three and ten different hacked Web pages, which served as proxies for the botnet's command-and-control (C&C) server. Boutin estimated that the underlying botnet contained somewhere between 20,000 and 40,000 infected hosts, with the vast majority of compromised (or "zombie") PCs located in Germany.
The Gataka malware itself was first detailed by S21sec in February 2011. The security firm dubbed the Trojan application, written in C++, as being rather sophisticated given its ability to hide on infected systems. It does that in part by downloading encrypted modules, in the form of DLL files, after it infects a system. According to S21sec, these modules or plug-ins offer additional functionality and are decrypted in memory when injected into the browser or other processes to avoid detection by antivirus software.
"In fact, when only the main component is present, there is not much functionality available to the bot-master," said ESET's Boutin. "In addition, the malware in many cases also downloaded HTTP injection configuration, providing customized attack capabilities for targeted sites."

S21sec has likened the malware, aimed at banks in Germany, Portugal, Spain, and the United Kingdom, to SpyEye, noting that it can perform automatic transactions, retrieving the mules [the latest information on details of legitimate bank accounts used by criminals and their money mules to launder stolen funds] from a server, and spoofing the real balance and banking operations of the users.

"Depending on the targeted bank, the Trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction [succeed] in the user session," said S21sec. In some cases the requested credentials include the [over the phone] mobile key, meaning the malware can run a social-engineering attack to trick users into sharing a one-time PIN sent by their bank, to be used to authorize a transaction initiated by the malware.

Once the malware infects a system, it can also grab email addresses, detect and delete other installed malware (including Zeus), encrypt its communications with C&C servers, and record all HTTP traffic. To do that, a malware module known as Interceptor "creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined," according to ESET. "In the case of HTTPS traffic, fake certificates--encrypted in the plug-in resources--are used between the client and the proxy server," ESET explained. "The browser certificate checking functions are also patched, in an attempt to hide to the user that fake certificates are used."

The malware also offers both 32-bit and 64-bit support and defenses against virtual machines; blocks Trusteer Rapport in-browser security software from being downloaded; dumps online banking pages and sends them to the C&C server to facilitate future attacks; records lists of sites visited (and, on designated sites, also video); and injects JavaScript into visited Web pages to launch man-in-the-browser (MitB) attacks that try to bypass SMS-based transaction authorizations.

Gataka is compatible with nine browsers: Internet Explorer, Firefox, Chrome, Opera, Safari, Konqueror, Maxthon, Minefield, and Netscape.

Whoever is behind the malware also offers frequent updating. "When communicating with the C&C, the client provides a list containing all its installed plug-ins and their versions," said Boutin. "The server can then send updated or new plug-ins to the Trojan. In one of [Gataka's] campaigns that we followed, we observed updates to the main component every two to three days, while the plug-ins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software."

The malicious code highlights how, when it comes to malware, would-be attackers have multiple options. "Gataka might not be as widely deployed by bot masters as SpyEye or Zeus, but it can achieve similar goals," said Boutin. "Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell."