Banking Malware: New Challenger to Zeus?

Pandemiya Trojan Could Invigorate Commercial Malware Market

By Mathew J. Schwartz, July 2, 2014.
Daniel Cohen of RSA

The developer behind a new banking Trojan is making an unusual offer: Discerning fraudsters can purchase his financial malware toolkit for just $1,500 - or $2,000 with all bells and whistles included.

So goes the pitch for "Pandemiya," a new financial crimeware offering from a developer known as "Synthetic," which is notable for having been coded completely from scratch. But the malware is less remarkable for its technical capabilities than for the fact that it's being offered for sale by its developer as a standalone crimeware pack product. By comparison, other products are either available for free - most are based on the leaked Zeus source code - or can only be rented via subscription services.

"There is no commercial malware," Daniel Cohen, a fraud expert at RSA, tells Information Security Media Group. "Back in the days of Zeus - 2010, 2011 - there was commercial malware. So, [Synthetic] might be trying to fill that void, by offering service and support, expansion modules and everything that goes with commercial malware."

Pandemiya offers a number of must-have financial malware features, including Web injection capabilities for three different browsers - meaning attackers can interact with banking websites when a user is logged in, but present an interface that obscures malicious activities - plus password-grabbers, task automation, a file grabber, encrypted command-and-control (a.k.a. C&C, C2) communications, and the ability to capture screen grabs. Malware generated using the crimeware package can also be signed, to help prevent it from being hijacked by other fraudsters, or analyzed by information security experts or law enforcement agencies.

For $500 more, however, Synthetic also offers a PE infector to execute malicious routines when an infected Windows system starts up, as well as a reverse proxy and FTP credential stealer.

Commercial Malware: Untapped Market

Given all of the talk of banking malware today, it might sound surprising that very little of it is offered for direct sale - the way a consumer might buy a copy of Microsoft Word or Excel from Amazon.com - although in this case the storefront is more likely a Russian-speaking underground hacking site that accepts payment in bitcoins or some other cryptocurrency.

In part, that's because the market has been flooded with clones. "Because there were so many derivatives of Zeus, and so widely available - even free or close to free - some people were just taking what they could get and running with that," says Cohen.

The decline in commercial malware can also be traced to the arrests of top crimeware kit developers, including the alleged Blackhole mastermind "Paunch" and the developer behind SpyEye, as well as to ongoing botnet takedowns (see Cryptolocker/Gameover takedown).

2012: Citadel Heyday

In fact, there have been few new-malware success stories in the past couple of years. One exception is the malware-as-a-service offering Citadel, for which business boomed throughout 2012. By the end of that year, however, the gang behind Citadel went quiet, stopped offering support, and ended up being banned from the single forum on which it was being offered.

"But we're still seeing the development of Citadel, new versions coming out, so it's safe to say the team is hard at work developing Citadel, but they're not so much selling it commercially," says Cohen. Instead, it's more likely that Citadel's developers are running their own attacks, and thus keeping their entire operation in-house, which makes it harder for law enforcement agencies to infiltrate or disrupt. Security researchers have also seen signs of the Citadel gang loaning their attack infrastructure to other cybercrime gangs.

2013: Linux Malware Dud

Since Citadel, however, little has changed on the banking malware front. According to Cohen, "2013 was really the year of 'Teenage Mutant Ninja Trojans,' we saw a lot of teenage stuff, script-kiddy stuff trying to happen - like Hand of Thief, which was banking malware that was supposed to target Linux operating systems, and that was a dud."

Follow Mathew J. Schwartz on Twitter: @euroinfosec
