Banking Blitzkrieg: Still a Threat

McAfee Says Prinimalka Trojan Attacks Quietly Continuing
Banking Blitzkrieg: Still a Threat

Although a coordinated blitzkrieg-like malware attack expected to strike 30 U.S. banking institutions this spring has so far apparently failed to materialize, one security expert says banks should nevertheless remain vigilant in their detection and defenses.

See Also: Ransomware: The Look at Future Trends

Operation Blitzkrieg, identified in October by security firm RSA, remains alive and well, says Ryan Sherstobitoff, a researcher at McAfee.

Sherstobitoff says attacks against U.S. banks using Gozi Prinimalka, the Trojan behind the planned blitzkrieg, are quietly continuing, with the most recent infection discovered April 4.

Now the concern is that attacks tied to Blitzkrieg will go undetected because banking institutions are distracted by ongoing distributed-denial-of-service attacks waged against them by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters, he says.

Banking institutions must guard against ignoring the threat that Gozi Prinimalka poses, Sherstobitoff says. As DDoS attacks strike, fraudsters not related to the hacktivists could take advantage of distracted and strained IT and security systems and departments, he warns.

"The last variant of Gozi Prinimalka we saw in the wild that was new was in December 2012," Sherstobitoff says. "But they can take Prinimalka and just repackage it, which means it can get by existing anti-virus systems undetected."

With a simple modification of Prinimalka's binary code, the Trojan becomes an unknown sample to most anti-virus software, he says. So banking institutions need remain vigilant, keep anti-virus software up-to-date and know that Project Blitzkrieg is an ongoing campaign.

"I don't think they're going to launch it in that exact format, which was advertised in the fall, with a massive attack against banks," Sherstobitoff says. "I think there has been and will be a more silent execution of attacks."

Updates about the attacks and the campaign to recruit botmasters are no longer appearing in underground forums, he says. Researchers at RSA also said they had not seen any new information about the blitzkrieg campaign. But since McAfee's systems are continuing to track incidents, Sherstobitoff knows the absence of posts in forums is not an indication that the attacks have stopped.

Spring 2013 Attacks

On Oct. 4, 2012, RSA discovered a new type of malware that closely resembled the legacy man-in-the-middle Trojan known as Gozi. The new Trojan, aimed at 30 U.S. banking institutions, would give hackers the ability to manually set up fraudulent wire transfers in real time, RSA said.

RSA also noted that 100 botmasters were being recruited to help carry out the coordinated attack.

But as time went on, some experts questioned the attack, as well as the motives of its coordinator, a hacker known as vorVzakone, namely because of his public and open recruitment of botmasters, Sherstobitoff told BankInfoSecurity in December.

McAfee, RSA and other security firms, including Trend Micro, subsequently confirmed the legitimacy of the attack. In mid-October, Trend Micro named 26 U.S. institutions it had identified as targets, based on configurations contained in Gozi Prinimalka's code.

In January, federal authorities unsealed the indictments of Nikita Kuzmin, a Russian who created the Gozi virus, and two alleged co-conspirators.

Sherstobitoff at time said the arrests could prove damaging to Blitzkrieg. But ongoing research suggests Gozi Prinimalka attacks linked to Blitzkrieg are alive and well, he now says.

The McAfee researcher will not reveal which banking institutions have been affected by the Trojan so far or how many of those have suffered losses tied to the attacks. But he warns the attacks are continuing.

"We are set up to look for new Prinimalka campaigns, and the telemetry is showing that the most recent infection was just a week ago," he says.

The greatest fear now is that Blitzkrieg attacks are piggy-backing on the DDoS attacks, Sherstobitoff says.

"They could be attacking and hiding in the shadows," he says. "From a conservative figure, we found 500 [PCs] infected [with Prinimalka], but other research suggests it's more like tens of thousands infected. Why would vorVzakone just disappear and give up a successful campaign? There are more attacks going on, They're just more silent, selectively infecting people over a longer period of time."


About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network