New Banking Trojan Targets Online Accounts

Add 'Bugat' to List of Malware Focused on ACH, Wire Transfers
An Atlanta-based security research firm has discovered a new banking Trojan that can be added to the growing list of malware targeting ACH and wire payments.

The Counter Threat Unit at SecureWorks is calling this new malware "Bugat," and it is capable of capturing information entered in web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials.

Add Bugat to the malware roster with the Zeus Trojan and Clampi, which already have been identified as being used to steal banking credentials from small to medium businesses in recent months.

In 2009, the number of mid-sized businesses hit with ACH fraud grew exponentially, leading banking regulators and ACH associations to send out alerts to the financial services industry. Most recently, a town in New York had hundreds of thousands of dollars taken by hackers via fraudulent ACH transactions.

What Can Bugat Do?

According to Jason Milletary, SecureWorks' technical director for malware analysis, Bugat can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.

How it operates: the Bugat Trojan communicates with a command and control server, from which it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

"The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals," Milletary writes in a SecureWorks blog entry. By mid-January, the new malware already had updated its configuration data to include new financial targets, and the installer for Bugat had moderate coverage, Milletary says. It also had almost no anti-virus recognition. He adds that Bugat comes with capabilities commonly found in malware used to commit credential theft for financial fraud.

"These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications," he says.

Bugat joins the growing list of malware targeting financial institution customers. Recently, security vendor Symantec warned of a new Zeus-like crimeware toolkit called SpyEye. Even worse is the news that only about 50 percent of these types of malware are detected by up-to-date anti-virus software. The number of computers already infected with banking Trojans is not fully known, but Uri Rivner, a security researcher at RSA's Israel security center, predicts that the number of computers infected with the Zeus Trojan, estimated at 3 million worldwide, "is more likely near 9 to 10 million."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
