A new banking Trojan based on elements of the Zeus malware has been uncovered in the wild going after financial information.
The Trojan, according to security outfit Dr Web, which claims to have found it, tries to induce infected PC users to spill their credentials by performing ‘web injects’. That is to say, the Trojan injects arbitrary content, such as fake forms, into web pages browsed by the user.
"Users don't usually notice the replacement because the resource's URL and design look the same, and the fake form or text is added to the page right on the infected computer," warns Dr Web.
"Banking Trojans can affect customers of many credit organisations because the Trojans get the web inject information directly from a command and control (C&C) server. If a user logs into a website whose address has already been added to the Trojan's configuration, Trojan.PWS.Sphinx.2 injects the content prepared by the cybercriminals."
Once launched, it injects itself into the running Explorer (explorer.exe) process and decrypts the loader body and the configuration file in which the C&C server's address and encryption key are hidden.
The Trojan has a modular architecture, downloading plug-ins from its command-and-control server.
"Two of these modules are designed to perform web injects on 32- and 64-bit versions of Windows, and the other two are for running a VNC server the cybercriminals can use to connect to an infected computer," warns Dr Web.
It also downloads and saves a set of utilities for installing a root digital certificate on the infected PC, so that the certificate can be used to carry out man-in-the-middle attacks, and comes bundled with a keystroke logger.
"Worth highlighting is the unique way in which the Trojan automatically launches itself on an infected machine: Trojan.PWS.Sphinx.2 uses a PHP script and a PHP interpreter.
"The script is executed via a shortcut and placed in the autorun folder by the Trojan. All the information required for the Trojan's operation is encrypted and stored in the Windows system registry. Modules are saved to a separate file with a random extension, which is also encrypted," advises Dr Web.
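The two host-level artefacts the article describes, a shortcut in the Startup folder that runs a PHP interpreter and a root certificate added to the trusted store for man-in-the-middle use, are both easy to triage from a Windows machine. The script below is an added hunting example, not Dr Web's code and not part of the original article. It assumes the interpreter binary name contains "php" (the article only says a PHP interpreter is used), that persistence is a .lnk shortcut in a per-user or all-users Startup folder, and it uses an arbitrary 30-day window when listing root certificates.

```powershell
# Added triage script for the persistence and root-certificate artefacts described above.
# Assumptions (not from the article): the interpreter's file name contains "php",
# persistence is a .lnk file in a Startup folder, and 30 days is the lookback window.

function Get-SuspiciousStartupShortcuts {
    # Both the per-user and the all-users Startup folders are checked.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path $_) }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [string]$lnk.TargetPath
            $args   = [string]$lnk.Arguments
            # Flag shortcuts whose target looks like a PHP interpreter, or which pass a .php
            # script as an argument (assumed naming; adjust to local findings).
            if ($target -match 'php' -or $args -match '\.php(\s|$)') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $target
                    Arguments = $args
                    Created   = $_.CreationTime
                }
            }
        }
    }
}

function Get-RecentRootCertificates {
    param([int]$Days = 30)
    # NotBefore is the certificate's validity start, not the install time; a freshly
    # generated malicious root normally has a recent NotBefore, but legitimate roots
    # shipped by Windows Update can match too, so treat hits as leads to verify.
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotBefore -ge $cutoff } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    Thumbprint = $_.Thumbprint
                    NotBefore  = $_.NotBefore
                }
            }
    }
}

Write-Host '== Startup shortcuts that invoke a PHP interpreter =='
Get-SuspiciousStartupShortcuts | Format-Table -AutoSize

Write-Host '== Root certificates whose validity began in the last 30 days =='
Get-RecentRootCertificates -Days 30 | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the LocalMachine root store is readable. An empty result does not clear a machine (the shortcut name, interpreter name and certificate age are all attacker-controlled), but any hit in either list is worth pulling for further analysis, and the shortcut's target path leads straight to the encrypted module file the article mentions.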
Email-borne threats have exploded in the last year, thanks to the ease with which cyber-criminals can directly make money from infected PCs. While today's cyber-criminals prefer extortion via ransomware, banking Trojans remain a threat.