Security Firms Warn Of Potential Banking Trojan Attacks


Security researchers at Trend Micro and RSA are warning about new threats to online banking transactions.

Citadel, a notorious botnet that was partially knocked down in June by legal action taken by Microsoft, is resurfacing in a string of attacks against users of prominent banks in Japan, according to Trend Micro.

The security firm said attacks from variants of the Citadel Trojan have expanded and researchers have traced the IP addresses connected to the underlying command and control servers to data centers in the United States and Europe. Nearly all the infected systems are coming from Japan, Trend Micro said, adding that over a recent six-day period about 20,000 different systems connected to the servers.

[Related: Malware Hijacks Two-Step Verification, Drains Bank Accounts]

"There is still a large number of infected systems still stealing online banking credentials and sending them to the cybercriminals responsible," Trend Micro said in an update issued Monday to its recent threat report. "Citadel variants are well-known for stealing the online banking credentials of users, directly leading to theft."

Microsoft took legal action in June to disrupt the Citadel botnet, which is responsible for spreading the Zeus Trojan family of banking malware. The firm seized the command and control servers, severing ties to approximately 1,400 Citadel botnets, that are believed to be responsible for over half a billion dollars in losses. Both Zeus and Citadel are closely related malware families that have been a problem for the banking industry.

Despite the disruption, exploit toolkits are still available and can be used to easily build new campaigns, according to Trend Micro. The firm said the latest string of attacks used webmail services Gmail, Yahoo, Japan mail and Hotmail to infect victims. Once infected, the cybercriminals steal usernames and passwords to access and drain bank accounts. Affected banks have notified users, but the firm said it expects some users to ignore the warnings.

Security experts say that the botnet operators believed to be behind the majority of the banking attacks are based in the Ukraine or Russia. In addition to malware, the botnets are used to spread spam messages peddling pharmaceuticals.

While longstanding threats such as Zeus and Citadel continue to infect PC users, other security researchers are busy analyzing new malware designed to zero in on banking sessions. RSA said the Hand of Thief Trojan targets all common Linux distributions. The malware was designed to steal form data and act as a back door into systems, but in his analysis of the threat, Yotam Gottesman, a senior security researcher at RSA, said the threat deserves monitoring, but he downplayed the early version of the malware. It appears to be a prototype with little commercial viability, according to Gottesman, who said it cannot properly grab data and can be easily removed from a system.

The malware author claims to be improving the Trojan, adding code injection capability to use it in drive-by attacks, according to Gottesman.

"Hand of Thief has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals," Gottesman wrote.

PUBLISHED SEPT. 3, 2013