Some researcher thought it was a law-enforcement sting. Others theorised that it was an elaborate joke. But a call for botnet operators to collaborate on attacking the customers of 30 US financial institutions appears to be a “credible threat”, said security firm McAfee in a report issued on 13 December.
The operation, known as Project Blitzkrieg, was announced in a semi-private underground forum in September, and described by security firm RSA in a blog post in October. The announcement is the “making of the most substantial organised banking-Trojan operation seen to date”, the company stated in its 4 October blog post.
In its own research, McAfee, a subsidiary of Intel, tracked down the command-and-control server used by the hacker vorVzakone, who made the forum announcement. The posting included screenshots that gave McAfee enough evidence to track down the bot software used by the hacker and what appears to be a test of the infrastructure for the attack.
The group used a Trojan known as Gozi Prinimalka, a variant of the Gozi Trojan created in 2008, that has always been used to commit financial fraud. The program was not created by vorVzakone, but an early group that appears to no longer be actively developing the malicious software, said Ryan Sherstobitoff, a researcher with McAfee Labs.
While the Trojan is not new, the calls for collaboration and the improvement to the command-and-control (C&C) server are new, he said.
“Really, what is new is the collaboration and the innovative back-end (C&C server), where he supplies all the information as to the drop accounts, how to transfer money properly, and many other details,” Sherstobitoff said. “What people thought was a joke has ended up being credible.”
McAfee used two identifiers leaked by the images posted online to match the campaign pictured in the images to a specific binary caught by the company’s automated analysis systems. The existence of the malware, which was caught by McAfee in April, suggests that at least some of the claims are real.
The Gozi Prinimalka variant discovered in April by McAfee was first seen in the wild on 29 March and may have infected hundreds of banking customers, according to the report. The latest variant, released in October, is controlled using a C&C server in Romania and has targeted financial institutions exclusively in the United States.
“On 9 September, in the post, he said that he would release the trojan to individuals a couple weeks after they passed an interview,” said Sherstobitoff. “Well, we saw a new Gozi Primimalka campaign spring up in October and end on 30 November with more than 80 victims.”
McAfee expects future attacks to also hit only a modest number of victims to stay under law enforcement’s radar and make it harder to defend against.
“A limited number of infections reduces the malware’s footprint and makes it hard for network defences to detect its activities,” the report stated.
Are you a security pro? Try our quiz!
Originally published on eWeek.
Tesla retreats from pioneering gigacasting manufacturing process, amid cost cutting and challenges at EV giant
No skynet please. After the US, UK and France pledge human only control of nuclear…
Microsoft's AI investments continue in south east Asia, after investments in Japan, Malaysia, Indonesia, as…
New chapter for LastPass as it becomes an independent company to focus on cybersecurity, after…
US FCC seeks to ban Chinese telecom firms at centre of national security concerns from…
Two updates to Anthropic's AI chatbot Claude sees arrival of a new business-focused plan, as…