Australian banks and other large enterprises are being targeted by the banking trojan Hesperbot. According to ESET, who first detected Hesperbot in November 2013, this is putting at risk the financial information of millions of customers.
Robert Lipovsky, a malware researcher with ESET, told us: "It’s difficult to ascertain why they chose Australia specifically. From what we have seen, the Hesperbot gang has continually been expanding their operations to different regions. The threat was first observed in Turkey and Turkey remains to this day the most targeted country. The Czech Republic is the second most affected country. The Czech campaigns started in September 2013, when we started an active investigation of the botnets. At that time, the other targeted countries were Portugal and the U.K."
Hesperbot spreads via phishing emails and also attempts to infect mobile devices running Android, Symbian and BlackBerry. Detected as Win32/Spy.Hesperbot, the malware has keylogging capabilities, can capture screenshots and video, and can set up a remote proxy.
"As is the case with other botnets, the Hesperbot-infected bot will establish a communication channel with its Command & Control server," said Lipovsky. "Hesperbot binaries, specifically, contain several hard-coded C&C domains, and also include a domain-generation algorithm which can generate 50 additional domains to contact as a backup, in case the hard-coded ones aren’t responding. The domains and DGA change between variants."
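The fallback behaviour described above has a visible side effect on a network: a bot whose hard-coded C&C names fail will walk through its generated backup domains, most of which are unregistered, so the resolver answers a burst of NXDOMAIN responses for random-looking names. The detector below is an added illustration of that signal, not ESET's tooling and not Hesperbot's actual DGA; the log lines, hostnames, window size and threshold are all constructed for the example.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (not from the article): "<timestamp> <client> <qname> <rcode>".
# 10.0.0.5 is ordinary traffic; 10.0.0.9 first fails its "hard-coded" names and then
# walks through a burst of machine-generated fallback names that do not resolve.
_BURST = [
    "".join(chr(97 + (i * 7 + j * 3) % 26) for j in range(12)) + ".com"  # constructed names
    for i in range(25)
]
SAMPLE_LOG = "\n".join(
    ["2013-12-03T10:00:01 10.0.0.5 www.example-bank.com.au NOERROR",
     "2013-12-03T10:00:02 10.0.0.5 static-cdn.example.net NOERROR",
     "2013-12-03T10:00:04 10.0.0.9 primary-cc.example.org SERVFAIL",
     "2013-12-03T10:00:05 10.0.0.9 backup-cc.example.org SERVFAIL"]
    + [f"2013-12-03T10:00:{6 + i:02d} 10.0.0.9 {name} NXDOMAIN" for i, name in enumerate(_BURST)]
)

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def looks_algorithmic(qname: str, min_len: int = 10, min_entropy: float = 3.4) -> bool:
    """Crude DGA heuristic: score the longest label of the name (thresholds are assumptions)."""
    label = max(qname.rstrip(".").split("."), key=len)
    return len(label) >= min_len and label_entropy(label) >= min_entropy

def find_fallback_bursts(log_text: str, window_s: int = 300, threshold: int = 20) -> dict:
    """Return {client: peak count} for clients with >= threshold NXDOMAIN answers to
    algorithmic-looking names inside any window_s-second window (20 < the 50 backup names)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_algorithmic(qname):
            per_client[client].append(datetime.fromisoformat(ts))
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Because the domains and the DGA change between variants, a resolver-side heuristic like this one keys on the failure pattern rather than on any specific domain list.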
The attackers aim to obtain log-in credentials that give them access to the customer's bank account, and attempt to lure users into installing a mobile component of the malware on their Symbian, BlackBerry or Android phone.
The trojan is able to update itself, execute new modules and receive configuration files. It can also exfiltrate data from the infected host. The data it targets includes login credentials intercepted by the form-grabber component, keylogger logs and a video consisting of captured screenshots of the login sequence to online banking.
Lipovsky says that targeted individuals are lured into installing the mobile component themselves through social engineering. The web-injection component will, based on the configuration file, modify specified online banking websites to include a fraudulent web form. This form gives instructions to install a new security module on the user’s smartphone that the bank has purportedly issued.
"In the Australian case, it’s called 'NetCode Smartphone Security'. Of course, this is all false and installing this application leads to an infected smartphone," he said.
Robert Lipovsky, an ESET malware researcher who leads the team analysing this threat, says that Hesperbot has "similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known Trojan".
ESET researchers have found over the past few weeks that Hesperbot activity has roughly doubled in comparison to the average number of detections from the previous weeks.
Australia is the third most affected country by Hesperbot, with Turkey and the Czech Republic claiming the unwanted crown as the most affected countries.
This article is brought to you by Enex TestLab, content directors for CSO Australia.