TrendLabs Security Intelligence Blog

    Archive for October 20th, 2013

    While most banking Trojans infect users indiscriminately in order to gather as many victims (and as much revenue) as possible, some operators choose a regional route. One example is the Citadel incident described in our previous blog post, where the targets were mainly Japanese users. This time we look at another case that appears to target Eastern Europe.

    In the first quarter of 2013 we examined what initially looked like a targeted attack: spear-phishing emails purporting to come from the Ukrainian government. While the email itself and the payload would ordinarily be classed as "spam material", the attachment contains the kind of documents typically used in targeted attacks.

    Our investigation into this campaign revealed the following:

    • The operators are using a modified Zeus variant based on the leaked Zeus source code
    • The variant carries additional modules that target specific banking systems
    • Aside from Zeus, the operators also use several underground toolkits, including the Bleeding Life Exploit Kit, Pony, and Ann Loader

    To get a sense of how widespread this campaign was, we sinkholed some of the C&C domains for a few days. As expected, Eastern Europe (particularly Ukraine and Russia) accounted for the largest number of victim IPs.
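    The victim-count-by-region figure above comes from aggregating the source addresses that check in to a sinkholed C&C domain. The script below is an added example of that aggregation and is not Trend Micro's tooling: it parses constructed sinkhole log lines (timestamp, contacted C&C host, source IP), drops malformed lines and RFC 1918/loopback sources, counts each IP once no matter how many times or to how many domains it beacons, and maps addresses to a region through a small constructed prefix table that stands in for a real GeoIP database. The domains, IPs, and prefix-to-region assignments are all invented for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sinkhole log (not real campaign data): "<timestamp> <cc_host> <victim_ip>".
# The same victim beacons repeatedly and to more than one sinkholed domain; one line is garbage.
SINKHOLE_LOG = """\
2013-03-04T10:12:01Z cc1.example.invalid 192.0.2.17
2013-03-04T10:12:31Z cc1.example.invalid 192.0.2.17
2013-03-04T10:13:02Z cc2.example.invalid 198.51.100.9
2013-03-04T10:15:44Z cc1.example.invalid 203.0.113.200
2013-03-04T10:16:10Z cc2.example.invalid 192.0.2.17
2013-03-04T10:20:00Z cc1.example.invalid 198.51.100.77
2013-03-04T10:21:13Z cc2.example.invalid 10.0.0.5
this line is malformed and must be skipped
"""

# Constructed prefix-to-region table standing in for a GeoIP lookup (assumption: these
# documentation ranges are treated as "public" victim space purely for the example).
REGION_PREFIXES = [
    (ipaddress.ip_network("192.0.2.0/24"), "Ukraine"),
    (ipaddress.ip_network("198.51.100.0/24"), "Russia"),
    (ipaddress.ip_network("203.0.113.0/24"), "Germany"),
]

# Sources that cannot be a remote victim: RFC 1918 space and loopback.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_sinkhole_log(text):
    """Yield (cc_host, ip) for each well-formed, routable log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # malformed line: wrong field count
        _, cc_host, ip_str = parts
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue                      # not an IP address at all
        if any(ip in net for net in NON_ROUTABLE):
            continue                      # NAT artefact, test traffic, or misconfiguration
        yield cc_host, ip


def region_of(ip):
    """Map an address to a region via the constructed prefix table."""
    for net, region in REGION_PREFIXES:
        if ip in net:
            return region
    return "Unknown"


def unique_victims(text):
    """Set of distinct victim IPs across all sinkholed domains."""
    return {ip for _, ip in parse_sinkhole_log(text)}


def victims_by_region(text):
    """Distinct victim IPs per region; repeated beacons and multi-domain
    check-ins from one IP count as a single victim."""
    return Counter(region_of(ip) for ip in unique_victims(text))


def victims_per_domain(text):
    """Distinct victim IPs seen by each sinkholed C&C host."""
    per_domain = defaultdict(set)
    for cc_host, ip in parse_sinkhole_log(text):
        per_domain[cc_host].add(ip)
    return {host: len(ips) for host, ips in per_domain.items()}


if __name__ == "__main__":
    for region, count in victims_by_region(SINKHOLE_LOG).most_common():
        print(f"{region:10s} {count}")
    print(victims_per_domain(SINKHOLE_LOG))
```

    Two caveats apply to any such count. Shared egress (carrier-grade NAT, corporate proxies) collapses many infected hosts into one IP and undercounts, while dynamic addressing lets one host appear under several IPs over a multi-day sinkhole window and overcounts; the distinct-IP figure is therefore a proxy for victim population, not a census.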

    Figure 1. Distribution of Victim IPs by Region

    Figure 2. Distribution of Victim IPs in Europe

    Our research shows that while most banking Trojans target well-known banks (in the US, the UK, and so on), some take a more regional and less conventional approach. By combining several tools available in the underground, the operators were able to carry out their plans. This also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.

    Our full findings can be found in the research paper titled The Apollo Campaign: A Gateway to Eastern European Banks.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice