While most banking Trojans are indiscriminate in infecting users to gather as many victims/revenues as possible, some have chosen to go the regional route. For example, the Citadel incident in our previous blog post where the target was mainly Japanese users. This time, we are looking at another case that seems to target Eastern Europe.
In the 1st quarter of 2013, we examined what initially looked like a targeted attack using spear phishing emails supposedly from the Ukrainian government. While the email itself and the payload are considered “spam material”, the attachment contains documents that are typically used in targeted attacks.
Our investigation into this campaign revealed the following:
- The operators are using a modified Zeus variant based on leaked source code
- Additional modules that target certain banking systems
- Aside from Zeus, the operators are also using several underground toolkits such as Bleeding Life Exploit Kit, Pony, and Ann Loader
To get a glimpse of how widespread this campaign was, we sinkholed some of the C&C domains for a few days and as we have expected, Eastern Europe (particularly Ukraine and Russia) has the largest number of victim IPs.
Figure 1. Distribution of Victim IPs by Region
Figure 2. Distribution of Victim IPs in Europe
Our research shows that while most banking Trojans target well-known banks (in the US, UK, etc), there are some that prefer a more regional and less conventional approach and by using several tools available underground, the operators were able to carry off their plans. Moreover, it also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.
Our full findings can be found in the research paper titles, The Apollo Campaign: A Gateway to Eastern European Banks.