
Regional Banking Threats: The Apollo Campaign

  • Posted on:October 20, 2013 at 10:33 pm
  • Posted in:Malware
  • Author:
    Jessa De La Torre (Senior Threat Researcher)

While most banking Trojans infect users indiscriminately in order to gather as many victims (and as much revenue) as possible, some operators have chosen to go the regional route. One example is the Citadel incident covered in our previous blog post, where the targets were mainly Japanese users. This time, we are looking at another case that appears to target Eastern Europe.

In the first quarter of 2013, we examined what initially looked like a targeted attack using spear-phishing emails purportedly from the Ukrainian government. While the email itself and the payload would be considered “spam material,” the attachment contains documents of the kind typically used in targeted attacks.

Our investigation into this campaign revealed the following:

  • The operators are using a modified Zeus variant based on the leaked Zeus source code
  • The Trojan is accompanied by additional modules that target certain banking systems
  • Aside from Zeus, the operators are also using several underground toolkits, such as the Bleeding Life Exploit Kit, Pony, and Ann Loader

To get a glimpse of how widespread this campaign was, we sinkholed some of the C&C domains for a few days. As we expected, Eastern Europe (particularly Ukraine and Russia) had the largest number of victim IPs.

Figure 1. Distribution of Victim IPs by Region

Figure 2. Distribution of Victim IPs in Europe

Our research shows that while most banking Trojans target well-known banks (in the US, the UK, and so on), some prefer a more regional and less conventional approach. By combining several tools available in the underground, the operators were able to carry out their plans. This also demonstrates that cybercriminals are always looking for alternative ways to adapt to defenses.

Our full findings can be found in the research paper titled The Apollo Campaign: A Gateway to Eastern European Banks.

Tags: apollo, Europe, online banking
