
8/15/2016
09:00 AM

New Banking Malware Touts Zeus-Like Capabilities

Scylex malware built from scratch for financial theft, according to an ad in infamous underground forum.

Financial institutions could be in for more trouble of the Zeus-like variety if a new malware kit being promoted in an underground forum is any indication.

The new Scylex malware kit appears designed to enable financial crime on a large scale, a researcher from Heimdal Security of Denmark said in an alert this week.

An advertisement on Lampeduza, a forum for buying and selling malware, touts Scylex as packing multiple functions including a user-mode rootkit, web injects, and a secure socket reverse proxy, Heimdal researcher Andra Zaharia said. So far, there have been no instances of Scylex actually being used anywhere.

The base kit comes at a price tag of $7,500. Those willing to spring an extra $2,000 can get additional functionality such as secure socket support for directing data transfers between a user PC and a malicious server, via a proxy.

The malware kit is also being offered as a premium package for $10,000. For this price, a buyer will get a Hidden Virtual Network Computing (HVNC) module in addition to all of the features available in the other two kits, Zaharia said.

HVNC is a sought-after capability in banking Trojans and basically gives attackers a way to manipulate a victim’s computer remotely to access bank accounts without triggering any alerts.

The purchase price for the malware includes support for up to 8 hours a day and periodic software updates. A new kit that is under development will come with even more functions, including capabilities for spreading via social networks, a DDoS module, and reverse FTP.

“From the looks of it, cybercriminals are trying to engineer the next big thing in financial malware,” Zaharia cautioned. “Their ambition is to replicate the impact that Zeus GameOver had a few years ago,” she said.

The Zeus Trojan first surfaced around 2007 and is believed responsible for infecting tens of millions of computers and draining hundreds of millions of dollars from bank accounts worldwide. The operators of the Zeus Trojan abruptly stopped their campaign about five years ago and released the source code for the malware online, prompting scores of me-too banking Trojans based on Zeus code in the last few years.

The authors of Scylex make it clear on their advertisement that the malware is not based on Zeus code. “It is a banking Trojan written 99% from scratch in C++,” they noted in the ad, a copy of which Heimdal posted on its site. “The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”

The malware kit appears designed for those who have solid technical skills, but the authors have made clear that it is available to anyone interested in purchasing it.

This type of malware can usually be bought with a lifetime license, as in the case of Scylex, or rented for a monthly fee, Zaharia told Dark Reading. The kits “include the malware, a dashboard where the attacker can tweak the settings and tech support,” she said. “Often, the malware comes preloaded with vulnerabilities and targets, but we couldn't say if this is the case or not for Scylex.”

“The malware-as-a-service model has been growing in the past years, and with it the marketing efforts as well,” she said. “Since malware is now so readily available, malware creators have to differentiate themselves and present their offer with more transparency than before. Hence the conspicuous advertising.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
lorraine89 (User Rank: Ninja), 9/8/2016 | 9:46:45 AM
Identity theft
Nice article and informative read. Though what is mentioned in this article may sound like another data and identity theft case, in reality it is pretty concerning for the everyday user. Hackers are busy hacking private and sensitive information, and if companies of such stature and online security are not safe, I beg to say how can an ordinary internet user be secure from these threats. I personally encrypt my files and folders; I do not even let my close ones access those as they are very personal. Also, while carrying out banking transactions and other card-involving stuff like booking flights, I make sure to first secure my connection with a VPN server (I use PureVPN) and then carry out transactions to avoid any form of leak, but that's just not me, everyone should start securing their online presence.