
New Banking Malware Touts Zeus-Like Capabilities

Scylex malware was built from scratch for financial theft, according to an ad in an infamous underground forum.

Financial institutions could be in for more trouble of the Zeus-like variety if a new malware kit being promoted in an underground forum is any indication.

The new Scylex malware kit appears designed to enable financial crime on a large scale, a researcher from Heimdal Security of Denmark said in an alert this week.

An advertisement on Lampeduza, a forum for buying and selling malware, touts Scylex as packing multiple functions including a user-mode rootkit, web injects, and a secure socket reverse proxy, Heimdal researcher Andra Zaharia said. So far, there have been no instances of Scylex actually being used anywhere.

The base kit comes at a price tag of $7,500. Those willing to spring an extra $2,000 can get additional functionality such as secure socket support for directing data transfers between a user PC and a malicious server, via a proxy.

The malware kit is also being offered as a premium package for $10,000. For this price, a buyer will get a Hidden Virtual Network Computing (HVNC) module in addition to all of the features available in the other two kits, Zaharia said.

HVNC is a sought-after capability in banking Trojans and basically gives attackers a way to manipulate a victim’s computer remotely to access bank accounts without triggering any alerts.

The purchase price for the malware includes support for up to 8 hours a day and periodic software updates. A new kit that is under development will come with even more functions, including capabilities for spreading via social networks, a DDoS module, and reverse FTP.

“From the looks of it, cybercriminals are trying to engineer the next big thing in financial malware,” Zaharia cautioned. “Their ambition is to replicate the impact that Zeus GameOver had a few years ago,” she said.

The Zeus Trojan first surfaced around 2007 and is believed responsible for infecting tens of millions of computers and draining hundreds of millions of dollars from bank accounts worldwide. The operators of the Zeus Trojan abruptly stopped their campaign about five years ago and released the source code for the malware online, prompting scores of me-too banking Trojans based on Zeus code in the last few years.

The authors of Scylex make it clear in their advertisement that the malware is not based on Zeus code. “It is a banking Trojan written 99% from scratch in C++,” they noted in the ad, a copy of which Heimdal posted on its site. “The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”

The malware kit appears designed for those who have solid technical skills, but the authors have made clear that it is available to anyone interested in purchasing it.

This type of malware can usually be bought with a lifetime license, as in the case of Scylex, or rented for a monthly fee, Zaharia told Dark Reading. The kits “include the malware, a dashboard where the attacker can tweak the settings and tech support,” she said. “Often, the malware comes preloaded with vulnerabilities and targets, but we couldn't say if this is the case or not for Scylex."

“The malware-as-a-service model has been growing in the past years, and with it the marketing efforts as well,” she said. “Since malware is now so readily available, malware creators have to differentiate themselves and present their offer with more transparency than before. Hence the conspicuous advertising.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

9/8/2016 | 9:46:45 AM
Identity theft
Nice article and informative read. Though what is mentioned in this article may sound like another data and identity theft case, in reality it is pretty concerning for the everyday users. Hackers are busy hacking the private and sensitive information, and if companies of such stature and online security are not safe, I beg to say how can an ordinary internet user be secure from these threats. I personally encrypt my files and folders; I do not even let my close ones access those as they are very personal. Also, while carrying out banking transactions and other card-involving stuff like booking flights, I make sure to first secure my connection with a VPN server (I use PureVPN) and then carry out transactions to avoid any form of leak, but that's just not me, everyone should start securing their online presence.