New Banking Trojan Targets Online Accounts
Add 'Bugat' to List of Malware Focused on ACH, Wire Transfers
The Counter Threat Unit at SecureWorks is calling this new malware "Bugat," and it is capable of capturing information entered in web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials.
Add Bugat to the malware roster alongside the Zeus Trojan and Clampi, both of which have been identified in recent months as being used to steal banking credentials from small and medium-sized businesses.
In 2009, the number of mid-sized businesses hit with ACH fraud rose sharply, prompting banking regulators and ACH associations to send alerts to the financial services industry. Most recently, a town in New York had hundreds of thousands of dollars taken by hackers via fraudulent ACH transactions.
What Can Bugat Do?
According to Jason Milletary, SecureWorks' technical director for malware analysis, Bugat can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.
How it operates: the Bugat Trojan communicates with a command and control server, from which it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted so that traffic inspection tools cannot read it.
"The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals," Milletary writes in a SecureWorks blog entry. By mid-January, the new malware had already updated its configuration data to include new financial targets. The installer for Bugat had only moderate anti-virus coverage, Milletary says, and the Trojan itself had almost no anti-virus recognition. He adds that Bugat comes with capabilities commonly found in malware used to commit credential theft for financial fraud.
"These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications," he says.
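The capabilities described above (capturing web-form data, uploading it to a remote server, and pulling an updated target list from the command and control server) leave a network-visible pattern even when the C2 traffic itself is encrypted: a client posts a login form to a banking site and, shortly afterwards, posts to an unfamiliar host. The following is an added illustration, not code from the article or from SecureWorks, of a proxy-log heuristic for that pattern. The log format, the host names and IP addresses, the `FINANCIAL_DOMAINS` and `KNOWN_GOOD` lists and the 120-second window are all hypothetical choices made for the example; Bugat's real target list lives in its C2-delivered configuration and is not reproduced here.

```python
"""Constructed example: flag the form-grab-then-exfiltrate pattern in proxy logs.

Assumptions (hypothetical, for illustration only):
  - Each log line is 'timestamp client method host path bytes', as written by
    an imaginary web proxy. Real proxies use other formats.
  - FINANCIAL_DOMAINS is a locally maintained list of sites the organisation's
    users bank with; KNOWN_GOOD is a small allow-list of hosts users POST to.
  - Because the Trojan may talk HTTPS to its C2, only the destination host is
    assumed to be visible, never the request body.
"""
import re
from datetime import datetime, timedelta

FINANCIAL_DOMAINS = {"onlinebanking.example-bank.com", "wires.example-treasury.com"}
KNOWN_GOOD = {"www.example.com", "update.example-vendor.com"}
EXFIL_WINDOW = timedelta(seconds=120)  # hypothetical: how soon after a bank POST counts

# Constructed sample log: 10.0.0.12 logs in to the bank and two seconds later
# POSTs to an unknown IP, then fetches a larger blob from the same IP (config
# update). 10.0.0.31 banks normally and later POSTs to an allow-listed site.
CONSTRUCTED_LOG = """\
2010-01-15T09:00:01 10.0.0.12 GET onlinebanking.example-bank.com /login 812
2010-01-15T09:00:07 10.0.0.12 POST onlinebanking.example-bank.com /login 1460
2010-01-15T09:00:09 10.0.0.12 POST 203.0.113.57 /gate.php 1921
2010-01-15T09:01:30 10.0.0.12 GET 203.0.113.57 /cfg.bin 30220
2010-01-15T09:05:00 10.0.0.31 POST onlinebanking.example-bank.com /login 1455
2010-01-15T09:05:02 10.0.0.31 GET onlinebanking.example-bank.com /accounts 9011
2010-01-15T09:07:00 10.0.0.31 POST www.example.com /search 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse the constructed format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate junk rather than abort on a real log
        ts, client, method, host, path, size = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "host": host,
            "path": path,
            "bytes": int(size),
        })
    # Sort per client in time order so the window check below is meaningful.
    events.sort(key=lambda e: (e["client"], e["ts"]))
    return events


def find_form_grab_exfil(events):
    """Return alerts for clients that POST to an unfamiliar host within
    EXFIL_WINDOW of POSTing a form to a financial site."""
    alerts = []
    last_financial_post = {}  # client -> most recent POST to a financial domain
    for ev in events:
        if ev["method"] != "POST":
            continue
        if ev["host"] in FINANCIAL_DOMAINS:
            last_financial_post[ev["client"]] = ev
            continue
        if ev["host"] in KNOWN_GOOD:
            continue  # ordinary POST to an allow-listed destination
        prev = last_financial_post.get(ev["client"])
        if prev is not None and ev["ts"] - prev["ts"] <= EXFIL_WINDOW:
            alerts.append({
                "client": ev["client"],
                "financial_host": prev["host"],
                "exfil_host": ev["host"],
                "seconds_after": int((ev["ts"] - prev["ts"]).total_seconds()),
                "bytes": ev["bytes"],
            })
    return alerts


if __name__ == "__main__":
    for a in find_form_grab_exfil(parse_log(CONSTRUCTED_LOG)):
        print(f"{a['client']}: POST to {a['financial_host']} followed "
              f"{a['seconds_after']}s later by {a['bytes']} bytes to {a['exfil_host']}")
```

The allow-list keeps the heuristic from firing on every site a user legitimately submits forms to; in practice it would be replaced by a baseline of destinations the client has posted to before. Encrypted or HTTPS C2 defeats content inspection, as the article notes, but it does not hide the host being contacted, which is what this check keys on.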
Bugat joins the growing list of malware targeting financial institution customers. Recently, security vendor Symantec warned of a new Zeus-like crimeware toolkit called SpyEye. Worse still, only about 50 percent of these types of malware are detected by up-to-date anti-virus software. The number of computers already infected with banking Trojans is not fully known, but Uri Rivner, a security researcher at RSA's Israel security center, says the commonly cited estimate of 3 million computers infected with the Zeus Trojan worldwide "is more likely near 9 to 10 million."