Using very credible-looking spreading campaigns that impersonate trustworthy organizations, the malware lures victims into actually running it. Several victims have already been robbed of financial assets by this newly revealed threat.
Hundreds of infections have been detected in Turkey, and dozens in the Czech Republic, the United Kingdom and Portugal. This very potent and sophisticated banking malware, dubbed Hesperbot, is spreading via phishing-like emails and also attempts to infect mobile devices running Android, Symbian and BlackBerry.
Detected as Win32/Spy.Hesperbot, this threat features keylogger capabilities, can create desktop screenshots and video captures, and can set up a remote proxy, but it also includes some more advanced tricks, such as creating a hidden remote connection to the infected system.
“Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.
The attackers aim to obtain login credentials that give them access to the victim's bank account, and to get the victim to install a mobile component of the malware on their Symbian, BlackBerry or Android phone.
“It’s probably not surprising that the attackers tried to lure potential victims to open the malware by sending phish-like emails resembling parcel tracking information from the Postal Service. This technique has been used many times before,” says Lipovsky. The Czech Postal Service responded very quickly by issuing a warning about the scam on its website.
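The lure described above (a parcel-tracking notification that does not actually come from the postal service and carries an executable) is the kind of pattern a mail gateway can score before the attachment reaches a user. The following triage heuristic is an added example for this article, not code from ESET or from the Hesperbot analysis; the allow-listed postal domain, the sample messages and the weights are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Placeholder allow-list of genuine postal-service sender domains (constructed;
# a real deployment would populate this with the organisations being impersonated).
LEGIT_POSTAL_DOMAINS = {"postal-service.example"}

# Attachment types that a genuine parcel notification has no reason to carry.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Words that signal a parcel-tracking or invoice theme in the subject line.
TRACKING_WORDS = re.compile(r"\b(parcel|package|tracking|shipment|delivery|invoice)\b", re.I)


@dataclass
class Message:
    """Minimal view of an inbound mail: sender address, subject, attachment names, link URLs."""
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower().strip(">")


def url_host(url: str) -> str:
    """Return the host part of an http(s) URL, lower-cased."""
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()


def is_postal_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_POSTAL_DOMAINS)


def score_message(msg: Message):
    """Return (score, reasons) for one message; higher means more lure-like."""
    score, reasons = 0, []
    claims_postal = bool(TRACKING_WORDS.search(msg.subject))
    domain = sender_domain(msg.sender)

    # A parcel/invoice theme from a domain that is not the postal service is the core lure.
    if claims_postal and domain not in LEGIT_POSTAL_DOMAINS:
        score += 3
        reasons.append(f"parcel/invoice theme from non-postal domain {domain}")

    for name in msg.attachments:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            score += 4
            reasons.append(f"executable attachment {name}")
            if lower.count(".") >= 2:  # e.g. tracking.pdf.exe
                score += 2
                reasons.append(f"double extension in {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            score += 2
            reasons.append(f"archive attachment {name}")

    # "Track your parcel" links that lead away from the postal service's own domain.
    for url in msg.links:
        host = url_host(url)
        if claims_postal and not is_postal_host(host):
            score += 2
            reasons.append(f"tracking link points to {host}")
    return score, reasons


def triage(messages, threshold=5):
    """Return (subject, score, reasons) for every message at or above the threshold."""
    flagged = []
    for m in messages:
        s, r = score_message(m)
        if s >= threshold:
            flagged.append((m.subject, s, r))
    return flagged


# Constructed sample traffic: one lure, one genuine notification, one unrelated newsletter.
SAMPLES = [
    Message("noreply@posta-tracking-info.example", "Your parcel tracking information",
            ["tracking_info.pdf.exe"], ["http://posta-tracking-info.example/track"]),
    Message("info@postal-service.example", "Parcel delivery notification",
            [], ["https://www.postal-service.example/track"]),
    Message("news@retailer.example", "Weekly deals", ["deals.pdf"], []),
]

if __name__ == "__main__":
    for subject, s, r in triage(SAMPLES):
        print(f"{s:2d}  {subject}: {'; '.join(r)}")
```

Only the lure crosses the threshold: it combines the spoofed postal theme, an executable with a double extension and an off-domain tracking link, while the genuine notification and the newsletter score zero. Weights are illustrative; in practice they would be tuned against real traffic and combined with sender authentication results.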
Nevertheless, the country most affected by this banking trojan is Turkey, where Hesperbot detections date back even earlier than August 8. Recent peaks in botnet activity were observed in Turkey in July 2013, but ESET has also found older samples that go back at least to April 2013.
The phishing e-mail sent to potential victims there purported to be an invoice. A variant of the malware has also been found in the wild designed to target computer users in Portugal and the United Kingdom.