Network Sniffer Spreading in Banking Networks

In this year number of malware attack on banking networks almost doubled compared to previous year. Also, malware authors are adopting more sophisticated techniques in an effort to target as many victims as they can.
There were only trojans which steal steal user’s credential by infecting user’s devices. But recently, security researchers from the Anti-virus firm Trend Micro have discovered a new variant of banking malware that not only steal the users’ information from the device it has infected but, has ability to “sniff” network activity to steal sensitive information of other network users as well.
The banking malware, variant of EMOTET spreads rapidly through spammed emails that which pretend itself as a bank documentation. The spammed email comes along with a link that users easily click, considering that the emails refer to financial transactions.
Once clicked, the malware get installed into users’ system that further downloads its component files, including a configuration and .DLL file. The configuration files contains information about the banks targeted by the malware, whereas the .DLL file is responsible for intercepting and logging outgoing network traffic.
Untitled
The .DLL file is injected to all processes of the system, including web browser and then “this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file, wrote Joie Salvio, security researcher at Trend Micro. “If strings match, the malware assembles the information by getting the URL accessed and the data sent.” Meanwhile, the malware stores stolen data in the separate entries after been encrypted, which means the malware can steal and save any information the attacker wants.
The malware also capable to bypass the secure HTTPS protocol and users will feel free to continue their online banking without even realizing that their information is being stolen.
EMOTET login
some Network APIs hooked by the malware.
PR_OpenTcpSocket
PR_Write
PR_Close PR_GetNameForIndentity
Closesocket
Connect
Send
WsaSend”
The malware infection is not targeted to any specific region or country but, EMOTET malware family is largely infecting the users of EMEA region, i.e. Europe, the Middle East and Africa, with Germany on the top of the affected countries.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s