New Banking Trojan Found Underground

Thursday, July 25, 2013 @ 03:07 PM gHale

A new commercial banking Trojan is beginning to work its way through the ranks.

“This is the first actual commercial Trojan we’ve seen in a while, since Citadel was taken off the market,” said Limor Kessem, cybercrime specialist with RSA. “We haven’t seen anything serious enough on the part of malware developers. This is the first time something might materialize into a real, commercial banking Trojan” since then.

Win 8 CAPTCHA Malware
Trojan Speaks Local Languages
Trojan Takes Over Google Docs
Trojan Uses Fake Adobe Certificate

RSA in February first began hearing hints of a new Trojan toolkit named “KINS,” and then found an announcement of its sale in a closed Russian-speaking underground forum. An advertisement for KINS said the Trojan started “from scratch” and is not a part of another Trojan codebase, but Kessem said that remains to be seen. The kit should become available “soon,” she said, so RSA researchers can then study the code and confirm its makeup.

KINS comes with a dropper and DLLs and Zeus-compatible Web injects, according to its creators, and sells for $5,000 in its standard kit form. Additional modules and plug-ins are another $2,000 apiece.

But what stands out most about the kit is it includes a bootkit, Kessem said. “It’s more stealthy when it’s a bootkit,” she said.

No other commercial Trojan banking malware — neither Zeus nor SpyEye — came with a bootkit, she said. The Carberp Trojan creators offered to sell a bootkit for $40,000, but KINS is the first commercial Trojan that comes in bootkit mode, she said.

The commercial Trojan market has been missing a “stable offering” like KINS, RSA researchers said.

Despite claims the malware is from scratch, RSA said the new malware has some similarities with those predecessors, including a main file plus DLL plug-ins, compatibility with Zeus Web injections, the Anti-Rapport plug-in that came with SpyEye.

Leave a Reply

You must be logged in to post a comment.