
SlemBunk Android Banking Trojan Continues to Wreak Havoc Around the World


One month after its activity was made public, the SlemBunk Android banking trojan is still going strong: FireEye researchers confirm that the malware's operators have continued to infect users and steal their financial information.

SlemBunk, first documented by Fortinet last year, intensified its activity towards the middle of December 2015, when FireEye researchers saw a spike in infections.

The trojan has infected users all over the world; FireEye counted 170 distinct SlemBunk variants targeting 33 mobile banking applications.

In most of these infections, SlemBunk was served to victims as an Android version of Adobe Flash Player on adult-themed video portals, where playback was blocked with a message that the user's Flash Player was not up to date.

According to FireEye, the campaign has changed very little since the company published its analysis of SlemBunk's mode of operation.

SlemBunk campaign carried on unabated

Following up on that work, the researchers continued to monitor SlemBunk infections and found that up to three intermediary apps are used to mask the final infection before the banking trojan lands on a user's device.

This prolonged attack chain usually starts with a drive-by download that automatically fetches the SlemBunk dropper (a dropper is malware whose job is the initial foothold on the system). The dropper unpacks a second app that acts as the SlemBunk downloader (a downloader is malware that retrieves other malware), and the downloader in turn retrieves the final SlemBunk payload, the actual banking trojan.
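A dropper that "unpacks another app" usually means an APK carrying a second APK inside one of its own entries, typically under assets/. The scanner below is an added example, not FireEye's tooling or anything from the SlemBunk samples: it walks an APK (a ZIP) recursively, flags embedded ZIP/APK and DEX entries by magic bytes, and counts the app stages in the chain. The three-stage sample it scans is constructed in memory with placeholder manifest and DEX entries, so it runs offline without any real malware.

```python
import io
import zipfile

# Magic bytes an analyst looks for inside an APK's entries: a ZIP local file
# header (APKs and JARs are ZIPs) and the Dalvik bytecode header.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


def find_nested_archives(apk_bytes, path="<root>", depth=0, max_depth=4):
    """Recursively walk an APK and report embedded ZIP/APK and DEX entries.

    Returns a list of (nesting_depth, entry_path, kind) tuples, where kind is
    'apk' for an embedded ZIP carrying AndroidManifest.xml, 'zip' for any
    other embedded ZIP, and 'dex' for loose Dalvik bytecode. Embedded
    archives are descended into, up to max_depth levels.
    """
    findings = []
    if depth > max_depth:
        return findings
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompressed entry contents
            entry = f"{path}/{info.filename}"
            if data.startswith(DEX_MAGIC):
                findings.append((depth, entry, "dex"))
            elif data.startswith(ZIP_MAGIC):
                try:
                    inner_names = zipfile.ZipFile(io.BytesIO(data)).namelist()
                except zipfile.BadZipFile:
                    findings.append((depth, entry, "zip-damaged"))
                    continue
                kind = "apk" if "AndroidManifest.xml" in inner_names else "zip"
                findings.append((depth, entry, kind))
                findings.extend(
                    find_nested_archives(data, entry, depth + 1, max_depth))
    return findings


def stage_count(findings):
    """Number of app stages in the chain: the outer APK plus every embedded APK."""
    return 1 + sum(1 for _, _, kind in findings if kind == "apk")


def build_sample_chain():
    """Constructed test data, not a real SlemBunk sample: a three-stage chain
    where a 'dropper' APK carries a 'downloader' APK under assets/, which in
    turn carries the final 'payload' APK. The manifest and DEX entries are
    placeholders, enough for the scanner but not installable."""
    def make_apk(extra_entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
            for name, data in extra_entries.items():
                zf.writestr(name, data)
        return buf.getvalue()

    payload = make_apk({})
    downloader = make_apk({"assets/update.bin": payload})
    dropper = make_apk({"assets/flash_player.dat": downloader})
    return dropper


if __name__ == "__main__":
    sample = build_sample_chain()
    findings = find_nested_archives(sample)
    for depth, entry, kind in findings:
        print(f"{'  ' * depth}{kind:4} {entry}")
    print("stages:", stage_count(findings))
```

The check keys on the decompressed bytes of each entry rather than on file extensions, because a dropper can name its embedded APK anything (here `flash_player.dat`); the `max_depth` guard stops a crafted archive from recursing forever.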

Besides the fake Flash Player app, FireEye also found SlemBunk posing as other types of apps, from essential tools to adult-themed apps, all distributed from sources outside the Play Store.

The researchers identified the campaign's command-and-control (CnC) servers and even reached the panel's login page. Most of these domains were registered at the start of December 2015, but their operators have already abandoned them and moved to new ones. For now, SlemBunk's operators do not seem troubled by the security firm's findings and remain a step ahead.

Drive-by download page, infection point for SlemBunk


KINS Malware Toolkit Leaked Online


Version 2.0.0.0 of the toolkit for the banking Trojan known as KINS was leaked last month, researchers revealed on Sunday.

According to the MalwareMustDie research group, which learned of the leaked files on June 26, the package includes the KINS 2.0.0.0 builder and the source code for the control panel. The package has been widely distributed on the Web, giving cybercriminals the means to generate new malware and control their botnets.

Researchers have pointed out that the developers of the malware builder call the tool “KINS Builder.” However, the binaries generated by it actually appear to be versions of the banking malware called ZeusVM. The malware generated by the builder is completely different from previous KINS versions.

Experts say this shows that KINS developers have integrated ZeusVM technology into their creation.


One of the features KINS borrowed from ZeusVM is steganography, the practice of concealing a file or message inside another file or message. In the case of KINS/ZeusVM, the malware's configuration data is hidden in a .JPG image file.
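A quick triage check for this class of steganography is whether a JPEG carries bytes beyond its end-of-image marker, which is one common way to smuggle a configuration blob inside an image that still displays normally. The code below is an added example and does not reproduce KINS or ZeusVM's actual hiding format; it walks the JPEG marker segments by their declared lengths so that an Exif thumbnail's own EOI does not fool the check, then returns whatever follows the real EOI. The sample image is a constructed marker skeleton, not a decodable picture, and the appended "config" is a placeholder string.

```python
import struct

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image


def find_jpeg_end(data):
    """Return the offset just past the real EOI marker of a JPEG.

    Marker segments are walked by their declared length up to SOS, so an
    embedded thumbnail's own SOI/EOI inside an APP1 (Exif) segment is skipped
    rather than mistaken for the end of the image.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI before any scan: empty image
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:            # SOS: entropy-coded data follows
            # Inside scan data 0xFF is always followed by 0x00 (byte stuffing)
            # or an RSTn marker (0xD0-0xD7), so the first FF D9 after the SOS
            # header is the genuine EOI.
            eoi = data.find(EOI, pos + 2 + seg_len)
            if eoi == -1:
                raise ValueError("truncated JPEG: no EOI after scan data")
            return eoi + 2
        pos += 2 + seg_len
    raise ValueError("truncated JPEG: no SOS segment")


def trailing_payload(data):
    """Bytes appended after the image proper; empty for a clean file."""
    return data[find_jpeg_end(data):]


def naive_trailing_bytes(data):
    """The shortcut that goes wrong: everything after the first FF D9 seen."""
    return data[data.find(EOI) + 2:]


def build_sample_jpeg(payload=b""):
    """Constructed test input, not a decodable picture: a JPEG marker skeleton
    with an APP1 segment embedding a thumbnail (which has its own SOI/EOI),
    a SOF0 and SOS header, fake scan bytes, the real EOI, then `payload`."""
    def segment(marker, body):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

    thumbnail = SOI + segment(0xDB, b"\x00" + b"\x01" * 64) + EOI
    app1 = segment(0xE1, b"Exif\x00\x00" + thumbnail)
    sof0 = segment(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    sos = segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed FF and an RST0 marker
    return SOI + app1 + sof0 + sos + scan + EOI + payload


if __name__ == "__main__":
    sample = build_sample_jpeg(b"constructed-config-blob")
    print("appended bytes:", trailing_payload(sample))
    print("naive scan over-reports:", len(naive_trailing_bytes(sample)), "bytes")
```

Trailing bytes are only a lead: a real sample's blob will be encrypted or encoded, and a hider can just as well put data inside an APPn segment, which this check does not cover. The `naive_trailing_bytes` variant is there to show why searching for the first FF D9 is not enough once Exif thumbnails are in play.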

MalwareMustDie researchers are providing the KINS toolkit package through private channels to other experts and security firms that want to analyze the threat.

In the meantime, the group has teamed up with the French researcher known as Xylit0l and the Japanese researcher known as unixfreaxjp to curb distribution of the toolkit. They have managed to get the package removed from several websites, but the files have already been mirrored on too many sites to contain the leak.

Experts believe that the leak will lead to more botnets powered by KINS/ZeusVM 2.0.0.0.

MalwareMustDie also revealed that it has spotted ads on cybercrime forums for version 3 of KINS. According to researchers, the malware has been sold for $5,000.

MalwareMustDie has published videos, technical details, and code for the leaked KINS toolkit.

*Updated. The original version of the story incorrectly stated that the source code for both the builder and the control panel was made available. Only the source code for the control panel has been leaked. 

Source:http://www.securityweek.com/