A researcher at SecureWorks has uncovered a new Trojan swiping credentials of customers of roughly 15 large and medium-sized banks in the United States.
SecureWorks has dubbed the malware the Bugat Trojan. The malware has similar functionality to other banking Trojans such as Clampi and Zeus, and was seen being distributed by a Zeus botnet.
Though the incidence of Bugat remains relatively low, its presence suggests attackers may be looking for alternatives to other Trojans.
“The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH (Automated Clearing House) and wire fraud remains a profitable venture for criminals,” blogged Jason Milletary, a security researcher at SecureWorks. “This demand may be driven by the desire for cheaper alternatives or malware that has not received as much scrutiny from security professionals. The continued introduction of this type of malware could have the unfortunate effect of lowering costs of malware and the barrier to entry into the criminal marketplace.”
The malware communicates with a remote command and control server to receive commands and pass along stolen data. It also receives a list of URL target strings used to monitor the victim’s Web browsing activity.
The Trojan targets Internet Explorer, Firefox and Adobe Flash Player cookies, as well as FTP and POP credentials. Bugat may also use HTTPS in an attempt to secure its C&C communications, according to Milletary.
SecureWorks declined to name the institutions or third-party banking applications targeted by the Trojan. However, in 2009 the FBI reported that malware involved in ACH and wire transfer fraud was costing small and midsize businesses millions.