OddJob Trojan Piggybacks On Legitimate eBanking Sessions

A new Trojan leads online banking customers into thinking they have logged out of their sessions when in fact they remain logged in. Discovered by Trusteer researchers, this completely new piece of malware represents the evolution of online attacks in the way it integrates new and old hacking methodologies to subvert the should-be stalwart commercial security applications employed by financial institutions.


The Trojan, dubbed “OddJob,” works in real time by hijacking customers' online banking session ID tokens, the unique identifiers that banks use to track a user's online session. The new malware appears to be targeting banks in several countries including the U.S., Poland, and Denmark. It is apparently based in Eastern Europe.

According to an analysis by security firm Trusteer, OddJob works by intercepting Web-based commands to terminate online banking sessions for users accessing their bank accounts with the Mozilla Firefox and Microsoft Internet Explorer Web browsers. The Trojan can log GET and POST requests, grab full HTML pages, terminate connections and inject data into active Web sessions.

Among other things, OddJob can piggyback on legitimate, customer-authenticated sessions, then manipulate the session to keep it active, bypassing the session termination that is supposed to occur when a user logs out. The Trojan can then initiate fraudulent transactions from the legitimate session. The Trojan features a number of stealth capabilities as well, and avoids saving data from its sessions locally, making digital forensics difficult.
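The defensive point behind this description is that a logout request can be swallowed on the client side, so the server cannot rely on ever seeing it. What limits the value of a session kept alive this way is server-side state: idle and absolute lifetimes that end the session no matter what the client does, and a fresh step-up authentication before any money moves. The following is an added example written for this article, not OddJob's code and not Trusteer's or any bank's implementation; the timeouts, the `SessionStore` API and the `FakeClock` are all constructed for illustration.

```python
"""Server-side session handling that limits what a kept-alive session is worth.
Assumed design (illustrative, not any bank's): tokens live only in a server-side
store, every request re-checks idle and absolute lifetimes, and a transfer needs
a fresh step-up authentication even on an otherwise valid session."""
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 5 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 60 * 60  # hard cap: even a busy session ends after an hour
STEP_UP_WINDOW = 60          # seconds a step-up auth stays usable for a transfer


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    fingerprint: str          # client trait bound at login (constructed value here)
    last_step_up: float = 0.0


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so the lifetime rules can be exercised
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, fingerprint: str) -> str:
        token = secrets.token_urlsafe(32)      # 256 random bits, unguessable
        now = self._clock()
        self._sessions[token] = Session(user, now, now, fingerprint)
        return token

    def logout(self, token: str) -> None:
        # Deletion happens in the server store, so once a logout does arrive
        # nothing the client sends later can revive this token.
        self._sessions.pop(token, None)

    def validate(self, token: str, fingerprint: str) -> tuple[bool, str]:
        s = self._sessions.get(token)
        if s is None:
            return False, "no-session"
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME:
            self.logout(token)
            return False, "absolute-timeout"
        if now - s.last_seen > IDLE_TIMEOUT:
            self.logout(token)
            return False, "idle-timeout"
        if not hmac.compare_digest(s.fingerprint, fingerprint):
            self.logout(token)
            return False, "fingerprint-mismatch"
        s.last_seen = now
        return True, "ok"

    def step_up(self, token: str, fingerprint: str, otp_ok: bool) -> bool:
        # otp_ok stands in for a real out-of-band check the caller performed.
        ok, _ = self.validate(token, fingerprint)
        if not (ok and otp_ok):
            return False
        self._sessions[token].last_step_up = self._clock()
        return True

    def authorize_transfer(self, token: str, fingerprint: str) -> tuple[bool, str]:
        ok, reason = self.validate(token, fingerprint)
        if not ok:
            return False, reason
        if self._clock() - self._sessions[token].last_step_up > STEP_UP_WINDOW:
            return False, "step-up-required"
        return True, "ok"


class FakeClock:
    """Constructed clock so the example can move time forward deterministically."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list[str]:
    """Walk one session through the rules; returns the reason string of each check."""
    clock = FakeClock()
    store = SessionStore(clock)
    fp = "client-A"                                   # constructed fingerprint
    tok = store.login("alice", fp)
    out = [store.validate(tok, fp)[1]]                # ok
    out.append(store.authorize_transfer(tok, fp)[1])  # step-up-required
    store.step_up(tok, fp, otp_ok=True)
    out.append(store.authorize_transfer(tok, fp)[1])  # ok
    clock.advance(STEP_UP_WINDOW + 1)
    out.append(store.authorize_transfer(tok, fp)[1])  # step-up-required again
    clock.advance(IDLE_TIMEOUT + 1)                   # the "dropped logout" case
    out.append(store.validate(tok, fp)[1])            # idle-timeout
    tok2 = store.login("alice", fp)
    store.logout(tok2)                                # a logout that did arrive
    out.append(store.validate(tok2, fp)[1])           # no-session
    return out
```

Two design notes. The fingerprint binding is there for stolen-cookie replay from another machine; it does nothing against malware running inside the victim's own browser, which is why the idle timeout, the absolute lifetime and the per-transfer step-up carry the weight in this scenario. The step-up window is deliberately short so that a session held open after the user walked away cannot reuse an earlier authentication.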

Trusteer says it has been aware of this piece of malware for months and has warned a number of financial institutions about it. It held off on publishing information about the new malware before now because of ongoing criminal investigations, the company said in its post. The company also admits that OddJob remains a work in progress: variants of the malware have been identified that are modified to work on specific Web sites, and its developers appear to be continuing to refine the code, Trusteer said.

Read more here.


Discussion

  • Anonymous on

    Have any antivirus/security vendors included this threat in their protection updates?

    Thank you.

  • Anonymous on

    Have any security vendors included protection against this OddJob threat?

  • Anonymous on

    The actual malware might be new, but what about the methods is actually new?  The story seems to focus on "piggybacking on legitimate sessions". This is generally called session hijacking and has been around forever.  Modern malware is defeating OOB authentications and securID, stealing the session ID stored in an HTTP cookie seems old school in comparison.

  • remax camosun on

    Thank you for such a fantastic blog. Where else could anyone get that kind of info written in such a perfect way? I have a presentation that I am presently working on, and I have been on the look out for such information.
