Malware hunters at SecureWorks have intercepted a new banker Trojan being used by cyber-criminals to steal financial credentials from banks in the U.S.

The Trojan, dubbed “Bugat,” targets Automated Clearing House (ACH)
and wire transfer transactions by small- and mid-sized business in the U.S., much like the virulent Clampi Trojan that has stolen tens of millions of dollars.

According to SecureWorks researcher Jason Milletary, the Bugat Trojan includes features commonly found in malware used to commit credential theft for financial fraud.

These include:

  • Internet Explorer (IE) and Firefox form grabbing
  • Scrape or modify HTML for targeted sites
  • Steal and delete IE, Firefox, and Flash cookies
  • Steal FTP and POP credentials
  • SOCKS proxy server (v4 and v5)
  • Browse and upload files from the infected computer
  • Download and execute programs
  • Upload list of running processes
  • Delete system files and reboot computer to render Windows unable to boot

The Trojan communicates with a remote command and control web server to
receive commands and to exfiltrate stolen information.

As part of this
process, the malware also receives a list of URL target strings used to
monitor the victim’s web browser activity. These target strings
indicate a strong interest in websites used for business banking and
wire transfers. Bugat may also use HTTPS in an attempt to secure its
command and control communications.

For more information on these types of attacks, see reporting by Brian Krebs on the WaPo SecurityFix blog.

Categories: Malware