Zitmo Trojan Variant Eurograbber Beats Two-Factor Authentication to Steal Millions

Online banking customers in Europe are falling victim by the thousands to a new banking Trojan that is infecting Android and BlackBerry devices and is capable of defeating two-factor authentication.

Online banking customers in Europe are falling victim by the thousands to a new banking Trojan that is infecting Android and BlackBerry devices and is capable of defeating two-factor authentication.

The Trojan, dubbed Eurograbber by researchers at Check Point Software Technologies and Verasafe, is a variant of the Zitmo Trojan. Zitmo, or Zeus-In-The-Mobile, has not moved outside Europe, but could eventually target customers in the United States, for example, as more banks require a second form of authentication for access to their online accounts.

To date, the researchers said, Eurograbber has infected more than 30,000 users and stolen an estimated 36 million Euros. Once the Trojan infects a customer’s PC and mobile device, it is able to transfer funds from a compromised account without the victim’s knowledge in amounts ranging from 500 to 250,000 Euros.

“Eurograbber is an excellent example of a successful targeted, sophisticated and stealthy attack. The threat from custom designed, targeted attacks like Eurograbber is real and is not going away,” wrote Eran Kalige of Verasafe and Darrell Burkey of Check Point in a research report. The victim banks were not identified in the report, but Kalige and Burkey said the financial institutions, as well as law enforcement, have been notified.

Like most targeted attacks, this one kicks off with a phishing message purporting to be from their bank leading them to click on a link which downloads the Trojan onto their PC. The next time the victim logs onto their banking account, the Trojan hijacks the session and injects JavaScript onto the banking page instructing them to proceed through a security upgrade. The message instructs the user to install software that will encrypt transactions from their mobile device, which is used as a second form of authentication via an SMS message sent to the device.

The victim enters their mobile number and device type. In the background, a connection is made to a command and control server where stolen data is stored and further instructions await. The Trojan then sends an SMS to the victim’s mobile that includes a link that will download the Trojan to the phone as well. A device-appropriate version of the malware is sent in the location-appropriate language. A verification code is sent that the victim must enter once the upgrade process is complete.

“Further evidence of the sophistication of the Eurograbber attack, this response informs the attackers when a particular bank customer is now controlled by the Eurograbber attack,” the report said.

The victim then gets a message on their mobile and PC that the security upgrade is complete and they can continue with their banking. In the background, the Trojan is able to hijack the session and start its own transaction in the background, transferring funds to a mule account owned by the attackers.

The key here is the Trojan’s ability to circumvent the second-factor of authentication, or Transaction Authorization Number (TAN) sent via SMS to the user’s mobile. The Trojan gets the SMS and sends the TAN via relay phones and proxy servers to the command and control server’s SQL database. The Trojan uses the TAN to complete its transaction, while the customer sees none of the fraudulent activity.

“In order to avoid detection, the attackers used several different domain names and servers, some of which were proxy servers to further complicate detection,” the report said. “If detected, the attackers could easily and quickly replace their infrastructure thus ensuring the integrity of their attack infrastructure, and ensuring the continuity of their operation and illicit money flow.”

Zitmo traditionally targeted the Android platform, but earlier this year, a version of Zitmo for BlackBerry surfaced. BlackBerry’s use by corporate executives gives the Trojan access to high-value executives, the report said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.