Earlier this week, law enforcement officials announced the arrest of more than 90 people for using and distributing the Blackshades RAT. In the wake of the arrests, we’ve been asked if Blackshades is a threat that banks, credit unions, and other financial institutions should be particularly concerned about.
Should financial institutions be doing anything differently to protect against Blackshades specifically? Probably not.
While news of the arrests (great news!) drew headlines, the capabilities of Blackshades don’t stand out as a major threat to banks and credit unions.
Blackshades is not typically used for the type of cybercrime normally associated with online banking. While it is much cheaper than high-impact threats like ZeuS, it cannot serve as a platform for large-scale, professional cybercrime operations. It does have basic commodity malware features, such as keylogging and “creepware” features, that could be used in small-scale attacks – but nothing that should be especially alarming.
Current versions of Blackshades:
- Lack the ability to sniff encrypted (https) web traffic, like that between an online banking server and a customer’s web browser.
- Lack the ability to allow an attacker to change or inject data into secure web sessions (a key feature of banking Trojans).
- Can be used as a proxy to tunnel an attacker’s traffic through victim PCs to evade IP checks, but they don’t use any cookies or other browser data from the victim, so commonly used online banking defenses are still effective.
- Can take remote control of the victim’s mouse and keyboard; however, this is done in the user’s current session, which makes the attacker's actions plainly visible to the user and likely to raise alarm.
- Can be used for DDoS attacks, but the capabilities are limited and difficult to manage on a scale large enough to launch major attacks.
- Have a URL-based redirect/block traffic feature, which could be used in pharming and phishing attacks to surreptitiously redirect users to imposter websites.
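To make the proxy point concrete: the reason an IP borrowed through an infected PC is not enough is that online banking sites typically bind a login to more than the source address, for example a long-lived device cookie set on the customer's browser. The toy risk check below is an added illustration of that kind of defense; it is not code from the original post, and the account profile, device IDs and IP addresses are constructed sample data.

```python
"""Toy device-binding login check of the kind online banking sites run
alongside IP reputation. Added illustration, not part of the original post;
all account data and login attempts below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccountProfile:
    account_id: str
    known_ips: frozenset          # source IPs seen on prior successful logins
    known_device_ids: frozenset   # IDs previously stored in a device cookie


@dataclass(frozen=True)
class LoginAttempt:
    account_id: str
    source_ip: str
    device_id: Optional[str]      # value of the device cookie, None if absent


def assess_login(profile: AccountProfile, attempt: LoginAttempt) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'step_up'.

    'step_up' means the site should demand extra authentication (one-time
    code, security question, out-of-band confirmation) before proceeding.
    """
    ip_known = attempt.source_ip in profile.known_ips
    device_known = (attempt.device_id is not None
                    and attempt.device_id in profile.known_device_ids)

    if device_known and ip_known:
        return "allow", "known device from a known network"
    if device_known:
        # A recognised device on a new network is ordinary (travel, mobile
        # tethering); the device cookie carries most of the assurance.
        return "allow", "known device from a new network"
    if ip_known:
        # The IP matches but the browser presents no recognised device cookie.
        # Traffic relayed through the customer's own PC looks exactly like this:
        # the address is borrowed, the browser state is not.
        return "step_up", "known network but unrecognised device"
    return "step_up", "unknown device and unknown network"


# Constructed profile: one customer who always logs in from home.
CUSTOMER = AccountProfile(
    account_id="acct-1001",
    known_ips=frozenset({"198.51.100.23"}),
    known_device_ids=frozenset({"dev-7f3a"}),
)


def scenario_customer_at_home() -> Tuple[str, str]:
    return assess_login(CUSTOMER, LoginAttempt("acct-1001", "198.51.100.23", "dev-7f3a"))


def scenario_customer_travelling() -> Tuple[str, str]:
    return assess_login(CUSTOMER, LoginAttempt("acct-1001", "203.0.113.9", "dev-7f3a"))


def scenario_relayed_through_customer_pc() -> Tuple[str, str]:
    # Same source IP as the customer, but a browser with no device cookie.
    return assess_login(CUSTOMER, LoginAttempt("acct-1001", "198.51.100.23", None))


if __name__ == "__main__":
    for name, fn in [("at home", scenario_customer_at_home),
                     ("travelling", scenario_customer_travelling),
                     ("relayed via customer PC", scenario_relayed_through_customer_pc)]:
        print(f"{name:25s} -> {fn()}")
```

The relayed attempt matches the customer's IP yet still lands on `step_up`, which is the point of the bullet above: a plain proxy defeats an IP check but not a device check. The features that do get past this kind of control are the ones Blackshades lacks, namely lifting the victim's cookies and other browser state or injecting into the live secure session.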
Blackshades is a relatively cheap hacking tool built for less-sophisticated buyers than the professional cybercrime operations that frequently target financial institutions. Brian Krebs has an excellent write-up (as usual!) on its presence in hacker forums and markets.
As with most malware, it’s possible that your employees could be infected with Blackshades. But employing common security defenses should minimize that risk. If you’re a bank or credit union, there are more impactful cyber threats to be concerned about.