The PhishLabs Blog

From Macro To Mitigation: An Analysis of TrickBot's Lifecycle


Summary

Since the identification of TrickBot in late 2016, we have observed it targeting bank customers throughout the United States, United Kingdom, Germany, Australia, and Canada, following an attack pattern similar to that of the Trojan from which it was developed, Dyre. TrickBot enters a victim's machine and sends bank information to criminals through a complex series of events initiated by a single click. Once initiated, TrickBot resides in the background, operating as unobtrusively as possible. While the process, from installation to credential theft, can happen in seconds, TrickBot follows discrete linear steps that provide opportunities for mitigation.


Topics: Threat Analysis, Threat Intelligence, Banking Trojan, TrickBot

Dissecting the Qadars Banking Trojan

Posted by Raashid Bhat on Feb 22, '17

Qadars is a sophisticated and dangerous Trojan used for crimeware-related activities including banking fraud and credential theft. Qadars targets users through exploit kits and is installed using PowerShell scripts. We have observed Qadars targeting multiple well-known banks in the UK and Canada, and it is capable of stealing infected users' two-factor authentication codes and banking credentials through the deployment of webinjects. While not as well known or widespread as other Trojans, the operators have shown commitment to the development of Qadars’ on-board evasion techniques and its advanced and adaptable privilege escalation module. This emphasis on persistence, alongside the frequent shifts in both industry and geographic targeting, indicates Qadars will remain a potent threat through 2017.

Topics: Threat Analysis, Threat Intelligence, Banking Trojan, Qadars

How Modern Banking Trojans Obstruct Malware Analysis

Posted by King Salemno on Oct 20, '16

Note to readers: PhishLabs will be represented by Paul Black at MalCon 2016 in Puerto Rico from October 18-21. At MalCon 2016, Paul will review the evolution of malware targeted at banks and financial institutions, reviewing notable trending data and methods to combat them. Contact PhishLabs for ongoing concerns, questions, and a deeper dive into the latest remediation techniques.

The cat and mouse game between malware researchers and threat actors operating banking Trojans began with the creation and propagation of the Zeus banking trojan in 2007. Since Zeus’s release, the number of banking trojans has increased continually, yet the anti-analysis mechanisms used by cybercriminals to obstruct researchers appear to have plateaued.


Topics: Malware, Banking Trojan, Malware Analysis, R.A.I.D.

Vawtrak / Neverquest2 adopts new methods to increase persistence

Posted by King Salemno on Aug 5, '16

At the end of July, the PhishLabs Research, Analysis, and Intelligence Division (R.A.I.D.) found two major changes in the codebase of Vawtrak (a.k.a. Neverquest2) that significantly increased the banking Trojan’s persistence and the risk it poses to victims. We have discovered that the newest iteration of Vawtrak is now using a domain generation algorithm (DGA) to identify its command and control (C2) server. By using an algorithm instead of hardcoded domains, automated attempts at mitigation are rendered inadequate. Additionally, this new DGA implementation is bundled inside a codebase that appears smaller and more efficient, possibly because of compiler optimization. This optimization prevents malware researchers from using their pre-established Vawtrak analysis techniques during the reversing process to assist with mitigation of the threat.


Topics: Threat Analysis, Threat Intelligence, Vawtrak, Banking Trojan, Neverquest2, Malware Analysis, R.A.I.D.

Android.Trojan.Marcher - Conclusion


About Parts One and Two

This post is the conclusion to a three-part blog series analyzing "Marcher" malware that targets the Android platform. Read part one here and part two here. To round out the discussion, let’s cover the network and host indicators associated with this Trojan.

Topics: Phishing, Malware, Threat Intelligence, Android, Banking Trojan

Android.Trojan.Marcher - Part Two


About Part One

Last week I posted a blog analyzing "Marcher" - malware targeting the Android platform. Designed to steal mobile banking app credentials from banking customers, it is one of the most prevalent Android password stealers seen in the wild. Read part one here.


Topics: Malware, Trojan, Android, Banking Trojan

USB Driver Exposes Routers, Healthcare Data Breach, Intelligence Sharing and more | TWIC - May 22, 2015

Posted by Lindsey Havens on May 22, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).


Topics: Phishing, Malware, Vulnerability, The Week in Cybercrime, Crimeware, Data Breach, Banking Trojan

Malware Hits Energy Sector, Risks for Insurers Rise, iOS Vulnerability and more | TWIC - April 24, 2015

Posted by Lindsey Havens on Apr 24, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).


Topics: Malware, Vulnerability, The Week in Cybercrime, Crimeware, Data Breach, Banking Trojan, iOS

Increased Upatre Activity, CoinVault Ransomware, PoS Malware Proliferates and more | TWIC - April 17, 2015

Posted by Lindsey Havens on Apr 17, '15

Each week, the PhishLabs team posts The Week in Cybercrime (TWIC) to recap noteworthy cybercrime articles and reports (open source).


Topics: Malware, The Week in Cybercrime, Crimeware, Vawtrak, POS Attacks, Banking Trojan, Ransomware

Vawtrak’s expanding infrastructure

Posted by R.A.I.D. on Feb 11, '15

The malware known as Vawtrak is a banking Trojan that has increased in sophistication since its inception more than eight years ago. Systems infected with Vawtrak become part of a botnet managed by a Russian cybercrime gang that operates a Cybercrime-as-a-Service enterprise based on selling botnet access and support to its clients.


Topics: Malware, Vawtrak, Banking Trojan


What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.
