Banking trojan turns to 'Dark Cloud' botnet to spread malware further - New Gersy


Banking trojan turns to 'Dark Cloud' botnet to spread malware further




A widely distributed banking trojan has once again been updated with new attack techniques as cyber criminals look to make sure their malware is as effective, and as discreet, as possible in their efforts to steal banking credentials from customers of various financial institutions.




The Gozi ISFB banking trojan is now being distributed with the help of the 'Dark Cloud' botnet, a criminal service that is used to distribute several malware families, including Gozi and Nymaim.

According to researchers at Cisco Talos, those behind Gozi have leveraged the Dark Cloud botnet to help launch campaigns over the last six months.

What makes the botnet appealing to those behind malware campaigns is the way it uses its army of hijacked computers to change the Domain Name System (DNS) records of its hosted activity every few minutes.




Analysis of one website found that it used 287 different addresses over the course of 24 hours, equating to a rotation roughly every five minutes, which makes it harder for anyone looking to identify the hackers to track them down.

"This demonstrates just how fluid the DNS configuration associated with these domains is and how much infrastructure is being used by these attackers," said the researchers.
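The rotation described above is classic fast-flux behaviour, and the figure the researchers cite (287 addresses in 24 hours) is exactly the kind of signal a defender can pull out of passive DNS logs. The script below is an added example, not Talos's code or anything from the original article: it parses a few constructed passive-DNS records (hypothetical domains, documentation IP ranges), measures how often each domain's answer changes, and flags domains whose churn matches the pattern reported here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS records in "timestamp domain ip" form. The domains
# are hypothetical placeholders and the IPs come from documentation ranges.
SAMPLE_PDNS = """\
2018-03-01T00:00:00 lure-a.example 192.0.2.10
2018-03-01T00:05:00 lure-a.example 192.0.2.11
2018-03-01T00:10:00 lure-a.example 198.51.100.7
2018-03-01T00:15:00 lure-a.example 203.0.113.4
2018-03-01T00:20:00 lure-a.example 192.0.2.10
2018-03-01T00:25:00 lure-a.example 198.51.100.9
2018-03-01T00:00:00 static.example 192.0.2.50
2018-03-01T06:00:00 static.example 192.0.2.50
2018-03-01T12:00:00 static.example 192.0.2.50
"""


def parse_pdns(text):
    """Group (timestamp, ip) observations by domain."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, ip = line.split()
        records[domain].append((datetime.fromisoformat(ts), ip))
    return records


def flux_stats(observations):
    """Count distinct IPs and answer changes, normalised per minute."""
    obs = sorted(observations)
    distinct = {ip for _, ip in obs}
    changes = sum(1 for (_, a), (_, b) in zip(obs, obs[1:]) if a != b)
    span_min = (obs[-1][0] - obs[0][0]).total_seconds() / 60
    rate = changes / span_min if span_min > 0 else 0.0
    return {"distinct_ips": len(distinct), "changes": changes, "changes_per_minute": rate}


def rotation_interval_minutes(distinct_ips, hours):
    """Average minutes per address; the article's 287 in 24h gives about 5."""
    return hours * 60 / distinct_ips


def find_fast_flux(text, min_distinct=4, min_changes_per_minute=0.1):
    """Flag domains whose answer churn looks like the rotation described above.
    The default threshold (0.1 changes/minute) sits below the article's
    287 changes in 1440 minutes (about 0.2/minute) so that pattern is caught."""
    flagged = {}
    for domain, obs in parse_pdns(text).items():
        stats = flux_stats(obs)
        if stats["distinct_ips"] >= min_distinct and stats["changes_per_minute"] >= min_changes_per_minute:
            flagged[domain] = stats
    return flagged
```

Real passive-DNS sources will also carry TTL and record type; very low TTLs on A records are a second, independent indicator worth adding to the same check.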

Distribution of the Gozi malware itself is more restrained than many malware campaigns, with those behind the scheme running a low-volume operation and choosing to target specific organisations with custom messages and attachments. Researchers describe it as "an attempt to evade detection while maximising the likelihood that the victim will open the attached files".

This latest round of Gozi attacks still uses the previously known technique of conversation hijacking, with the attackers crafting emails that appear to be part of an ongoing thread in an attempt to increase the likelihood that the victim will trust the sender and download the malicious attachment equipped with the malware downloader.



Researchers note that even the lure documents are personalised, again indicating the effort going into the campaign. If the Word document is opened, the user is told they need to 'enable content' to view the file.

If the victim follows this instruction, the macros inside the document are enabled and Gozi is downloaded from the command and control server with the help of obfuscated Visual Basic and PowerShell commands.

Cisco Talos researchers also note that those behind Gozi are experimenting with additional payloads, including SpyEye, a credential-stealing malware targeting Apple devices, and CryptoShuffler, which secretly carries out cryptocurrency mining on infected machines for the benefit of the attackers.

While Gozi remains the main focus of the hacking group, it's likely that distribution of additional payloads is being tested as something of an insurance policy in the event that the malware ever becomes redundant. However, the use of the Dark Cloud botnet is likely to be an attempt to make sure Gozi remains discreet and profitable for a long time to come.




"Attackers are continuing to modify their techniques and finding effective new ways to change their malicious server infrastructure in an attempt to make analysis and tracking more difficult," said Talos researchers, who added that Gozi "will not be going away any time soon".

The identity of the threat actor behind the Gozi banking trojan campaigns remains unknown, but indicators point to it being the work of a highly organised and well-resourced crime ring.

Ahmad Adnan, a writer covering all news about technology.
