A new powerful banking malware is in the wild. Hesperbot targets European victims to steal bank log-in credentials with common techniques like capturing keystrokes, screenshots and videos from the victim’s computer screens — with the goal of stealing money from people’s accounts.
The trojan malware is very similar to the famous banking viruses Zeus and SpyEye, but according to ESET, the security firm that discovered it, it’s completely new. And even though for now it’s only been spotted in a few hundred computers in Europe — mainly Turkey, Portugal, Czech Republic and the UK — it could easily be the beginning of a larger malware campaign that could expand to the rest of the world.
“We think that people behind it are possibly gearing up for wider deployment,” said Stephen Cobb, an ESET security researcher, in a phone interview with Mashable. “If you look at history of malware, this is something we’ve seen before. Where it’s deployed in […] lesser-known countries before then being deployed in larger markets.”
It’s like beta-testing for cybercriminals, but the people who are “testing” the malware never actually signed up for it. The criminals see how the malware performs in smaller countries, tweak it and then go after bigger, more populous targets, explained Cobb.
The malware’s capabilities are powerful, but its goal is the same old one: stealing data in order to steal money.
“The aim of the attackers is to obtain log-in credentials, giving access to the victim’s bank account and to get them to install a mobile component of the malware on their Symbian, Blackberry or Android phone,” wrote Robert Lipovsky, a malware researcher at ESET.
The malware also tries to get victims to install a mobile app designed to break the two-factor authentication used by some banks. When a victim’s computer is infected, a malicious webpage asks the user to enter his or her cellphone model and number, and then sends a text message containing a link to the malicious app. If the app is installed, it infects the phone and intercepts data on it in order to bypass and hijack the bank’s two-factor authentication.
Hesperbot spreads via high-quality phishing emails made to look like they’re coming from credible sources. ESET first discovered it in August, when the cybercriminals behind it started infecting Czech victims with emails that appeared to be from the local postal service; a link led to a fake website that looked almost identical to the real service’s site.
Another one of its tricks is to inject malicious code into the targeted banks’ webpages. That feature wasn’t present in the malware spread in the Czech Republic, but it was used in Turkey and Portugal, perhaps a result of the “beta-testing” described above.
The identity of the cybercriminals behind it is also unknown. Cobb told Mashable that while ESET might find out more as it analyzes the code further, for now, “we don’t know much at all.”
“With a lot of malware [it] is extremely difficult these days to find out who wrote it and where they are located,” he said. “There is some Russian in [the code], but that doesn’t mean it came from Russia or even a Russian-speaking person.”
Interestingly, despite being classic banking malware, Hesperbot also harvests log-in credentials for social media accounts, to “make the most of every compromise,” Cobb explained. If the malware infects a victim who doesn’t have an account with any of the banks it targets, the cybercriminals at least get his or her passwords, which can then be sold on the black market.