Fraudsters plan strike on US banks

A malware campaign launched against customers at 30 US banks is continuing, researchers say.

McAfee supported an October warning from RSA that a Russian cyber gang was preparing to infect users with a variant of the Gozi trojan called Prinimalka.

The company also disclosed new information about an earlier Gozi Prinimalka campaign, between March and April of this year, when attackers infected at least 500 individuals throughout the United States with the trojan.

The company also discovered that the group would be ready to strike as early as next autumn.

Gozi Prinimalka enables fraudsters to initiate unauthorised wire transfers on their behalf by hijacking live banking sessions and was updated by developers to perform similar functions as the Zeus and SpyEye banking trojans.

RSA's fraudaction research lab Limor Kessem told SC Prinimalka was privately sold while Zeus and SpyEye, was a commercial underground offering.

“We have really analysed and reverse-engineered Gozi since around 2010,” Kessem said.

“We saw that it's added a lot of features that we know from Zeus and SpyEye – for instance, man-in-the-browser automated capabilities.”

McAfee threat researcher Ryan Sherstobitoff told SC each malicious binary was encrypted uniquely which helped the trojan to evade detection.

“You would have to update your anti-virus setting every time to detect it,” Sherstobitoff said. “Any future variant should be detected using behavior-based anti-virus [solutions].”

McAfee researchers said national and investment banks in the US will be the major targets of Prinimalka fraudsters, with a small percentage being credit unions. 

The group's plan will likely be to continue on in their previous strategy: strike, then disappear until their next campaign unfolds.

“This could very well be a threat in 2013,” Sherstobitoff said.

This article originally appeared at scmagazineus.com