Sophisticated Hesperbot malware targets Aussie banks

By on
Sophisticated Hesperbot malware targets Aussie banks

Uses web injects, video capture and malicious mobile apps.

Credit: Eset
Credit: Eset

A nasty new form of malware dubbed Hesperbot has begun targeting Australian banks.

The Hesperbot trojan stole banking information by way of web-injects, keyloggers and form-grabbers.

It targeted Australian banks including the National Australia Bank, the Commonwealth Bank, Westpac, St George and Tasmania's MyState.

Infected users would see a message crafted by attackers and injected into the Australian bank websites that urged customers to install an application masquerading as two factor SMS security software.

The software worked on Android, Symbian and Blackberry handsets and generated authorisation and response codes that confirmed to bot masters that a victim had installed the software.

Hesperbot grabbed customers banking information as it was typed into sites and used video capture software to both overcome virtual keyboards and to check bank balances without having to log in to accounts.

"While inspiration from older banking trojans are clearly suggested by certain functionalities (sic), it appears that Hesperbot is a new breed of malware," ESET authors Anton Cherepanov and Robert Lipovsky wrote.

"The combination of man-in-the-middle network traffic interception, keylogging, creating screenshots and video capture sequences and a hidden VNC (Virtual Network Computing) session all make this banking trojan a very capable malicious program.

"The Hesperbot operators are very active, causing real financial losses for bank’s customers and it seems we still haven’t heard the last of this malware."

Hesperbot admin panel
Hesperbot admin panel

The malware was also upgraded with Bitcoin-stealing functionality that allowed it to raid wallets stored on victim machines.

"With the current high value of Bitcoin, the decision to add this module is quite understandable."

Further details were available on ESET's blog and whitepaper. (pdf

The news comes as malware researchers at Kaspersky Lab discovered a 64-bit version of the well-established Zeus banking trojan.

The malware also used web injects and keyloggers to steal banking credentials and used the Tor network to communicate with command and control servers.

Researcher Dmitry Tarakanov pointed out that the new support may be a marketing gimmick directed at black hat buyers since it would have a limited victim base as few users ran 64-bit operating systems.

Whatever the intentions were of the malware author that created this piece of Zeus – be it a marketing ploy or the groundwork for some future needs – a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of ZeuS has been reached," Tarakanov wrote.


Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?