Urgent: New ACH and Wire Payment Trojan Facilitates $100K+ Transfers From Small to Mid-Sized Banks


This alert is intended for small to mid-sized businesses and banks that may face losses of $100K or more from unauthorized external wire transfers originating inside the bank, from known workstations and with valid user credentials. Call us at 888.712.9531 for immediate assistance.

In the past few months, we have noticed an increase in targeted attacks against our small to mid-sized banking clients using attack vectors first identified in early 2009. Because these attacks have increased and attackers are now using a new, more effective Trojan, we want to raise awareness of this threat and provide identification and remediation options.

Synopsis
The tools of choice were often from the Zeus or Clampi malware families. The new variant is being called Bugat (or Bredolab), among other names, by different vendors. In mid-January, the installer had moderate coverage (20/40) according to VirusTotal. The runtime behavior of the installed mspdb30.dll file did not match the installer's signature, resulting in next to no AV recognition (2/41). Additionally, the installer changes the AppInit_DLLs registry value, which instructs Windows to load the Bugat DLL into any program that also loads user32.dll; this technique is commonly used by malware to infiltrate browser and email clients.
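The AppInit_DLLs persistence technique described above is easy to audit. The following script is an added example, not code from Rook or SecureWorks: on a Windows host it reads the AppInit_DLLs and LoadAppInit_DLLs values from both registry views with the standard-library winreg module, and elsewhere it audits a constructed sample value. Entries whose file name matches the mspdb30.dll name given in this alert are flagged, and any other entry not on an allow-list is reported for review. The allow-list is an assumption to be filled in per environment; on a clean workstation the value is normally empty.

```python
"""Audit the AppInit_DLLs registry value for unexpected DLLs (added example)."""
import ntpath
import os
import re

# Registry subkeys under HKLM holding AppInit_DLLs (64-bit view and 32-bit Wow6432Node view).
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# File name this alert reports as Bugat's installed component.
KNOWN_BAD_NAMES = {"mspdb30.dll"}

# Assumption: populate with DLL names your organisation has explicitly approved.
EXAMPLE_ALLOWLIST = set()


def parse_appinit(value):
    """Split an AppInit_DLLs string into entries.

    Windows accepts space- or comma-separated paths; a quoted path may contain spaces.
    """
    pairs = re.findall(r'"([^"]+)"|([^\s,]+)', value or "")
    return [quoted or unquoted for quoted, unquoted in pairs]


def audit_appinit(value, allowlist=frozenset()):
    """Return (entry, reason) pairs for every entry that deserves attention."""
    approved = {name.lower() for name in allowlist}
    findings = []
    for entry in parse_appinit(value):
        name = ntpath.basename(entry).lower()  # ntpath handles backslashes on any OS
        if name in KNOWN_BAD_NAMES:
            findings.append((entry, "matches DLL name reported in the Bugat alert"))
        elif name not in approved:
            findings.append((entry, "not on the allow-list"))
    return findings


def read_appinit_windows():
    """Read AppInit_DLLs and LoadAppInit_DLLs from each registry view (Windows only)."""
    import winreg  # only available on Windows

    results = {}
    for subkey in APPINIT_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                dlls, _ = winreg.QueryValueEx(key, "AppInit_DLLs")
                try:
                    load_flag, _ = winreg.QueryValueEx(key, "LoadAppInit_DLLs")
                except FileNotFoundError:
                    load_flag = None  # value absent on older Windows versions
                results[subkey] = (dlls, load_flag)
        except FileNotFoundError:
            continue  # view not present on this host
    return results


if __name__ == "__main__":
    if os.name == "nt":
        for subkey, (dlls, load_flag) in read_appinit_windows().items():
            print(f"HKLM\\{subkey}: LoadAppInit_DLLs={load_flag}")
            for entry, reason in audit_appinit(dlls, EXAMPLE_ALLOWLIST):
                print(f"  {entry}: {reason}")
    else:
        # Constructed sample value resembling an infected host's setting.
        sample = r"C:\Windows\System32\mspdb30.dll"
        for entry, reason in audit_appinit(sample, EXAMPLE_ALLOWLIST):
            print(f"{entry}: {reason}")
```

Run it with administrative rights on each workstation that initiates wire transfers, and treat any non-empty AppInit_DLLs value that has not been approved as a reason to pull the host for forensic collection rather than simply clearing the value.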

Secureworks Description of Bugat Functionality:
• Internet Explorer (IE) and Firefox form grabbing
• Scrape or modify HTML for targeted sites
• Steal and delete IE, Firefox, and Flash cookies
• Steal FTP and POP credentials
• SOCKS proxy server (v4 and v5)
• Browse and upload files from the infected computer
• Download and execute programs
• Upload list of running processes
• Delete system files and render Windows unable to boot

Bugat communicates with a remote command-and-control web server to receive commands and to exfiltrate stolen information. As part of this process, the malware also receives a list of URL target strings used to monitor the victim's web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to conceal its command-and-control communications.

Are You At Risk?
Rook provides the Banking community with several free and paid options for support to prevent, detect, and remove this threat from your environment.

Free Email Based Support
Email team6@rookconsulting.com with a subject of “Bugat tips” to receive information on identifying the threat through its known file paths and other attributes, as well as high-level guidance on collecting forensic evidence for use with local and federal law enforcement should you detect wire fraud.

Bugat Scan & Removal
Email team6@rookconsulting.com or call 888.712.9531 and talk to our team about our quick, cost-effective service to identify and remove the threat from your environment. For an environment with fewer than 100 IPs, this can be done for under $5,000 and can be charged to your corporate card.

Holistic Security Posture Assessment
Identify this and other threats to your environment and receive a report providing you with a holistic view into the IT Risks associated with Policies & Procedures, Network & Host Based Vulnerabilities, Security Architecture and Web Application Vulnerabilities. Pricing is dependent upon a variety of factors, so please call us to find out the most cost effective and actionable option for your environment.

Free Web Briefing
Email team6@rookconsulting.com with a subject of “bugat web briefing” and we will notify you when our web briefing schedule is finalized for sometime towards the end of this week or the beginning of next.

For years, the Rook team has provided clients with insight into the residual risks associated with accepted risks and audit carry-forwards arising from non-standard attacks targeting banks. Unfortunately, many commodity technical security scanning providers are offering ineffective “security assessments” or “penetration tests”. These vendors are well versed in technology, but they lack the applied experience needed to help clients identify, understand, and manage residual risks in areas of analysis that are non-technical in nature.

The Rook Security Posture Assessment identifies these non-standard risks and provides management with risk-based decision support to maximize risk reduction through strategically precise solutions.

Take a moment, pick up the phone, and call us to understand how we can help you with identifying and removing this and other IT Risks inside your organization.

Call us at 888.712.9531, email info[at]rookconsulting.net, or keep up to date on critical issues, alerts, and intelligence by following us on Twitter and subscribing to Rook Insight to receive real-time Insight Intelligence Alerts via email.

Posted in: Insight on February 10th by admin
