Researchers at Trusteer spotted a new banking malware program on the underground Russian cybercrime market, that communicates with attackers over the I2P anonymity network is for sale on underground Russian cybercrime forums.
Dubbed 'i2Ninja', malware has most of the features found in other financial malware including the ability to perform HTML injections and form grabbing in Internet Explorer, Firefox and Chrome. i2Ninja can also steal FTP and e-mail credentials. It also has a PokerGrabber module feature that targets poker sites.
The traffic between the malware and the command server cannot be easily blocked by intrusion prevention systems or firewalls because it’s encrypted and transmitting over the Invisible Internet Project (I2P).
Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels.
I2P communication can make it much harder for security researchers to find and take down those servers and the malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity.
Another unique feature of this malware is that it comes with an integrated help desk ticketing system. "A potential buyer can communicate with the authors / support team, open tickets and get answers - all while enjoying the security and anonymity provided by I2P's encrypted messaging nature," Trusteer says.
The few other malware also has such marketed support i.e. Citadel and the Neosploit Exploit Pack. It’s not known if i2Ninja is already being used to infect computers.
With increasing black market activity and the release of various malware source code, we expect to see a new malware variants and new underground offering in 2014, they say.