Figure: Trojan.Stabuniq geographic distribution by unique IP address
According to researchers, roughly 40 IP addresses are infected with the Stabuniq Trojan, and 40 per cent of them belong to financial institutions, most of which are based in Chicago and New York.
The malware appears to be spread by a phishing attack through spam e-mail containing a link to the address of a server hosting a Web exploit toolkit. Such toolkits are commonly used to silently install malware on Web users' computers by exploiting vulnerabilities in outdated browser plug-ins like Flash Player, Adobe Reader, or Java.
These attacks can be very simple, such as an e-mail purporting to come from a prince in Nigeria asking for bank account information.
Once installed, the Trojan collects information about the infected machine, including its computer name, IP address, operating system version and installed service packs, and running processes, and sends that data to a command-and-control server located at one of the following domains:
- anatwriteromist.com
- bbcnews192.com
- belsaw920.com
- benhomelandefit.com
- midfielderguin.com
- prominentpirsa.com
- sovereutilizeignty.com
- yolanda911.com
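As an added example (not code from the article or from the researchers' report), the following Python script checks DNS query log lines against the C2 domains listed above and reports any host that resolved one of them. The log format and the sample lines are constructed for illustration; matching is done on label boundaries so that subdomains are caught but lookalike names are not.

```python
import re

# C2 domains named in the article (values taken from the page).
STABUNIQ_C2_DOMAINS = {
    "anatwriteromist.com",
    "bbcnews192.com",
    "belsaw920.com",
    "benhomelandefit.com",
    "midfielderguin.com",
    "prominentpirsa.com",
    "sovereutilizeignty.com",
    "yolanda911.com",
}

# Constructed sample lines in an assumed "timestamp client query name" format
# (not the output of any particular resolver).
SAMPLE_DNS_LOG = """\
2012-12-21T09:14:02Z 10.0.5.17 query www.example.com
2012-12-21T09:14:05Z 10.0.5.17 query BBCNEWS192.COM.
2012-12-21T09:14:09Z 10.0.5.23 query update.belsaw920.com
2012-12-21T09:14:11Z 10.0.5.23 query notbbcnews192.com
2012-12-21T09:14:15Z 10.0.5.40 query yolanda911.com.evil.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)$")

def normalize(name: str) -> str:
    """Lower-case a queried name and strip the trailing root dot."""
    return name.lower().rstrip(".")

def matches_c2(name: str, domains=STABUNIQ_C2_DOMAINS):
    """Return the C2 domain that `name` equals or is a subdomain of, else None.
    Suffix matching happens on a label boundary, so notbbcnews192.com and
    yolanda911.com.evil.example do not match."""
    n = normalize(name)
    for d in domains:
        if n == d or n.endswith("." + d):
            return d
    return None

def find_c2_hits(log_text: str):
    """Parse the log and return (timestamp, client, queried name, matched C2 domain)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = matches_c2(m["name"])
        if hit:
            hits.append((m["ts"], m["client"], m["name"], hit))
    return hits

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_DNS_LOG):
        print("possible Stabuniq C2 contact:", *hit)
```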
Ensure that programs and users of the computer run with the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administrator-level access is a legitimate application.
Turn off and remove unnecessary services, and enforce a password policy.