It was detected during several targeted attacks starting in November 2012 where Cyber criminals have traditionally targeted private and corporate banking accounts, using malware (such as variants of the ZeuS cyber-crime toolkit) to log key-strokes and extract account information.
In the last year, Group-IB has received several incoming incident fraud requests on some famous online trading and stock brokerages where systems were possibly hacked and recently trading fraudsters have diversified tactics and begun to use malware.
Group-IB has detected the first professional malware, targeted at a specialized trading software named QUIK (Quik Broker, Quik Dealer) from Russian software developers ARQA Technologies and FOCUS IVonline from New York-based EGAR Technology, which is used by many banks in the Russian Federation including Sberbank, Alfa-Bank and Promsvyazbank.
The initial act of the malware is to check the presence of these applications in the OS, then begin to monitor the user's actions and extract information about his activity by capturing screenshots and intercepting credentials which are then sent to the C&C server.
