Cyber criminal activity associated with financial Trojan programs has increased rapidly during the past few months. Among the techniques in use, a Tor-based architecture is the favourite of online criminals, because it hides their bots and the real location of the botnet's Command-and-Control server from security researchers.
Security researchers at anti-virus firm Kaspersky Lab have discovered a new Tor-based banking Trojan, dubbed "ChewBacca" ("Trojan.Win32.Fsysna.fej"), that steals banking credentials and is hosted on a Tor .onion domain.
This protects the location of a server as well as the identity of its owner in most cases. Still, there are drawbacks that prevent many criminals from hosting their servers within Tor. Due to the overlay and its structure, Tor is slower and timeouts are possible. Massive botnet activity may influence the whole network, as seen with Mevade, and therefore lets researchers spot such botnets more easily.
ChewBacca is not the first malware to adopt Tor for anonymity; recently a new Zeus Trojan variant was captured in the wild that is also based on the Tor network and aimed at 64-bit systems.
The researchers did not say how they discovered ChewBacca, or how widely it has spread, but they note that the malware is compiled with Free Pascal 2.7.1.
After execution on the victim's Windows system, the malware drops itself as spoolsv.exe in the Startup folder and also drops a copy of Tor 0.2.3.25, which runs with a default listener on "localhost:9050". The Trojan then logs all keystrokes and sends the data back to the botnet controllers via the Tor anonymity network.
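The behaviour described above gives a defender three host-level indicators to hunt for: a process named spoolsv.exe running from somewhere other than System32 (the genuine print spooler lives there), an executable launched from a per-user Startup folder, and a local SOCKS listener on Tor's default port 9050. The following script is an added example written for this article, not code from Kaspersky Lab or from the malware itself; it runs the three checks over a constructed process inventory (the PIDs, paths and sockets are made-up sample data, not real telemetry), and the `ProcessRecord` shape, the `check_process`/`triage` names and the path used for the legitimate spooler are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple, Dict

# Hypothetical inventory record: one entry per running process, as a
# host agent or a parsed "tasklist" + "netstat -ano" export might produce.
@dataclass
class ProcessRecord:
    pid: int
    image_path: str                       # full path of the executable
    listening: List[Tuple[str, int]]      # (bind address, port) sockets

# Where the real Windows print spooler is expected to live (assumption of the example).
LEGIT_SPOOLER = r"c:\windows\system32\spoolsv.exe"
# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Default SOCKS port of a stock Tor client, as reported for the dropped Tor 0.2.3.25.
TOR_SOCKS_PORT = 9050
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def check_process(rec: ProcessRecord) -> List[str]:
    """Return the list of indicators that match this process (empty if none)."""
    findings = []
    name = rec.image_path.rsplit("\\", 1)[-1].lower()

    # Indicator 1: spoolsv.exe masquerade outside its legitimate location.
    if name == "spoolsv.exe" and rec.image_path.lower() != LEGIT_SPOOLER:
        findings.append("spoolsv.exe running from a non-System32 path")

    # Indicator 2: executable persisted via a Startup folder.
    if STARTUP_DIR_RE.search(rec.image_path):
        findings.append("executable launched from a Startup folder")

    # Indicator 3: loopback listener on Tor's default SOCKS port.
    for addr, port in rec.listening:
        if port == TOR_SOCKS_PORT and addr in LOOPBACK:
            findings.append("local SOCKS listener on Tor default port 9050")

    return findings


def triage(records: List[ProcessRecord]) -> Dict[int, List[str]]:
    """Map PID -> findings for every process that triggers at least one indicator."""
    hits = {}
    for rec in records:
        findings = check_process(rec)
        if findings:
            hits[rec.pid] = findings
    return hits


# Constructed sample inventory (not real data): the genuine spooler, a suspicious
# spoolsv.exe persisted in a user's Startup folder with a 9050 listener, and a
# Tor Browser instance, which uses port 9150 and should not be flagged.
SAMPLE = [
    ProcessRecord(1234, r"C:\Windows\System32\spoolsv.exe", []),
    ProcessRecord(
        4321,
        r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
        [("127.0.0.1", 9050)],
    ),
    ProcessRecord(
        5555,
        r"C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
        [("127.0.0.1", 9150)],
    ),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE).items():
        print(f"PID {pid}:")
        for f in findings:
            print(f"  - {f}")
```

Each indicator on its own is weak: a legitimately installed Tor daemon also listens on 9050, and plenty of benign software persists through the Startup folder. The value is in the combination, which is why `triage` reports all matching findings per process rather than a single verdict, so an analyst can prioritise a process that trips all three checks over one that trips only the port check.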
The malware also enumerates all running processes and reads their process memory. According to the researchers, the Command-and-Control server is developed on a LAMP stack, that is, Linux, Apache, MySQL and PHP.
ChewBacca is currently not offered in public (underground) forums, unlike other toolkits such as Zeus. Perhaps it is still in development, or the malware is just privately used or shared.
The botnet's Command-and-Control server login page has an image of a character (ChewBacca) from the Star Wars film series.
We are expecting more complex and Tor-based botnets in the future. Stay tuned to +The Hacker News - Stay Safe.