The Hacker News Logo
Subscribe to Newsletter

The Hacker News — Cyber Security and Hacking News Website: banking Trojan

'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

May 16, 2019Mohit Kumar
In a joint effort by several law enforcement agencies from 6 different countries, officials have dismantled a major global organized cybercrime network behind GozNym banking malware . GozNym banking malware is responsible for stealing nearly $100 million from over 41,000 victims across the globe, primarily in the United States and Europe, for years. GozNym was created by combining two known powerful Trojans—Gozi ISFB malware, a banking Trojan that first appeared in 2012 and Nymaim, a Trojan downloader that can also function as ransomware. In a press conference held on Thursday, Europol said the operation was successfully conducted with the cooperation between Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States. The United States has charged ten members of the GozNym criminal network, 5 of which were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine. However, rest of the five defendants reside in Russia and a
Source Code for CARBANAK Banking Malware Found On VirusTotal

Source Code for CARBANAK Banking Malware Found On VirusTotal

April 23, 2019Wang Wei
Security researchers have discovered the full source code of the Carbanak malware—yes, this time it's for real. Carbanak—sometimes referred as FIN7, Anunak or Cobalt—is one of the most full-featured, dangerous malware that belongs to an APT-style cybercriminal group involved in several attacks against banks, financial institutions, hospitals, and restaurants. In July last year, there was a rumor that the source code of Carbanak was leaked to the public, but researchers at Kaspersky Lab later confirmed that the leaked code was not the Carbanak Trojan . Now cybersecurity researchers from FireEye revealed that they found Carbanak's source code, builders, and some previously unseen plugins in two RAR archives [ 1 , 2 ] that were uploaded on the VirusTotal malware scanning engine two years ago from a Russian IP address. "CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code," researchers say. "Our goal was to find
Popular Video Editing Software Website Hacked to Spread Banking Trojan

Popular Video Editing Software Website Hacked to Spread Banking Trojan

April 11, 2019Swati Khandelwal
If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer. The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once again. According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer. Even more ironic is that despite being so popular among the multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection. Though it's unclear how hackers this time managed to hijack the website, researchers revealed that the breach was reportedly ne
Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

April 16, 2018Swati Khandelwal
Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication. In order to trick victims into installing the Android malware, dubbed Roaming Mantis , hackers have been hijacking DNS settings on vulnerable and poorly secured routers . DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more. Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher —both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers. Discovered by security researchers at Kaspersk
Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain

Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain

March 26, 2018Wang Wei
Spanish Police has arrested the alleged leader of an organised Russian cybercrime gang behind the Carbanak and Cobalt malware attacks, which stole over a billion euros from banks worldwide since 2013. In a coordinated operation with law enforcement agencies across the globe, including the FBI and Europol, Police detained the suspected leader of Carbanak hacking group in Alicante, Spain. Carbanak hacking group started its activities almost five years ago by launching a series of malware attack campaigns such as Anunak and Carbanak to compromise banks and ATM networks, from which they swiped millions of credit card details from US-based retailers. According to the Europol, the group later developed a sophisticated heist-ready banking malware known as Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016. "The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist,
Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts

Banking Trojan Gains Ability to Steal Facebook, Twitter and Gmail Accounts

November 17, 2017Swati Khandelwal
Security researchers have discovered a new, sophisticated form of malware based on the notorious Zeus banking Trojan that steals more than just bank account details. Dubbed Terdot, the banking Trojan has been around since mid-2016 and was initially designed to operate as a proxy to conduct man-in-the-middle (MitM) attacks, steal browsing information such as stored credit card information and login credentials and injecting HTML code into visited web pages. However, researchers at security firm Bitdefender have discovered that the banking Trojan has now been revamped with new espionage capabilities such as leveraging open-source tools for spoofing SSL certificates in order to gain access to social media and email accounts and even post on behalf of the infected user. Terdot banking trojan does this by using a highly customized man-in-the-middle (MITM) proxy that allows the malware to intercept any traffic on an infected computer. Besides this, the new variant of Terdot
New Ransomware Not Just Encrypts Your Android But Also Changes PIN Lock

New Ransomware Not Just Encrypts Your Android But Also Changes PIN Lock

October 13, 2017Swati Khandelwal
DoubleLocker —as the name suggests, it locks device twice. Security researchers from Slovakia-based security software maker ESET have discovered a new Android ransomware that not just encrypts users’ data, but also locks them out of their devices by changing lock screen PIN. On top of that: DoubleLocker is the first-ever ransomware to misuse Android accessibility —a feature that provides users alternative ways to interact with their smartphone devices, and mainly misused by Android banking Trojans to steal banking credentials. "Given its banking malware roots, DoubleLocker may well be turned into what could be called ransom-bankers," said Lukáš Štefanko, the malware researcher at ESET. "Two-stage malware that first tries to wipe your bank or PayPal account and subsequently locks your device and data to request a ransom." Researchers believe DoubleLocker ransomware could be upgraded in future to steal banking credentials as well, other than just ext
WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

August 02, 2017Swati Khandelwal
Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to give its banking Trojan the self-spreading worm-like capabilities that made recent ransomware attacks go worldwide. The new version of credential stealing TrickBot banking Trojan, known as " 1000029 " ( v24 ), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly. TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year. The Trojan generally spreads via email attachments impersonating invoices from a large unnamed "international financial institution," but actually leads victims to a fake login page used to steal credenti
Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros

Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros

June 07, 2017Mohit Kumar
" Disable macros and always be extra careful when you manually enable it while opening Microsoft Office Word documents. " You might have heard of above-mentioned security warning multiple times on the Internet as hackers usually leverage this decade old macros-based hacking technique to hack computers through specially crafted Microsoft Office files, particularly Word, attached to spam emails. But a new social engineering attack has been discovered in the wild, which doesn't require users to enable macros ; instead it executes malware on a targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file. Moreover, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves/hovers a mouse over a link (as shown), which downloads an additional payload on the compromised machine -- even without clicking it. Researchers at Security firm SentinelOne have discovered that a group of hackers is using malicious PowerPoi
Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store

Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store

April 13, 2017Wang Wei
Do you like watching funny videos online? I am not kind of a funny person, but I love watching funny videos clips online, and this is one of the best things that people can do in their spare time. But, beware if you have installed a funny video app from Google Play Store. A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017 , on Google Play Store. Niels Croese, the security researcher at Securify B.V firm, analyzed the Funny Videos app that has 1,000 to 5,000 installs and found that the app acts like any of the regular video applications on Play Store, but in the background, it targets victims from banks around the world. This newly discovered banking Trojan works like any other banking malware, but two things that makes it different from others are — its capability to target victims and use of DexProtector tool to obfuscate the app's code. Dubbed BankBot , the banking
Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan

Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan

April 11, 2017Swati Khandelwal
If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office. Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan . Dridex is currently one of the most dangerous banking trojans on the Internet that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating PCs and stealing victim's online banking credentials and financial data. The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails. However, this is the first time when researchers found the Dridex operators using an unpatched zero-day flaw
Russian Hacker Pleads Guilty to Developing and Distributing Citadel Trojan

Russian Hacker Pleads Guilty to Developing and Distributing Citadel Trojan

March 23, 2017Wang Wei
A Russian man accused of developing and distributing the Citadel Banking Trojan , which infected nearly 11 Million computers globally and caused over $500 Million in losses, has finally pleaded guilty to charges of computer fraud. Mark Vartanyan, 29, who was very well known as " Kolypto ," pleaded guilty in an Atlanta courtroom on Monday to charges related to computer fraud and is now co-operating with federal prosecutors in return for a reduced sentence of no more than five years in prison. Vartanyan, a native of Moscow, was arrested in Norway in October 2014 and extradited to the United States in December last year. He was involved in the development, improvement, maintenance and distribution of the nasty Citadel Trojan. "This successful extradition is yet another example of how cooperation among international law enforcement partners can be used to disrupt and dismantle global cyber syndicates," said U.S. Attorney John Horn. "This defendant's
Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection

Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection

March 01, 2017Swati Khandelwal
Security researchers have discovered a new variant of Dridex – one of the most nefarious banking Trojans actively targeting financial sector – with a new, sophisticated code injection technique and evasive capabilities called " AtomBombing ." On Tuesday, Magal Baz, security researcher at Trusteer IBM  disclosed new research, exposing the new Dridex version 4, which is the latest version of the infamous financial Trojan and its new capabilities. Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data. However, by including AtomBombing capabilities, Dridex becomes the first ever malware sample to utilize such sophisticated code injection technique to evade detection. What is "AtomBombing" Technique? Code injection te
Source Code for another Android Banking Malware Leaked

Source Code for another Android Banking Malware Leaked

January 23, 2017Swati Khandelwal
Another bad news for Android users — Source code for another Android banking malware has been leaked online via an underground hacking forum. This newly discovered banking Trojan is designed to steal money from bank accounts of Android devices' owners by gaining administrator privileges on their smartphones. Apparently, it will attract the attention of many cyber criminals who can recompile the source code or can also use it to develop more customized and advanced variants of Android banking Trojans. According to security researchers from Russian antivirus maker Dr. Web, the malware's source code was posted online, along with the information on how to use it, meaning Android devices are most likely to receive an increasing number of cyber attacks in upcoming days. Leaked: Trojan Source Code + 'How to Use' Instructions Dr. Web researchers said they have already discovered one banking trojan in the wild developed using this leaked source code, adding that th
Over 300,000 Android Devices Hacked Using Chrome Browser Vulnerability

Over 300,000 Android Devices Hacked Using Chrome Browser Vulnerability

November 09, 2016Wang Wei
A vulnerability in Chrome for Android is actively being exploited in the wild that allows hackers to quietly download banking trojan apps (.apk) onto victim's’ device without their confirmation. You might have encountered a pop-up advertisement that appears out of nowhere and surprise you that your mobile device has been infected with a dangerous virus and instructs you to install a security app to remove it immediately. This malicious advertising web page automatically downloads an Android app installation (.apk) file to your device without requiring any approval. Citing malware threats on your mobile device, attackers trick you to change your device's settings to allow installation of the third-party apps from stores other than Google Play Store and install the banking trojan app on your device. Kaspersky researchers Mikhail Kuzin and Nikita Buchka discovered one such widespread malicious advertising campaign across Russian news sites and popular websites. Since
Russia arrests 50 hackers who stole $25 million from Banks

Russia arrests 50 hackers who stole $25 million from Banks

June 03, 2016Mohit Kumar
Russian authorities have arrested a gang of 50 hackers suspected of stealing more than 1.7 Billion Rubles ( over US$25 Million ) from banks and other financial institutions in the country since 2011. The same criminal gang had tried to steal a further 2.273 Billion Roubles by issuing false payment instructions, but that were blocked. The group allegedly used a Trojan called " Lurk " to set up a network of bots on infected computers to carry out the attacks, according to Russia's FSB ( Federal Security Service ). Initially identified in 2012, Lurk is a "fileless" Trojan that runs in RAM and has mostly been used for collecting banking credentials, especially for banks in Eastern Europe and the Russian Federation. The criminal gang allegedly seeded some of Russia's most popular websites with Lurk. Once infected, the malware downloaded more software modules, allowing the hackers to gain remote access to victims' computers. The hackers then stole
Creators of  SpyEye Virus Sentenced to 24 Years in Prison

Creators of SpyEye Virus Sentenced to 24 Years in Prison

April 21, 2016Swati Khandelwal
In Brief Two International hackers, Aleksandr Andreevich Panin and Hamza Bendelladj, have been sentenced to a combined 24 years and 6 months in prison for their roles in developing and distributing SpyEye banking trojan, a powerful botnet similar to the infamous ZeuS malware. Both hackers were charged with stealing hundreds of millions of dollars from banking institutions worldwide. Masterminds behind the development and distribution of the infamous " SpyEye " botnet have finally been sentenced to a combined total of 24 years and 6 months in prison. Aleksandr Andreevich Panin and Hamza Bendelladj have been sentenced for their roles in developing and distributing SpyEye malware that is said to have caused hundreds of millions of dollars in losses to the financial sector, the U.S. Justice Department said  on Wednesday. SpyEye, a successor to the notorious Zeus banking malware , has affected financial institutions since 2009. Once infected, the malware connects t
Russian Hackers Manipulate Ruble-Dollar Exchange Rate with Malware

Russian Hackers Manipulate Ruble-Dollar Exchange Rate with Malware

February 09, 2016Unknown
Russian Group of Hackers reportedly cracked into the Kazan-based Energobank and messed up with the Ruble-Dollar exchange rates. In Feb 2015, a hacking group, known by the name METEL , successfully breached into the Russian Regional Bank for just 14 minutes and caused the exchange rate to fluctuate between 55 and 66 rubles per dollar, which finally resulted in the increment of Ruble’s value. Here's how they did it: According to Russian security firm, Group-IB, who investigated the incident, the Metel Hacking group infected Kazan-based Energobank with a virus known as the Corkow Trojan and placed more than $500 million in orders at non-market rates. “ This is the first documented attack using this virus, and it has the potential to do much more damage ,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, told Bloomberg . The hackers had taken the advantage of Spear Phishing Technique, which appears to come from a legit source. A single click
Hackers behind Dyre Malware Busted in Police Raid

Hackers behind Dyre Malware Busted in Police Raid

February 08, 2016Swati Khandelwal
The world's most notorious financial hacking operation disrupted by Russian authorities in November, when they raided the offices associated with a Moscow-based film and production company named 25th Floor . According to the Russian authorities, 25th Floor was allegedly involved in distributing the notorious password-stealing malware known as Dyre Banking Trojan . Malware Costs Hundreds of $$$ Millions in Losses The Dyre banking Trojan was typically distributed via spam campaigns and was responsible for over hundreds of millions of dollars in losses at banking and financial institutions, including Bank of America Corp, PayPal, and JPMorgan Chase & Co. Dyre , also known as Dyreza , first appeared in July 2014 and updated to target Windows 10 systems and its newest Edge browser. However, Dyre has not been in use since the November raid, according to cyber security experts, who said the raid represents Russia's biggest effort up to date in cracking down
Someone Hijacks Botnet Network & Replaces Malware with an Antivirus

Someone Hijacks Botnet Network & Replaces Malware with an Antivirus

February 05, 2016Mohit Kumar
The Dridex banking trojan that is widely being used by cyber criminals to distribute malware onto users’ machines has now been found distributing a security software. A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown Whitehat Hacker, who replaced the malicious links with  Avira Antivirus  installers. What is Dridex Banking Trojan? How it Works? Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again. The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document integrated with malicious macros. Once the malicious file has been clicked, the macros download and install the main payload of the virus – th
Exclusive Deals

Get Daily News Updates By Email

Join over 350,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.