The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: banking malware

TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

TrickBot Mobile App Bypasses 2‐Factor Authentication for Net Banking Services

March 25, 2020Ravie Lakshmanan
The malware authors behind TrickBot banking Trojan have developed a new Android app that can intercept one-time authorization codes sent to Internet banking customers via SMS or relatively more secure push notifications, and complete fraudulent transactions. The Android app, called " TrickMo " by IBM X-Force researchers, is under active development and has exclusively targeted German users whose desktops have been previously infected with the TrickBot malware. "Germany is one of the first attack turfs TrickBot spread to when it first emerged in 2016," IBM researchers said. "In 2020, it appears that TrickBot's vast bank fraud is an ongoing project that helps the gang monetize compromised accounts." The name TrickMo is a direct reference to a similar kind of Android banking malware called ZitMo that was developed by Zeus cybercriminal gang in 2011 to defeat SMS-based two-factor authentication. The development is the latest addition in the ars
Russian Hacker Behind NeverQuest Banking Malware Gets 4 Years in U.S. Prison

Russian Hacker Behind NeverQuest Banking Malware Gets 4 Years in U.S. Prison

November 22, 2019Swati Khandelwal
A Russian hacker who created and used Neverquest banking malware to steal money from victims' bank accounts has finally been sentenced to 4 years in prison by the United States District Court for the Southern District of New York. Stanislav Vitaliyevich Lisov , 34, was arrested by Spanish authorities at Barcelona–El Prat Airport in January 2017 on the request of the FBI and extradited to the United States in 2018. Earlier this year, Lisov pleaded guilty to one count of conspiracy to commit computer hacking, involving attempts to steal at least $4.4 million from hundreds of victims using the NeverQuest banking trojan. Just like any other sophisticated banking Trojan, NeverQuest , aka Vawtrak or Snifula, has also been designed to let attackers remotely control infected computers and steal a wide range of sensitive information. Besides stealing login information for banking or other financial accounts using a keylogger or web form injection techniques, the malware was also c
Cerberus: A New Android 'Banking Malware For Rent' Emerges

Cerberus: A New Android 'Banking Malware For Rent' Emerges

August 13, 2019Swati Khandelwal
After a few popular Android Trojans like  Anubis ,  Red Alert 2.0 ,  GM bot , and Exobot, quit their malware-as-a-service businesses, a new player has emerged on the Internet with similar capabilities to fill the gap, offering Android bot rental service to the masses. Dubbed " Cerberus ," the new remote access Trojan allows remote attackers to take total control over the infected Android devices and also comes with banking Trojan capabilities like the use of overlay attacks, SMS control, and contact list harvesting. According to the author of this malware, who is surprisingly social on Twitter and mocks security researchers and antivirus industry openly, Cerberus has been coded from scratch and doesn't re-use any code from other existing banking Trojans. The author also claimed to be using the Trojan for private operations for at least two years before renting it out for anyone interested from the past two months at $2000 for 1 month usage, $7000 for 6 months and
'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

'GozNym' Banking Malware Gang Dismantled by International Law Enforcement

May 16, 2019Mohit Kumar
In a joint effort by several law enforcement agencies from 6 different countries, officials have dismantled a major global organized cybercrime network behind GozNym banking malware . GozNym banking malware is responsible for stealing nearly $100 million from over 41,000 victims across the globe, primarily in the United States and Europe, for years. GozNym was created by combining two known powerful Trojans—Gozi ISFB malware, a banking Trojan that first appeared in 2012 and Nymaim, a Trojan downloader that can also function as ransomware. In a press conference held on Thursday, Europol said the operation was successfully conducted with the cooperation between Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States. The United States has charged ten members of the GozNym criminal network, 5 of which were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine. However, rest of the five defendants reside in Russia and a
Source Code for CARBANAK Banking Malware Found On VirusTotal

Source Code for CARBANAK Banking Malware Found On VirusTotal

April 23, 2019Wang Wei
Security researchers have discovered the full source code of the Carbanak malware—yes, this time it's for real. Carbanak—sometimes referred as FIN7, Anunak or Cobalt—is one of the most full-featured, dangerous malware that belongs to an APT-style cybercriminal group involved in several attacks against banks, financial institutions, hospitals, and restaurants. In July last year, there was a rumor that the source code of Carbanak was leaked to the public, but researchers at Kaspersky Lab later confirmed that the leaked code was not the Carbanak Trojan . Now cybersecurity researchers from FireEye revealed that they found Carbanak's source code, builders, and some previously unseen plugins in two RAR archives [ 1 , 2 ] that were uploaded on the VirusTotal malware scanning engine two years ago from a Russian IP address. "CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code," researchers say. "Our goal was to find
Popular Video Editing Software Website Hacked to Spread Banking Trojan

Popular Video Editing Software Website Hacked to Spread Banking Trojan

April 11, 2019Swati Khandelwal
If you have downloaded the VSDC multimedia editing software between late February to late March this year, there are high chances that your computer has been infected with a banking trojan and an information stealer. The official website of the VSDC software — one of the most popular, free video editing and converting app with over 1.3 million monthly visitors — was hacked, unfortunately once again. According to a new report Dr. Web published today and shared with The Hacker News, hackers hijacked the VSDC website and replaced its software download links leading to malware versions, tricking visitors into installing dangerous Win32.Bolik.2 banking trojan and KPOT stealer. Even more ironic is that despite being so popular among the multimedia editors, the VSDC website is running and offering software downloads over an insecure HTTP connection. Though it's unclear how hackers this time managed to hijack the website, researchers revealed that the breach was reportedly ne
Dark Tequila Banking Malware Uncovered After 5 Years of Activity

Dark Tequila Banking Malware Uncovered After 5 Years of Activity

August 21, 2018Swati Khandelwal
Security researchers at Kaspersky Labs have uncovered a new, complex malware campaign that has been targeting customers of several Mexican banking institutions since at least 2013. Dubbed Dark Tequila , the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques. Dark Tequila has primarily been designed to steal victims' financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars. The list of targeted sites includes "Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services," the researchers say in a blog post . The malware gets delivered to the victims' comp
3 Carbanak (FIN7) Hackers Charged With Stealing 15 Million Credit Cards

3 Carbanak (FIN7) Hackers Charged With Stealing 15 Million Credit Cards

August 02, 2018Swati Khandelwal
Three members of one of the world's largest cybercrime organizations that stole over a billion euros from banks across the world over the last five years have been indicted and charged with 26 felony counts, the Justice Department announced on Wednesday. The three suspects are believed to be members of the organized Russian cybercrime group known as FIN7 , the hackers group behind Carbanak and Cobalt malware and were arrested last year in Europe between January and June. The suspects—Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30—are all from Ukraine and accused of targeting 120 companies based in the United States, as well as U.S. individuals. The victims include Chipotle Mexican Grill, Jason's Deli, Red Robin Gourmet Burgers, Sonic Drive-in, Taco John's, Chili's, Arby's, and Emerald Queen Hotel and Casino in Washington state. Carbanak (FIN7) Group Charged for Stealing 15 Million Credit Cards According to the press release published
Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain

Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain

March 26, 2018Wang Wei
Spanish Police has arrested the alleged leader of an organised Russian cybercrime gang behind the Carbanak and Cobalt malware attacks, which stole over a billion euros from banks worldwide since 2013. In a coordinated operation with law enforcement agencies across the globe, including the FBI and Europol, Police detained the suspected leader of Carbanak hacking group in Alicante, Spain. Carbanak hacking group started its activities almost five years ago by launching a series of malware attack campaigns such as Anunak and Carbanak to compromise banks and ATM networks, from which they swiped millions of credit card details from US-based retailers. According to the Europol, the group later developed a sophisticated heist-ready banking malware known as Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016. "The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist,
BankBot Returns On Play Store – A Never Ending Android Malware Story

BankBot Returns On Play Store – A Never Ending Android Malware Story

November 20, 2017Mohit Kumar
Even after so many efforts by Google for making its Play Store away from malware, shady apps somehow managed to fool its anti-malware protections and infect people with malicious software. A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, of which one spreads a new version of BankBot , a persistent family of banking Trojan that imitates real banking applications in efforts to steal users' login details. BankBot has been designed to display fake overlays on legitimate bank apps from major banks around the world, including Citibank, WellsFargo, Chase, and DiBa, to steal sensitive information, including logins and credit card details. With its primary purpose of displaying fake overlays, BankBot has the ability to perform a broad range of tasks, such as sending and intercepting SMS messages, making calls, tracking infected devices, and stealing contacts. Google removed at least four previous versions
Google Begins Removing Play Store Apps Misusing Android Accessibility Services

Google Begins Removing Play Store Apps Misusing Android Accessibility Services

November 14, 2017Swati Khandelwal
Due to rise in malware and adware abusing Android accessibility services, Google has finally decided to take strict steps against the apps on its app platform that misuse this feature. Google has emailed Android app developers informing them that within 30 days, they must show how accessibility code used in their apps is helping disabled users or their apps will be removed from its Play Store entirely. For those who are unaware, Android's accessibility services are meant to help disabled people interact with their smartphone devices ( such as automatically filling out forms, overlaying content or switching between apps ) by allowing app-makers to integrate verbal feedback, voice commands and more in their apps. Many popular Android apps use the accessibility API to legitimately provide users with benefits, but over the past few months, we have seen a series of malware, including DoubleLocker ransomware, Svpeng , and BankBot , misusing this feature to infect people. Re
Marcus Hutchins (MalwareTech) Gets $30,000 Bail, But Can't Leave United States

Marcus Hutchins (MalwareTech) Gets $30,000 Bail, But Can't Leave United States

August 05, 2017Swati Khandelwal
Marcus Hutchins, the malware analyst who helped stop global Wannacry menace , has reportedly pleaded not guilty to charges of creating and distributing the infamous Kronos banking malware and is set to release on $30,000 bail on Monday. Hutchins, the 23-year-old who operates under the alias MalwareTech on Twitter, stormed to fame and hailed as a hero over two months ago when he stopped a global epidemic of the WannaCry ransomware attack by finding a kill switch in the malware code. MalwareTech Arrested After Attending Def Con Event Hutchins was recently arrested at the McCarran International Airport before he could board his flight back to the U.K. after attending Def Con event for his alleged role in creating and distributing the Kronos Banking Trojan between 2014-2015. Kronos is a Banking Trojan designed to steal banking credentials and personal information from victims' computers, which was sold for $7,000 on Russian online forums. MalwareTech to Pay $30,000 for
WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

WannaCry Inspires Banking Trojan to Add Self-Spreading Ability

August 02, 2017Swati Khandelwal
Although the wave of WannaCry and Petya ransomware has now been slowed down, money-motivated hackers and cyber criminals have taken lessons from the global outbreaks to make their malware more powerful. Security researchers have now discovered at least one group of cyber criminals that are attempting to give its banking Trojan the self-spreading worm-like capabilities that made recent ransomware attacks go worldwide. The new version of credential stealing TrickBot banking Trojan, known as " 1000029 " ( v24 ), has been found using the Windows Server Message Block (SMB)—that allowed WannaCry and Petya to spread across the world quickly. TrickBot is a banking Trojan malware that has been targeting financial institutions across the world since last year. The Trojan generally spreads via email attachments impersonating invoices from a large unnamed "international financial institution," but actually leads victims to a fake login page used to steal credenti
Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros

Beware! This Microsoft PowerPoint Hack Installs Malware Without Requiring Macros

June 07, 2017Mohit Kumar
" Disable macros and always be extra careful when you manually enable it while opening Microsoft Office Word documents. " You might have heard of above-mentioned security warning multiple times on the Internet as hackers usually leverage this decade old macros-based hacking technique to hack computers through specially crafted Microsoft Office files, particularly Word, attached to spam emails. But a new social engineering attack has been discovered in the wild, which doesn't require users to enable macros ; instead it executes malware on a targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file. Moreover, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves/hovers a mouse over a link (as shown), which downloads an additional payload on the compromised machine -- even without clicking it. Researchers at Security firm SentinelOne have discovered that a group of hackers is using malicious PowerPoi
Cyber Crime Gang Arrested for Infecting Over 1 Million Phones with Banking Trojan

Cyber Crime Gang Arrested for Infecting Over 1 Million Phones with Banking Trojan

May 23, 2017Swati Khandelwal
The Russian Interior Ministry announced on Monday the arrest of 20 individuals from a major cybercriminal gang that had stolen nearly $900,000 from bank accounts after infecting over one million Android smartphones with a mobile Trojan called "CronBot." Russian Interior Ministry representative Rina Wolf said the arrests were part of a joint effort with Russian IT security firm Group-IB that assisted the massive investigation. The collaboration resulted in the arrest of 16 members of the Cron group in November 2016, while the last active members were apprehended in April 2017, all living in the Russian regions of Ivanovo, Moscow, Rostov, Chelyabinsk, and Yaroslavl and the Republic of Mari El. Targeted Over 1 Million Phones — How They Did It? Group-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps. The Cron malware gang abused the popularity of SMS-banking
Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store

Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store

April 13, 2017Wang Wei
Do you like watching funny videos online? I am not kind of a funny person, but I love watching funny videos clips online, and this is one of the best things that people can do in their spare time. But, beware if you have installed a funny video app from Google Play Store. A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017 , on Google Play Store. Niels Croese, the security researcher at Securify B.V firm, analyzed the Funny Videos app that has 1,000 to 5,000 installs and found that the app acts like any of the regular video applications on Play Store, but in the background, it targets victims from banks around the world. This newly discovered banking Trojan works like any other banking malware, but two things that makes it different from others are — its capability to target victims and use of DexProtector tool to obfuscate the app's code. Dubbed BankBot , the banking
Dridex Banking Trojan Gains ‘AtomBombing’ Code Injection Ability to Evade Detection

Dridex Banking Trojan Gains 'AtomBombing' Code Injection Ability to Evade Detection

March 01, 2017Swati Khandelwal
Security researchers have discovered a new variant of Dridex – one of the most nefarious banking Trojans actively targeting financial sector – with a new, sophisticated code injection technique and evasive capabilities called " AtomBombing ." On Tuesday, Magal Baz, security researcher at Trusteer IBM  disclosed new research, exposing the new Dridex version 4, which is the latest version of the infamous financial Trojan and its new capabilities. Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data. However, by including AtomBombing capabilities, Dridex becomes the first ever malware sample to utilize such sophisticated code injection technique to evade detection. What is "AtomBombing" Technique? Code injection te
Polish Banks Hacked using Malware Planted on their own Government Site

Polish Banks Hacked using Malware Planted on their own Government Site

February 06, 2017Swati Khandelwal
In what considered to be the largest system hack in the country's history and a massive attack on the financial sector, several banks in Poland have been infected with malware. What's surprising? The source of the malware infection is their own financial regulator, the Polish Financial Supervision Authority (KNF) -- which, ironically, is meant to keep an eye out for the safety and security of financial systems in Poland. During the past week, the security teams at several unnamed Polish banks discovered malicious executables on the workstations of several banks. The KNF confirmed that their internal systems had been compromised by someone " from another country, " although no specifications were provided. After downloads of suspicious files that were infecting various banking systems had been discovered on the regulator's servers, the KNF decided to take down its entire system " in order to secure evidence. " Here's what happened: An
Source Code for another Android Banking Malware Leaked

Source Code for another Android Banking Malware Leaked

January 23, 2017Swati Khandelwal
Another bad news for Android users — Source code for another Android banking malware has been leaked online via an underground hacking forum. This newly discovered banking Trojan is designed to steal money from bank accounts of Android devices' owners by gaining administrator privileges on their smartphones. Apparently, it will attract the attention of many cyber criminals who can recompile the source code or can also use it to develop more customized and advanced variants of Android banking Trojans. According to security researchers from Russian antivirus maker Dr. Web, the malware's source code was posted online, along with the information on how to use it, meaning Android devices are most likely to receive an increasing number of cyber attacks in upcoming days. Leaked: Trojan Source Code + 'How to Use' Instructions Dr. Web researchers said they have already discovered one banking trojan in the wild developed using this leaked source code, adding that th
Exclusive Offers

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.