Malware written from scratch is rare, both online and in the underground. Aside from private ventures, source code for the most popular Trojans, including Zeus, Citadel, and Carberp, is available online, which makes it easy for attackers to grab the malware they want and get started.
While source code for popular malware can be found in various corners of the internet, newly developed malware and banking Trojans are rarely seen. The RSA Security FraudAction team released a report on a newly uncovered banking Trojan named Pandemiya, which is being promoted on underground forums as an alternative to the Zeus Trojan and its counterparts.
Pandemiya is being sold for $1,500 for the core banking Trojan itself, or $2,000 for the core Trojan plus additional add-ons that extend its functionality. The Trojan was built with a modular design, meaning it can be extended with external plugins, which in turn lets malicious hackers implement additional features themselves by writing new DLLs.
The RSA Security FraudAction team said the author spent over a year developing Pandemiya, which contains 25,000 lines of original code written in C. RSA reported the malware as unique because it is not based on any previous malware source such as Zeus.
Whether original Trojans will gain traction is unknown, but Pandemiya surfaces in light of the recent takedown of the GameOver Zeus botnet. GameOver Zeus was a well-known peer-to-peer botnet that was also reported to have spread the CryptoLocker ransomware. While Pandemiya has no connection to GameOver Zeus or its takedown, those malware families are well known to security researchers and their detection tools, which is exactly what makes a newly written Trojan attractive to buyers.
Pandemiya is reported to contain a number of the core features common banking Trojans rely on: web injects, form grabbers, file grabbers, a loader, and digitally signed files to bypass detection, among others. Communication with the command-and-control (C&C) panel is also encrypted.
Upgrading from the $1,500 package to the $2,000 package adds plugins for a reverse proxy, an FTP credential stealer, and a portable executable (PE) infector that injects the malware into executables so it runs at startup. Plugins reported to be in development include a hidden reverse RDP module and a Facebook spreader, which could be used to hijack other users' Facebook credentials and push the Trojan to their contacts, making it spread virally.
A number of Trojans today spread through social networks; where instant messaging services were once the prime target, a Trojan can now spread when a 'friend' shares an infected link. Uri Fleyder, the cybercrime research lab manager at RSA, said that spreading malware on social networks is "a classic example of social engineering."
Pandemiya is being spread using exploit kits and drive-by attacks that infect computers as victims browse. The malware hooks a number of running processes in order to steal browser traffic, HTTP form data, and credentials. Pandemiya is also able to take screenshots, search the file system for files of interest, and compress the data before exfiltrating the victim's files.
Only time will tell if Pandemiya will take over from other popular banking Trojans.