Banking Blitzkrieg: Still a ThreatMcAfee Says Prinimalka Trojan Attacks Quietly Continuing
Although a coordinated blitzkrieg-like malware attack expected to strike 30 U.S. banking institutions this spring has so far apparently failed to materialize, one security expert says banks should nevertheless remain vigilant in their detection and defenses.
See Also: Beginners Guide to Observability
Sherstobitoff says attacks against U.S. banks using Gozi Prinimalka, the Trojan behind the planned blitzkrieg, are quietly continuing, with the most recent infection discovered April 4.
Now the concern is that attacks tied to Blitzkrieg will go undetected because banking institutions are distracted by ongoing distributed-denial-of-service attacks waged against them by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters, he says.
Banking institutions must guard against ignoring the threat that Gozi Prinimalka poses, Sherstobitoff says. As DDoS attacks strike, fraudsters not related to the hacktivists could take advantage of distracted and strained IT and security systems and departments, he warns.
"The last variant of Gozi Prinimalka we saw in the wild that was new was in December 2012," Sherstobitoff says. "But they can take Prinimalka and just repackage it, which means it can get by existing anti-virus systems undetected."
With a simple modification of Prinimalka's binary code, the Trojan becomes an unknown sample to most anti-virus software, he says. So banking institutions need remain vigilant, keep anti-virus software up-to-date and know that Project Blitzkrieg is an ongoing campaign.
"I don't think they're going to launch it in that exact format, which was advertised in the fall, with a massive attack against banks," Sherstobitoff says. "I think there has been and will be a more silent execution of attacks."
Updates about the attacks and the campaign to recruit botmasters are no longer appearing in underground forums, he says. Researchers at RSA also said they had not seen any new information about the blitzkrieg campaign. But since McAfee's systems are continuing to track incidents, Sherstobitoff knows the absence of posts in forums is not an indication that the attacks have stopped.
Spring 2013 Attacks
On Oct. 4, 2012, RSA discovered a new type of malware that closely resembled the legacy man-in-the-middle Trojan known as Gozi. The new Trojan, aimed at 30 U.S. banking institutions, would give hackers the ability to manually set up fraudulent wire transfers in real time, RSA said.
RSA also noted that 100 botmasters were being recruited to help carry out the coordinated attack.
But as time went on, some experts questioned the attack, as well as the motives of its coordinator, a hacker known as vorVzakone, namely because of his public and open recruitment of botmasters, Sherstobitoff told BankInfoSecurity in December.
McAfee, RSA and other security firms, including Trend Micro, subsequently confirmed the legitimacy of the attack. In mid-October, Trend Micro named 26 U.S. institutions it had identified as targets, based on configurations contained in Gozi Prinimalka's code.
Sherstobitoff at time said the arrests could prove damaging to Blitzkrieg. But ongoing research suggests Gozi Prinimalka attacks linked to Blitzkrieg are alive and well, he now says.
The McAfee researcher will not reveal which banking institutions have been affected by the Trojan so far or how many of those have suffered losses tied to the attacks. But he warns the attacks are continuing.
"We are set up to look for new Prinimalka campaigns, and the telemetry is showing that the most recent infection was just a week ago," he says.
The greatest fear now is that Blitzkrieg attacks are piggy-backing on the DDoS attacks, Sherstobitoff says.
"They could be attacking and hiding in the shadows," he says. "From a conservative figure, we found 500 [PCs] infected [with Prinimalka], but other research suggests it's more like tens of thousands infected. Why would vorVzakone just disappear and give up a successful campaign? There are more attacks going on, They're just more silent, selectively infecting people over a longer period of time."