RSA warns of another round of cyber-gang controlled bank attacks coming – Project Blitzkrieg on the horizon

// October 10th, 2012 // Hacking and Security

RSA has warned that another wave of attacks on major banks is coming. Unlike the DDoS-style attacks we saw last week, this one is organized by a cyber-gang intent on pilfering money through a banking Trojan RSA has dubbed “Gozi Prinimalka”.

RSA explained:

“In one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.”

RSA has monitored underground forum posts and analyzed the Trojan, which it has dubbed “Gozi Prinimalka”, and determined that the gang appears to originate in Russia. According to the underground chatter, the attack will use the Trojan for manual man-in-the-middle (MiTM) session hijacking, with an operator taking over the victim’s online-banking session to initiate fraudulent wire transfers. RSA notes that banks may not become immediately aware of the attacks, since their customers, not the banks themselves, will be the targets. Who is behind the proposed attack is not clear, but it may be the HangUp Team.

“Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team—a group that was previously known to launch Gozi infection campaigns—or a group closely affiliated with it, may be the troupe behind this ambitious scheme.”

RSA explained the communications architecture and unique deployment method of the attack:

“Gozi Prinimalka features virtually identical bot-server communication patterns and URL trigger list, but its deployment on infected PCs is very different. Whereas Gozi writes a single DLL file to its bots upon deployment, Prinimalka creates two files: An EXE file and a DAT file, with the latter reporting to the server the machine’s details and all the software installed on it. In addition, the registry keys and values written by Prinimalka and Gozi are completely different.”

Two notable characteristics stand out:

“A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.”

In addition:

“Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.”
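The two characteristics quoted above attack the bank’s fraud controls from both ends: the synced VM plus the victim-side SOCKS proxy defeats device and IP binding, and the phone flooding defeats the out-of-band confirmation that is supposed to catch what device binding misses. The following is an added example, not code from the article or from RSA’s report: a toy model of a bank’s transfer-authorization logic that shows why a device-binding check built from browser-visible attributes cannot tell the clone from the real customer, and why the confirmation step must treat an unreachable customer as “hold”, never as consent. Every name, attribute, threshold and record in it (the `Session` fields, the enrolment record, the 1,000 threshold, the `fail_open` policy flag) is a constructed assumption for illustration, not something taken from the page.

```python
"""Added example, not from the article or from RSA's report: a toy model of a
bank's transfer-authorization logic. All names, attributes, thresholds and
records below are constructed for illustration; none comes from the page.
"""
from dataclasses import dataclass, replace
from enum import Enum


@dataclass(frozen=True)
class Session:
    """What a bank's web tier observes for a login (constructed attributes)."""
    src_ip: str
    user_agent: str
    screen: str
    timezone: str


class Confirmation(Enum):
    CONFIRMED = "confirmed"      # customer answered the call/SMS and approved
    REJECTED = "rejected"        # customer answered and said "not me"
    UNREACHABLE = "unreachable"  # no answer in the window, e.g. line flooded


class Decision(Enum):
    APPROVE = "approve"
    HOLD = "hold"    # park the transfer for manual review / retry later
    DENY = "deny"


# Constructed enrolment record: the victim's usual device and home IP.
VICTIM_ENROLLED = Session(
    src_ip="203.0.113.45",
    user_agent="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 Chrome/22.0.1229.94",
    screen="1366x768",
    timezone="America/New_York",
)

# The attacker's synced VM, connecting through the SOCKS proxy on the
# victim's infected PC: identical attributes and the victim's own source IP.
CLONED_SESSION = replace(VICTIM_ENROLLED)

# The same cloned VM connecting directly, without the victim-side proxy.
CLONED_FROM_OWN_IP = replace(VICTIM_ENROLLED, src_ip="198.51.100.7")


def device_binding_ok(enrolled: Session, observed: Session) -> bool:
    """Typical device-binding check: known IP plus known browser fingerprint.

    Every attribute compared here is readable from the victim's PC, so a
    clone built from stolen values is indistinguishable from the real device.
    """
    return enrolled == observed


def needs_out_of_band(amount: float, payee_known: bool,
                      threshold: float = 1000.0) -> bool:
    """New payees and large amounts trigger the confirmation call or SMS."""
    return (not payee_known) or amount >= threshold


def authorize_transfer(enrolled: Session, observed: Session, amount: float,
                       payee_known: bool, confirmation: Confirmation,
                       fail_open: bool = False) -> Decision:
    """Decide a wire transfer. `fail_open` models the weak policy in which
    an unreachable customer is treated as implicit consent."""
    if not device_binding_ok(enrolled, observed):
        return Decision.HOLD          # unknown device: always step up
    if not needs_out_of_band(amount, payee_known):
        return Decision.APPROVE       # routine transfer, no callback needed
    if confirmation is Confirmation.CONFIRMED:
        return Decision.APPROVE
    if confirmation is Confirmation.REJECTED:
        return Decision.DENY
    # UNREACHABLE is exactly the state the phone flooding is meant to produce.
    return Decision.APPROVE if fail_open else Decision.HOLD


def run_scenario(fail_open: bool) -> Decision:
    """Attacker sends 9,500 to a new payee from the cloned, proxied session
    while the victim's phone is flooded and the confirmation goes unanswered."""
    return authorize_transfer(VICTIM_ENROLLED, CLONED_SESSION, amount=9500.0,
                              payee_known=False,
                              confirmation=Confirmation.UNREACHABLE,
                              fail_open=fail_open)


if __name__ == "__main__":
    print("fingerprint check passes for clone:",
          device_binding_ok(VICTIM_ENROLLED, CLONED_SESSION))
    print("fail-open policy  :", run_scenario(fail_open=True).value)
    print("fail-closed policy:", run_scenario(fail_open=False).value)
```

The point of the model is the first line of `authorize_transfer`: with the clone proxied through the victim’s PC, `device_binding_ok` returns `True`, so the transfer sails straight to the confirmation step, and with a fail-open policy an unanswered call becomes an approved 9,500 wire. The same clone connecting from the attacker’s own address is caught by the IP comparison, which is why the gang bothers with the SOCKS proxy at all. The fail-closed branch is the practitioner’s takeaway: a confirmation channel the attacker can jam must default to holding the transfer.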

Given that the announcement was made so publicly (which is not entirely uncommon in the underground when hackers are looking for “investors”), RSA also notes that this particular threat could be a hoax or a sting operation by Russian law enforcement.

Sources: RSA
