Categories: SecuritySoftware

Banking Trojan Exposed By Researchers

Researchers at Finjan are shining a light on a sneaky banking Trojan behind the theft of roughly $439,000 (300,000 euros) from German bank accounts over a 22-day period.

Dubbed URLZone, the Trojan served as a digital lock pick for a sophisticated cyber-gang Finjan tracked from 11 Aug to 1 Sept. Unlike many typical banking Trojans, URLZone goes beyond tricking victims into coughing up their banking credentials by inserting text boxes into online banking applications. It calls back to its C&C (command and control) server for instructions on how much money to steal without causing suspicion at the bank, and to which money mule account to send the money.

The URLZone Trojan also alters the victim’s on-screen bank account statements in an effort to cover its tracks.

“In this case, the specific criteria that the Trojan received from its command and control center mark a whole new level of cyber-crime sophistication in the techniques used by cyber-criminals,” Yuval Ben-Itzhak, CTO of Finjan, said in a statement Sept. 30. “Using these methods they successfully evade anti-fraud systems that banks deploy—we dubbed it the ‘anti-anti-fraud.’”

The cyber-gang used the well-known LuckySpoilt crimeware tool kit to exploit victims’ browsers and install the Trojan on their PCs. The gang did this via both malicious and compromised Websites, ultimately attracting roughly 96,000 visitors. Of those, researchers found that 6,400 were infected. Once URLZone is on a system, it logs credentials and activities of bank accounts, steals money from the compromised accounts and hides its activity in the report screen of the compromised account in real time.

“To avoid warning signs by anti-fraud systems at the bank, the money mule accounts are only used … a limited number of times within a certain time frame,” said the Finjan statement. “Since banks monitor large bank transfers, the amount of money deposited in a money mule account is predefined in order to stay under the radar.”

Communication between the Trojan and the C&C server was conducted over HTTP, with the data being XOR-encrypted. Law enforcement took down the servers after being notified of the scam by Finjan, but the Trojan tool kits remain in circulation in the cyber-underground.
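As an added illustration (not URLZone's code and not part of Finjan's analysis) of how a network defender can spot the traffic pattern described above, the following script brute-forces an XOR-obfuscated HTTP body and flags it when a non-zero key turns it into instruction-like text. The single-byte key, the key=value message format and the sample values are all assumptions made for the demo.

```python
# Added example, not URLZone's code or Finjan's analysis. It models one
# defender-side check for the traffic pattern the article describes:
# C&C instructions carried over HTTP and XOR-obfuscated. A single-byte
# key and the message format below are assumptions for the demo.
import string

# Bytes one expects in a plain key=value style instruction (assumed format).
TEXT_BYTES = set((string.ascii_letters + string.digits + " =;:,./_-&?\r\n").encode())

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same op encrypts and decrypts)."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> float:
    """Fraction of bytes that look like plain instruction text."""
    if not data:
        return 0.0
    return sum(b in TEXT_BYTES for b in data) / len(data)

def recover_single_byte_xor(body: bytes) -> tuple:
    """Brute-force all 256 keys; return (key, candidate, score) with the best text score."""
    best = (0, body, text_score(body))
    for key in range(1, 256):
        candidate = xor_bytes(body, key)
        score = text_score(candidate)
        if score > best[2]:
            best = (key, candidate, score)
    return best

def looks_like_xor_obfuscated_cnc(body: bytes, threshold: float = 0.9) -> bool:
    """Flag an HTTP body that only becomes instruction-like text after a non-zero XOR key."""
    key, _, score = recover_single_byte_xor(body)
    return key != 0 and score >= threshold

# Constructed sample: an instruction in the style the article describes
# (how much to move, to which mule account, how many uses), obfuscated with key 0xA7.
SAMPLE_KEY = 0xA7
SAMPLE_PLAINTEXT = b"max_amount=2870;mule_account=PLACEHOLDER_ACCOUNT;uses_left=3\r\n"
SAMPLE_BODY = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain, score = recover_single_byte_xor(SAMPLE_BODY)
    print(f"key=0x{key:02x} score={score:.2f} flagged={looks_like_xor_obfuscated_cnc(SAMPLE_BODY)}")
    print(plain.decode())
```

A real deployment would extend the scoring (multi-byte keys, known plaintext markers) and run it on the response bodies of unusual outbound HTTP POSTs, since a single-byte key is only the simplest case.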

“To avoid detection, cyber-criminals continue to improve their methodologies for stealing money and going under the radar from the victims and banks alike,” Ben-Itzhak said. “With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimize their chances of being detected.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
