
2 year malware campaign spies on customers of major banks

Around 24 financial institutions have been affected by malware that has actively targeted users' bank accounts for more than two years.

According to research from Zscaler, the Win32/Caphaw Trojan has been monitoring its victims at banks including Barclays, Bank of Scotland, First Direct and Co-Operative as well as a number of international financial institutions.

Zscaler admitted that the infection method was not entirely clear, but said the attacks were likely arriving as part of an exploit kit homing in on vulnerable versions of Java, and that Caphaw avoids local detection by injecting itself into legitimate processes such as explorer.exe or iexplore.exe.

To conceal its activity, Caphaw also obfuscates its phone-home traffic through a domain generation algorithm, with the generated addresses using self-signed SSL certificates.

According to Zscaler's director of product Kapil Raina, this showed a sudden rise after a decline in the number of attacks on financial institutions in recent years.

"We use a behavioural analysis engine and see interesting elements, one of which is to obscure as it doesn't always appear to be malicious, as a lot of Trojans have phone home capabilities and use domain generated algorithms to create self-signed certificates and use that to encrypt traffic," he said.

Zscaler's research found that across the 64 distinct samples it had collected and analysed so far, there had been 469 distinct IPs where there had been a call to a domain-generation-algorithm location.

In terms of protecting against this type of attack, which is similar to tactics used by other Trojans including Carberp, Ranbyus and Tinba, Raina said that static analysis of traffic is good but not ideal alone, as behaviour and activity were important to accurately detect a threat, specifically one intended to be stealthy and to use encrypted channels to communicate.
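As an added illustration of the behavioural approach Raina describes (not code from Zscaler or from the report), the following Python heuristic runs over constructed TLS-connection log lines and flags the combination the article attributes to Caphaw: an injection-target process such as explorer.exe or iexplore.exe connecting to a DGA-looking host that presents a self-signed certificate. The log format, thresholds and sample hostnames are assumptions for the example.

```python
import math
from collections import Counter

# Constructed sample log (not real telemetry): process, host, destination IP, cert type.
SAMPLE_LOG = """\
explorer.exe,qzxkwvbntrlp.net,198.51.100.23,self-signed
iexplore.exe,www.barclays.co.uk,203.0.113.10,ca-signed
iexplore.exe,dk3rjq8wvplxz.com,198.51.100.77,self-signed
outlook.exe,login.microsoftonline.com,203.0.113.55,ca-signed
explorer.exe,m8vqzpw2ktrhl.org,198.51.100.23,self-signed
"""

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(host, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic DGA check on the label left of the TLD: long, high-entropy, vowel-poor.
    Thresholds are assumed values for this example, not tuned on real data."""
    label = host.split(".")[-2] if "." in host else host
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def flag_suspicious(log_text, injected_procs=("explorer.exe", "iexplore.exe")):
    """Return (process, host, ip) for connections that combine all three traits:
    a known injection-target process, a self-signed server cert, and a DGA-like host."""
    alerts = []
    for line in log_text.splitlines():
        proc, host, ip, cert = line.split(",")
        if proc in injected_procs and cert == "self-signed" and looks_generated(host):
            alerts.append((proc, host, ip))
    return alerts

def distinct_c2_ips(alerts):
    """Distinct destination IPs behind the flagged connections, mirroring the
    per-IP count the report uses to size the infrastructure."""
    return sorted({ip for _, _, ip in alerts})

if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    for proc, host, ip in hits:
        print(f"ALERT {proc} -> {host} ({ip}): self-signed cert on DGA-like host")
    print("distinct suspected C2 IPs:", distinct_c2_ips(hits))
```

A single trait alone (a self-signed certificate, or an odd-looking hostname) is noisy on its own, which is why the check requires all three before raising an alert.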