Malware Update: Boleto, RATs and CosmicDuke
7 · JUL · 2014
At Fluidata we strive to create innovative solutions that protect businesses from the constant threat of cybercrime and malware. Keeping up with the different types of malware that are created on a daily basis can often be difficult for cybercrime specialists, as the sheer volume and complexity of malware means they are often difficult to spot until it’s too late. In fact, just this week we have witnessed reports of three new pieces of malware that are affecting both businesses and individual users. Here, we look at all three in further detail:
In Brazil, Boleto Bancario is the second largest online payment method: almost eighteen per cent of all online purchases in Brazil in 2012 were paid for using it. That popularity is why a new piece of malware, currently known only as the ‘Boleto malware’, is estimated to have stolen a record-breaking $3.75 billion from up to 495,753 transactions. In April 2013 an individual sent a concerned message to the Brazilian cybercrime blog Linha Defensiva (the ‘Defensive Line’) stating that after uploading a Boleto the money had failed to enter his account. Experts from the blog inspected the issue and found that the user’s computer had been infected with malware specifically designed to redirect Boleto payments into third-party bank accounts.
It is estimated that around 192,227 PCs are currently infected with the Boleto malware, and that most of their owners are completely unaware. The malware is a ‘man-in-the-browser’ threat: it is downloaded to a PC once a user clicks a malicious link embedded in an email or web page, then hides in the user’s browser and feeds information about Boleto payments to the cybercriminals. British blogger and computer security analyst Graham Cluley said: "Sadly Brazilian computers aren't always necessarily running the very latest anti-virus software, and because Boletos aren't used outside of Brazil it might have made security companies less vigilant about the threat."
Cybercriminals are not only targeting PCs, as shown by the remote access Trojan (RAT) com.II. This new piece of malware targets Android phones in order to harvest mobile banking details. It currently disguises itself as a ‘Google Services Framework’ update which, once installed, disables the uninstall option, replaces banking apps with counterfeit versions and steals information such as SMS messages and contact lists.
Paco Hope, principal consultant with Cigital, said: “Malware of this nature also highlights the role the app store plays in securing a device. Users who accept apps from sources other than the official stores run a much higher risk of installing malware. For all their faults, the official Google and Apple stores play a significant role in protecting the average user from malware. The dangers of third-party app sources are very real.”
While there have so far been no reports of government systems being compromised by CosmicDuke, there have been warnings that the code has been spotted and could compromise the IT systems of the North Atlantic Treaty Organisation (NATO) and of European governments. CosmicDuke’s predecessor, MiniDuke, was first spotted over eighteen months ago; this new version combines it with a second piece of malware named Cosmu. This complex malware has previously been used to acquire sensitive information from government bodies, and experts are now concerned that a new attack may be on the horizon.
However, even though CosmicDuke is an elaborate piece of malware, experts have stated that businesses and government departments can protect themselves by not clicking on or downloading email attachments, and by installing advanced anti-spam software such as xspaminate. Michael Sutton, VP of security research with Zscaler, said: "Firstly, all binary files should be interrogated before being permitted to be downloaded, and it is important to use techniques beyond antivirus that don't rely on signatures, such as behavioural analysis. Secondly, executable files should not be permitted for download by end users, especially without also being thoroughly analysed for the presence of malware."
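The two controls Sutton describes (interrogate binaries before they reach the user, and do not let end users download executables) are easy to state but are usually implemented badly when the gate trusts the file name the sender chose. The following is an added example, not code from the Fluidata post or from Zscaler: a small download-gate policy that decides on file content (executable magic numbers) as well as on the extension, so that a payload renamed to look like a document or image is still caught. All file names, byte samples and the extension list are constructed for this example and are not from the article.

```python
"""Gate downloaded files on content, not only on the name the sender chose.

Added example (not from the Fluidata post): a minimal download-gate policy in
the spirit of "interrogate binaries before download" and "don't let end users
download executables". Every file name, byte sample, magic number table and
extension list below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import os

# Magic numbers of common native executable formats (assumed, illustrative set).
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                   # Windows PE (starts with the DOS stub)
    b"\x7fELF": "elf",             # Linux / Android native ELF
    b"\xfe\xed\xfa\xce": "macho",  # Mach-O 32-bit, big-endian
    b"\xfe\xed\xfa\xcf": "macho",  # Mach-O 64-bit, big-endian
    b"\xcf\xfa\xed\xfe": "macho",  # Mach-O 64-bit, little-endian
    b"\xca\xfe\xba\xbe": "macho-fat",
}

# Extensions the desktop will run directly on double-click (illustrative set).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi",
}


@dataclass
class Verdict:
    """Result of gating one file: allowed, plus the reasons if it was blocked."""
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def detect_format(data: bytes) -> Optional[str]:
    """Return the executable format name if the content starts with a known magic."""
    for magic, fmt in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def inspect_download(filename: str, data: bytes) -> Verdict:
    """Apply the download policy to one file and explain every finding."""
    reasons: List[str] = []
    base = os.path.basename(filename).lower()
    exts = ["." + part for part in base.split(".")[1:]]  # every dotted suffix
    last_ext = exts[-1] if exts else ""

    # Rule 1: the content is a native executable, whatever the name claims.
    fmt = detect_format(data)
    if fmt:
        reasons.append(f"content is a native executable ({fmt})")

    # Rule 2: the final extension is one the desktop will execute.
    if last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {last_ext} is executable")

    # Rule 3: double extension such as invoice.pdf.exe disguising an executable.
    if len(exts) >= 2 and last_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguises an executable as a document")

    # Rule 4: the name claims a document or image but the bytes are a binary.
    if fmt and last_ext and last_ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"name claims {last_ext} but content is {fmt}")

    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample downloads: headers only, enough for the magic check.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "notes.txt": b"meeting notes\n",
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "invoice.pdf.exe": b"MZ\x90\x00",          # renamed binary, double extension
    "holiday.jpg": b"\x7fELF\x02\x01\x01\x00",  # ELF binary with an image name
}


def gate_all(samples=SAMPLES) -> dict:
    """Run the policy over every sample; map file name -> allowed."""
    return {name: inspect_download(name, data).allowed for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = inspect_download(name, data)
        status = "ALLOW" if verdict.allowed else "BLOCK"
        print(f"{status} {name}: {'; '.join(verdict.reasons) or 'no findings'}")
```

The point of checking both name and content is that the two rules fail in different directions: an extension list alone lets `holiday.jpg` through even though its bytes are an ELF binary, while a magic-number check alone would still pass a `.bat` or `.vbs` script that has no binary header. A real gateway would hand anything that passes this first gate on to behavioural analysis, as the quote recommends, rather than treating a clean verdict here as proof of safety.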