Hesperbot – a new improved banking Trojan

Posted: September 6, 2013 in IT Security News
Tags: , , , ,

ESET LogoResearchers has discovered ‘Zeus-like Trojan‘.

ESET’s researchers has discovered a new effective web banking Trojan – Hesperbot (Win32/Spy.Hesperbot), whose activities are aimed at users from Turkey, the Czech Republic, Portugal and UK.

Malicious software can capture keystrokes, take screenshots with the user’s screen , record video , and configure proxy and create a hidden VNC- server on the infected system.

Hesperbot spreads by sending out phishing emails and often tries to infect mobile devices that operate on the basis of Android, Symbian and Blackberry. Experts notes – the functionality of the new malware is reminiscent of another well-known banking Trojan – Zeus.

The configuration files used by the trojan to intercept HTTP and modules for the injection point to the sites of banks , which will be targeted to a specific botnet. The image shows the list of Czech banks portals.

Czech banks

Hesperbot injected

Hesperbot injected into Portuguese bank website

Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan.

“Like many other malware families, Hesperbot has a modular architecture. After downloading the files from phishing emails to the user’s system start – dropper component , which is distributed in ZIP-archive” – say in ESET. The main objective of dropper – to insert the “core” of malware in explorer.exe. Subsequently, the kernel loads and runs additional modules for the implementation of various malicious actions on the victim’s system.

Compilation timestamp

Czech campaign – Compilation timestamp of malware

ESET’s researchers have not yet established the exact number of users affected by Hesperbot.

Hesperbot statistics

Hesperbot statistics

Detail ESET’s report can be found here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s