Cyber Gang Seeks Botmasters to Wage Massive Wave of Trojan Attacks Against U.S. Banks

In one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date.

Whitehats vs. Blackhats: Techniques of the Cybercrime Elite Trickle Down to the Public Domain

Advances made in the cybercrime world over the past year prove that the trickle-down effect does not only apply to tablet computers and space tourism. Rather, much like real world products, techniques that were once reserved for the cybercrime elite have trickled down to the public domain, bestowing low-skilled botmasters with the same research-thwarting tools that not too long ago were used solely by malware experts.

Citadel started as a Zeus v2 Trojan, deployed and tweaked by a crime gang for its own banking fraud operations. However, once Citadel was released into the Russian-speaking underground in January 2012, it took on a life of its own, supported by a skillful, relentless development team.

Life Grabbers and LinkedIn Passwords

The recent LinkedIn account compromise, in which 6.5 million password hashes were published in the Russian hacker community, grabbed a lot of media attention. In a hellish period of publicly known breaches that hit the front-page news, with perimeter security defenses failing left and right in every possible vertical and geography, this incident stirs some deeper emotions than usual. It seems to be a bit more worrying. It’s personal. I bet that every reader here has a LinkedIn account (raise your hand if you don’t). Certainly every journalist reading this has one.

Eternal Flame

The Eternal Flame is something you’ll probably recognize as the ever-burning fire of ancient Greece; in fact, it has deeper roots in the Middle East. The first records of such a custom are, interestingly enough, set in ancient Iran and Israel. The security industry’s skies are now alight with Flame, the latest discovery in [...]

The eDead Trojan: A Synopsis of Geo-Targeted Spyware

While RSA FraudAction Research Labs does not usually focus on pure-play spyware, over the past year, the Lab has repeatedly detected and handled strains of malware called the eDead Trojan. This highly-targeted spyware code was developed for the sole purpose of collecting keyword search combinations entered by infected victims who visit online banking, retail, webmail and web portal websites, primarily in Japan and Korea.

Gone Phishing and Mining! Phishers leverage Web Analytics to Refine Attacks

Phishers, botmasters and underground vendors are increasingly adapting business models and tools for their nefarious ventures. Botmasters are creating and selling blacklists to ward off research and shutdown attempts by infosec experts and law enforcement. Underground vendors transact with buyers using in-house or publicly available escrow services, and crimeware coders offer user manuals and responsive, multi-lingual customer support. Offering Trojans as FaaS, Citadel’s coders are likely the first to sell monthly subscription plans to guarantee their customer base periodic builder updates and bug fixes, and supposedly ensure ongoing, seamless development and improvement of their Trojan kit.

By Hook and by Crook – Citadel Trojan Isolates Bots from AV and Security

One of the features included in the initial report and communicated by Citadel’s developers in late February is DNS Redirection, which the developers have apparently implemented. Per the feature list, the developers claim that, unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but instead lets the botmaster block or redirect any URL they wish to prevent the bot from reaching.