Tag: bank

Backswap malware analysis

Date of publication: 19/06/2018, Hubert Barc

    Backswap is a banker which we first observed around March 2018. It is a variant of the old, well-known TinBa malware (the name stands for "tiny banker"). As the name suggests, its main characteristic is its small size (very often in the 10-50 kB range). In the summary we present our reasoning for considering it the same malware.

    Ostap malware analysis (Backswap dropper)

    Date of publication: 01/06/2018, Paweł Srokosz

      Malicious scripts distributed via spam e-mails have been getting more complex for some time. Usually, if you got an e-mail with a .js attachment, you could safely assume it was just a simple dropper, limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these days in which the script does not exit after downloading a sample. Instead of ending its life, it remains active, waiting for additional commands or more samples to fetch. Some examples are vjw0rm, used in Vortex ransomware campaigns, and Ostap, the main protagonist of our story.

      This article is an introduction to our analysis of Backswap, a second-stage malware downloaded by Ostap. The analysis of Backswap itself will be published soon!


      A look on the VBKlip “battlefield”

      Date of publication: 29/05/2014, CERT Polska

      On multiple occasions we have informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes the bank account number that has been copied to the clipboard. It works when we try to, for example, pay a bill and copy the bank account number in order to paste it into the online banking wire transfer page: instead of paying the bill, we send the money to the attacker. In this article we publish a detailed analysis of this threat. We consider it a serious threat because we constantly receive reports from users who have been infected with it and whose money has been stolen.


      Large-scale DNS redirection on home routers for financial theft

      Date of publication: 06/02/2014, CERT Polska


      In late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on… iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behaviour would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware targeting the platform, and at the same time it targeted Polish e-banking users, it immediately attracted our attention. Internally we came up with several scenarios of how it might have happened, but unfortunately were not able to gather enough first-hand data about the case to rule any of them out.

      How to identify and remove the VBKlip malware?

      Date of publication: 31/10/2013, CERT Polska


      In our previous article we described a new VB malware, named VBKlip by us, that was replacing a bank account number that had been copied to the Windows clipboard. To check whether your computer is infected, simply copy a correct bank account number (e.g. 12 1234 1234 1234 1234 1234 1234), paste it into a text editor (e.g. Microsoft Word or Notepad) and compare the pasted number with the copied one. If they differ, your machine is most probably infected with the described malware strain.

      New VB malware that changes bank account number when copying from clipboard

      Date of publication: 22/10/2013, CERT Polska


      At the start of October we started receiving reports of the propagation of a new strain of unusual malware. This malware targeted Polish online banking users and implemented a technique new to our market. We received a sample of this malicious software, written in Visual Basic 6. It used a fairly simple mechanism in order to steal money: whenever a user copied text that contained a bank account number to the clipboard, it switched that account number to a new one. This account was, of course, controlled by the cybercriminals.
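The two VBKlip entries above describe one technique (an account number in the clipboard is silently replaced) and one check for it (copy a known number, paste it, compare). The following Python is an added example written for this page, not code from CERT Polska or from the VBKlip sample: it models the substitution on constructed clipboard text and automates the copy-paste-compare check, comparing normalised digits so that a paste target which reflows the spacing does not produce a false alarm. The invoice text is constructed; the "attacker" account is the textbook Polish IBAN example (PL61 1090 1014 0000 0712 1981 2874) with the country prefix removed, not an account from any real campaign; all function names are the author's own.

```python
import re
from itertools import zip_longest

# Polish domestic account number (NRB): 26 digits, normally printed as two check
# digits followed by six groups of four, e.g. "12 1234 1234 1234 1234 1234 1234".
# The pattern tolerates spaces or dashes between groups, or no separators at all.
NRB_RE = re.compile(r"\b(\d{2}(?:[ -]?\d{4}){6})\b")

# Constructed sample: the account number quoted in the article above, embedded in
# the kind of text a user would copy from an invoice.
COPIED_TEXT = "Invoice 2013/10, please pay 120 PLN to 12 1234 1234 1234 1234 1234 1234 by 30.10"

# Hypothetical "attacker" account for the demonstration: the textbook Polish IBAN
# example (PL61 1090 1014 0000 0712 1981 2874) without the PL prefix, not an
# account from any real campaign.
ATTACKER_NRB = "61 1090 1014 0000 0712 1981 2874"


def normalize(nrb):
    """Strip group separators so differently formatted copies of one number compare equal."""
    return re.sub(r"[ -]", "", nrb)


def find_account_numbers(text):
    """All NRBs found in text, normalised to 26 digits, in order of appearance."""
    return [normalize(m) for m in NRB_RE.findall(text)]


def nrb_is_valid(nrb):
    """IBAN mod-97 check for a Polish NRB (country code PL).

    True means the string is a structurally valid account number.  This says
    nothing about tampering: a swapped-in attacker account passes it as well.
    """
    digits = normalize(nrb)
    if len(digits) != 26 or not digits.isdigit():
        return False
    # ISO 13616: move country code and check digits to the end, letters -> numbers (P=25, L=21).
    rearranged = digits[2:] + "2521" + digits[:2]
    return int(rearranged) % 97 == 1


def vbklip_style_swap(clipboard_text, attacker_nrb):
    """Model of the substitution the articles describe: every account number in the
    copied text is replaced with the attacker's, keeping the victim's group separators
    so the pasted result looks like the original.  Illustration only."""
    attacker = normalize(attacker_nrb)

    def replace(match):
        digits = iter(attacker)
        return "".join(next(digits) if ch.isdigit() else ch for ch in match.group(1))

    return NRB_RE.sub(replace, clipboard_text)


def detect_substitution(copied, pasted):
    """The manual copy-paste-compare check from the article, automated.

    Returns (original, pasted) pairs for every account number that changed between
    the text the user selected and what came back out of the clipboard; an empty
    list means the clipboard was not tampered with.  A number that vanished is
    reported as (original, None).
    """
    before = find_account_numbers(copied)
    after = find_account_numbers(pasted)
    return [(b, a) for b, a in zip_longest(before, after) if b != a]


if __name__ == "__main__":
    # Same number, re-flowed by the paste target: must not be reported as tampering.
    clean_paste = COPIED_TEXT.replace(" 1234", "1234")
    swapped_paste = vbklip_style_swap(COPIED_TEXT, ATTACKER_NRB)
    print("clean paste  :", detect_substitution(COPIED_TEXT, clean_paste))
    print("swapped paste:", swapped_paste)
    print("detected     :", detect_substitution(COPIED_TEXT, swapped_paste))
```

To run the check against a live clipboard, pass `detect_substitution` the text you selected and whatever your clipboard library returns (for example `pyperclip.paste()`, or the output of `Get-Clipboard` in PowerShell); the comparison logic is the same. Note that `nrb_is_valid` is included only to make the caveat explicit: the attacker's account is a genuine, checksum-valid number, so validating the pasted number cannot reveal the swap. Only comparing it with what you actually copied can.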