Bugat is New Malware of Choice
Cyber Criminals Branching Out from Zeus to Other Trojans
This move is important to watch, say researchers, who point to the emergence of Bugat as an attempt by cyber criminals to diversify their attack tools, using a platform that is similar to Zeus but harder to detect.
While Zeus, Clampi and Gozi may be better-known malware, Bugat's attack is similar, says Jason Milletary, SecureWorks' technical director for malware analysis. Bugat can function as a SOCKS proxy server, upload files from the infected computer to a remote server, or download and execute programs.
How Bugat Works
The Bugat Trojan communicates with a command and control server from where it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.
Malware researchers at Trusteer say the new version of the Bugat malware is used to commit online fraud. This version targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen online banking credentials are used to commit fraudulent ACH and wire transfer transactions, mostly against small to midsized businesses, which result in high-value losses. Bugat is three times more common in the US than in Europe, but its distribution is still fairly low.
In last week's attack, cyber criminals sent emails to LinkedIn users reminding them of pending messages in their account and inserted a malicious link. When a victim clicked on the link, they were directed to a fraudulent website where a Java applet downloaded and installed the Bugat executable.
Malware Distribution
Criminals are stepping up their malware distribution efforts by continuously updating configurations of well-known malware such as Zeus, and using new versions of less common Trojans like Bugat, to avoid detection, says Mickey Boodaei, Trusteer's CEO. He says the industry is in an arms race with criminals.
"Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye which are just as deadly and quietly expanding their footprint across the internet," Boodaei says.
These expanding footprints create many other attack vectors, ones that don't use Zeus, that enable cyber criminals to get into online bank accounts and money transfers, says Avivah Litan, a security analyst at Gartner. One example she points to is the relatively new piece of malware called SpyEye. Litan says it is a "landmark infection that doesn't require administrative privileges on the PC and it does its work in just a couple of hours. It's a hit-and-run type of attack."
Boodaei warns that the recent industry focus on Zeus makes things easier for other Trojans such as Bugat, SpyEye and Carberp, which are less widespread but equally sophisticated. Carberp currently targets nine banks in the United States, Denmark, the Netherlands, Germany and Israel.