ESET Uncovers Advanced Banking Trojan “Hesperbot” Misusing Android in Europe and Turkey
September 2013 by ESET
ESET HQ malware research lab has uncovered a new and effective banking trojan which targets online banking users in Europe and Asia. Using very credible-looking spreading campaigns related to trustworthy organizations, it lures victims into running the malware. Several victims have already been robbed of financial assets because of this newly revealed threat. Based on data from LiveGrid®, ESET’s cloud-based malware collection system, hundreds of infections have been detected in Turkey, and dozens in the Czech Republic, the United Kingdom and Portugal. This very potent and sophisticated banking malware, dubbed Hesperbot, is spreading via phishing-like emails and also attempts to infect mobile devices running Android, Symbian and Blackberry.
Detected as Win32/Spy.Hesperbot, this threat features keylogger capabilities, can capture desktop screenshots and video, and can set up a remote proxy. It also includes some more advanced tricks, such as creating a hidden remote connection to the infected system. “Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat. “ESET products like ESET Smart Security and ESET Mobile Security protect against this malware,” he adds.
The attackers aim to obtain login credentials that give them access to the victim’s bank account, and to get victims to install a mobile component of the malware on their Symbian, Blackberry or Android phone.
The Czech malware campaign started on August 8, 2013. The perpetrators have registered the domain www.ceskaposta.net, which is very close to the actual website of the Czech Postal Service. “It’s probably not surprising that the attackers tried to lure potential victims to open the malware by sending phish-like emails resembling parcel tracking information from the Postal Service. This technique has been used many times before,” says Lipovsky. The Czech Postal Service responded very quickly by issuing a warning about the scam on their website.
Nevertheless, the country most affected by this banking trojan is Turkey, with Hesperbot detections there dating from even earlier than August 8. Recent peaks in botnet activity were observed in Turkey in July 2013, but ESET has also found older samples that go back at least to April 2013. The phishing e-mail that was sent to potential victims purported to be an invoice. A variant of the malware designed to target computer users in Portugal and the United Kingdom has also been found in the wild.