Belgian security researcher Xavier Mertens has discovered a piece of malware that appears to be part of a banking campaign targeting customers of various U.K. banks.
The malware was found uploaded to VirusTotal, a popular malware scanning and sharing service to which many people upload the malware they come across. It is also commonly used by malware authors themselves, typically to check whether their malware is detected.
Though cybercrime is very much a global phenomenon, this kind of regional or national targeting is very common. It also highlights the importance for financial institutions to share threat data with each other: it is very common for the same threats to target many of them at the same time, especially if they operate in the same country or region.
The malware performs many common tasks, such as obtaining information about the infected system, taking screenshots of the machine and downloading the final payload from an external source. What is most interesting, though, is that the malware looks in the consumer's DNS cache for domains used by most major U.K. banks.
The DNS cache contains domains recently resolved by the computer; in practice these are likely websites the user has visited. In the case of a domain belonging to a bank, a user who has recently visited that website is likely a customer of the bank.
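From a defender's side, the behaviour worth alerting on is a scripting host enumerating the resolver cache. The following is an added example, not code from Mertens's write-up or from the sample: it scans constructed process-creation log lines and flags DNS cache enumeration launched from a script host. The log format and hostnames are made up, and it is an assumption that the sample used one of the built-in Windows commands listed; the article does not say how the cache was read.

```python
import re
from dataclasses import dataclass

# Built-in ways to list the Windows DNS resolver cache (assumption: the article
# does not say which method the malware used, so both common ones are matched).
DNS_CACHE_PATTERNS = [
    re.compile(r"ipconfig(\.exe)?\s+/displaydns", re.IGNORECASE),
    re.compile(r"Get-DnsClientCache", re.IGNORECASE),
]

# Parents that indicate a script rather than an interactive administrator.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

@dataclass
class Event:
    host: str
    parent: str
    image: str
    cmdline: str

def parse_line(line):
    # Constructed log format: 'key=value' pairs separated by '|'.
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(fields["host"], fields["parent"].lower(),
                 fields["image"].lower(), fields["cmdline"])

def is_dns_cache_enum(ev):
    return any(p.search(ev.cmdline) for p in DNS_CACHE_PATTERNS)

def detect(lines):
    """Return (host, parent, cmdline) for every cache enumeration spawned by a script host."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_dns_cache_enum(ev) and ev.parent in SCRIPT_HOSTS:
            hits.append((ev.host, ev.parent, ev.cmdline))
    return hits

# Constructed sample events: two script-driven cache dumps, one admin flushing
# the cache from cmd.exe, and one interactive PowerShell query from explorer.exe.
SAMPLE_LOG = [
    "host=WS01|parent=wscript.exe|image=ipconfig.exe|cmdline=ipconfig /displaydns",
    "host=WS02|parent=cmd.exe|image=ipconfig.exe|cmdline=ipconfig /flushdns",
    "host=WS03|parent=explorer.exe|image=powershell.exe|cmdline=powershell Get-DnsClientCache",
    "host=WS04|parent=powershell.exe|image=ipconfig.exe|cmdline=IPCONFIG.EXE /DISPLAYDNS",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("suspicious DNS cache enumeration:", hit)
```

The parent-process filter is what keeps the rule quiet on an administrator running the same command by hand; tune `SCRIPT_HOSTS` to the environment.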
This captured data is exfiltrated, and the final payload, which would typically be malware targeting a specific online banking system, likely depends on the bank the user appears to be using: HSBC customers could receive a slightly different payload than Barclays customers, for example.
There have been some suggestions that the final payload would be Ramnit, a well-known banking trojan that has targeted U.K. banks in the past. Ramnit has targeted banks in other countries too; the fact that this malware only included domains of U.K. banks suggests that it was intended for a campaign aimed specifically at users in the U.K.
Writing about the malware, Mertens said it was interesting that the file was also uploaded from the U.K. itself. Though the lack of obfuscation suggests the malware may still have been in development, and though it is not impossible that the authors uploaded it from the U.K. themselves, this does suggest it was actually found in the wild.
"Some pieces of the puzzle are missing," Mertens wrote. "I don’t know how the script was dropped on the target."
At the time it was uploaded, no anti-virus product had signatures for the sample, Mertens wrote. This doesn't mean it would have escaped detection altogether, but it does suggest it wasn't in wide use at the time.