Friday, June 13, 2014

Pandemiya banking malware emerges as Zeus-level threat

Researchers have uncovered a new banking malware variant that they say is notable not only for the hefty prices its authors are demanding, but also because the malware has been coded from scratch -- a dangerous oddity in the world of malware development.

In a blog post this week, RSA's FraudAction team detailed the malware, dubbed Pandemiya, which they said is being sold on underground malware sites for between $1,500 and $2,000, depending on the functionality a buyer desires.

Pandemiya is a typical banking malware variant in many ways. It is capable of stealing form data and login credentials, and it lets attackers inject malicious content into web pages rendered by the three major Web browsers in order to gather further information on victims.

Communications between machines infected by Pandemiya and its botnet are also encrypted, according to RSA, and the malware's modular design means it is "quite easy to expand and add functionality" via DLL plug-ins -- some of which are sold separately at a higher price, including a reverse proxy and an FTP login stealer.

What sets Pandemiya apart is that it is not based on the Zeus source code, which was leaked online in 2011 and has since been the favorite code base for malware authors crafting numerous variants of the infamous banking malware, including Citadel, Carberp and Zberp.