Russian trojan spotted attacking Middle Eastern banks

Security researcher Brian Krebs has spotted a Russian-controlled botnet being used to target banks in the Middle East.


The campaign follows on from the use of the 'Sandroid' malware, which is designed to look like a banking two-factor authentication (2FA) app, against banks and financial institutions in Australia.

Unlike in the UK and US, where 2FA is still in its infancy, banks in Australia, Central and Eastern Europe and the Middle East make extensive use of mobile phones as a 2FA channel.

Around two years ago, cyber-criminals in India started subverting this channel by requesting a replacement SIM from the cellular network (a 'SIM swap'), gaining control of the victim's mobile number, and with it the authentication channel, without the victim's knowledge.

Today, SCMagazineUK.com notes, almost all cellcos are aware of this scam and impose a number of safeguards, including sending over-the-air updates to replacement SIMs only once they have confirmed the identity of the new SIM card user.

This appears to be why cyber-criminals have changed tactics and now distribute malicious Android apps that masquerade as 2FA applications from several Middle Eastern banks, including Riyad Bank, SABB (the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank and Arab National Bank.

Krebs says that banking trojans like Sandroid create a pop-up box asking the user to download a 'security application' to their mobile phone.

"Those apps are instead phony programs that merely intercept and then relay the victim's incoming SMS messages to the botnet master, who can then use the code along with the victim's banking username and password to log in as the victim," he says in his latest security posting. 

The security researcher says he traced control of the botnet to a Mobile Telesystems SIM card used in Moscow. The Sandroid malware, which infects Android smartphones, has been in active use in Australia and now the Middle East over the last year, he notes.

The good news, Krebs goes on to say, is that Sandroid is detected by a wide range of free and paid-for Android security software.
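Signature matches aside, the behaviour Krebs describes (an app that reads incoming SMS and relays it off the device) leaves a recognisable footprint in an Android manifest: the RECEIVE_SMS or READ_SMS permission, a broadcast receiver registered for the SMS_RECEIVED action, often at a high priority, and a way to exfiltrate (INTERNET or SEND_SMS). The following Python script is an added triage example, not code from this article, from Krebs or from any vendor named here; the two manifests it inspects are constructed for illustration (the package names and class names are invented, not those of Sandroid), and the priority threshold is an assumption, not a documented Android constant.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
READ_SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Assumed threshold: a receiver priority this high is chosen so the receiver
# runs before the stock SMS app and can act on the message first.
HIGH_PRIORITY = 999

# Constructed sample: a fake "bank security" app with the SMS-relay footprint.
FAKE_2FA_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank.securityapp">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Bank Security App">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed sample: an ordinary app that talks to the network but never touches SMS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_sms_receivers(root):
    """Return (receiver class, priority) for every receiver registered for SMS_RECEIVED."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                prio = _android_attr(flt, "priority")
                found.append((_android_attr(receiver, "name"), int(prio) if prio else 0))
    return found


def triage_manifest(manifest_xml):
    """Flag a manifest that can both read incoming SMS and send data off the device."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    receivers = find_sms_receivers(root)
    reasons = []
    if perms & READ_SMS_PERMS and receivers:
        reasons.append("registers an SMS_RECEIVED receiver with SMS read permission")
    if perms & EXFIL_PERMS:
        reasons.append("can relay data off the device (%s)"
                       % ", ".join(sorted(perms & EXFIL_PERMS)))
    if any(p >= HIGH_PRIORITY for _, p in receivers):
        reasons.append("SMS receiver priority >= %d (runs ahead of the SMS app)" % HIGH_PRIORITY)
    suspicious = bool(perms & READ_SMS_PERMS and receivers and perms & EXFIL_PERMS)
    return {
        "package": root.get("package"),
        "sms_receivers": receivers,
        "suspicious": suspicious,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for manifest in (FAKE_2FA_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for reason in result["reasons"]:
            print("  -", reason)
```

This is a triage heuristic, not proof of malice: a legitimate SMS client or an OTP auto-fill feature has the same permissions, so a hit only means the sample deserves a closer look (string and network analysis, or running it against a test number). Note also that from Android 4.4 onwards a non-default SMS app can no longer abort the SMS_RECEIVED broadcast to hide a message, but it still receives a copy, which is all a relay needs.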

Although those UK banks that use 2FA have tended to issue their own authentication devices (HSBC and Barclays fall into this category), 2FA over a mobile phone is a lot cheaper for banks to implement, as it saves them issuing their own tokens.

HSBC, in particular, has now started offering a 'full-blown' Android and iOS mobile banking app that uses the cellular channel to authenticate the user.

According to Keith Bird, UK MD of Check Point, the Sandroid trojan's methodology may not be that new: he said it sounds very similar to the summer 2012 'Eurograbber' attack, which stole over €36 million (£30 million) from 30,000 customers of 30 banks in Italy, Spain, Germany and the Netherlands.

"This used a variant of the Zitmo [Zeus in the mobile] trojan to compromise mobile banking customers' phones and intercept the SMS-based authentication used by banks," he said, adding that, from the banks' perspective, the transactions in Eurograbber appeared to be legitimate. 

"This enabled the Eurograbber thefts to continue for weeks. Attackers will always try to focus on the weakest link - which is the people using the devices - but these attacks are becoming very sophisticated in their techniques," he explained.

As reported at the time, online identity-theft protection provider Versafe identified the multi-staged Eurograbber attack in August 2012 and began investigating the trojan's methodology with the assistance of Check Point.

Check Point concluded that Eurograbber initially infected a user's desktop PC. The attack then quickly compromised the mobile device as well, once the link between the online account and the mobile number had been established through entry of the texted one-time passcode.