Roel Schouwenberg Kaspersky Lab
Recently I had to do some research into a specific piece of banker malware. These days banker malware is extremely common. However, as the research progressed, this targeted attack became more and more interesting.
In my presentation I will give an analysis of the malware package. It concerns a trojan with functionality such as spying on the URLs the user visits and downloading files on command. When the user visits HTTPS sites, the trojan downloads an HTTPS traffic logger that captures the traffic and sends it to a specific server.
The trojan does this for a very specific reason: it allows the authors of the malicious code to more easily create malware dedicated to a single bank, namely the bank the infected machine visits. Truly 'malware on demand'.
This approach also makes it a lot easier for the malware authors to create banker trojans that aren't stopped by two-factor authentication. To top it all off, the trojan also includes file-infection functionality, which is becoming popular again these days.
Note: Certain details may be obfuscated due to confidentiality concerns.