Last-minute paper: Hassle with Hesperbot: a new, sophisticated and very active banking trojan

Robert Lipovsky ESET
Anton Cherepanov ESET

In the middle of August 2013 we discovered a trojan horse that was hosted on a domain that passed itself off as belonging to the Czech Postal Service. Looking further into this discovery, we found out that this was a new banking trojan targeting potential victims in the Czech Republic through active malware-spreading campaigns. Later in our research we found similar campaigns and, as a result, active botnets in Turkey and Portugal as well. The perpetrators of the botnets most certainly knew what they were doing and also utilized malicious components designed for mobile phones.

What we found lurking behind the malicious links was not the ubiquitous Zeus or SpyEye however, but a new malware family, which we named Win32/Spy.Hesperbot. Analysis of the threat revealed that we were dealing with a very potent banking trojan which features common functionalities, such as keystroke logging, creation of screenshots and video capture, and setting up a remote proxy, but which also includes some more advanced tricks, such as creating a hidden VNC server on the infected system. And of course the banking trojan feature list wouldn't be complete without network traffic interception and HTML injection capabilities. Win32/Spy.Hesperbot does all this in quite a sophisticated manner and also utilizes the mobile components for Android, Symbian and Blackberry to overcome banks' security through mobile transaction authentication numbers.

The malware implements a unique technique for carrying out man-in-the-middle attacks against users connecting to their secured online banking websites. This will be described in detail in the presentation. A similar technique was used by the Gataka banking trojan (presented at VB2012 by Jean-Ian Boutin). We will compare and contrast these two dangerous cybercrime tools.

We'll also explain the modus operandi of the scams and give details on the different campaigns that we've discovered. After a higher-level perspective on the functioning of the malware and motives of the attackers, we'll take a deeper look at some of the more sophisticated code that makes Win32/Spy.Hesperbot stand out, including its mobile components.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.