On January 23, CERT Polska posted a blog describing a piece of minimalist banking malware targeting Polish citizens. The hashes of several samples of the malware were also listed in the blog. Symantec subsequently broke out a new name for this malware, calling it Trojan.Banclip. Using Symantec telemetry it’s possible to understand more about the distribution of this malware, and what else the attackers responsible for the malware may be up to. It is also an opportunity to clear up some misconceptions about malware scanning services.
Symantec recorded a variant of Trojan.Banclip being downloaded from a Polish website, zeus[REMOVED].cba.pl, on January 14, 2014. At least six more malware samples were downloaded from this website over time. The graph below shows the number of detections per day of the distributed malware.
Figure. zeus[REMOVED].cba.pl infections per day
In the six samples identified, there were several other variants of Trojan.Banclip, as well as a copy of W32.Shadresrat (aka BlackShades). W32.Shadresrat is a RAT that is ‘for sale’ and offers an attacker complete control over a victim’s computer. The W32.Shadesrat samples downloaded from zeus-[REMOVED].cba.pl also used zeus-[REMOVED].cba.pl as the command-and-control server. This dual use implies that the person responsible for distributing the malware is the same person responsible for using it to attack victims’ computers. It is likely that the other malware, including Trojan.Banclip, are distributed and utilized by the same attacker. This theory is supported because the observed targets for both malware are primarily Polish.
The following samples were identified as being downloaded from the malicious server:
When referring to the malware on their blog, CERT Polska indicated that it appeared to be poorly detected. This conclusion was based on the scan results from VirusTotal. Although it’s understandable to use VirusTotal as a test, the results may not be as clear cut as they appear.
In this particular case, the Trojan.Banclip files were actually detected and customers were protected from them. They were detected by Symantec’s Reputation technology, under the detection name of Suspicious.Cloud.2 or Suspicious.Cloud.9, during the time frame shown in the figure above. The Reputation technology uses a number of different variables, including the reputation of the website a file is downloaded from, to detect malware, and because of this it’s not always possible to replicate it with a basic scan of the file.
There are also other detection technologies in Symantec products to detect malware when it runs, or when it makes network connections. These all help to protect a user, but such systems are not reflected in the output of a simple scan. It’s important that customers enable these advanced features to be fully protected.