
System Infected: W32.Bancorkut Activity 3

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects infostealer Cosmicduke activity.

Additional Information

The main functionality of the threat is to steal as much information as possible and upload it to a remote C2 server.
The malware can steal credentials (username/password) from:
- Skype
- Google Talk
- MSN Messenger
- Browsers (eg.: Chrome, Firefox, Internet Explorer)
- Email clients (eg.: Thunderbird, Outlook, Outlook Express)

Moreover, it searches hard drives and network drives for files whose names match:
*.doc;*.xps;*.xls;*.ppt;*.pps;*.wps;*.wpd;*.ods;*.odt;*.lwp;*.jtd;*.pdf;*.zip;*.rar;*.docx;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg*;*.url;*.exe;*.dll;*.tmp;*.obj;*.ocx;*.js

It might also be able to steal clipboard data.

The threat then connects to 5.45.66.134 via FTP/HTTP in order to upload the stolen data.
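As an added triage example (not part of Symantec's advisory), the following Python helper turns the file-search pattern list quoted above into checks a defender can run: it reports which files on a share the threat's search would collect, and flags connections to the C2 address in firewall-style log lines. The log line layout, the sample hosts and the sample paths are assumptions constructed for the example.

```python
import fnmatch
import re

# File-search patterns quoted in the advisory, split on ';' into glob patterns.
TARGET_PATTERNS = (
    "*.doc;*.xps;*.xls;*.ppt;*.pps;*.wps;*.wpd;*.ods;*.odt;*.lwp;*.jtd;*.pdf;"
    "*.zip;*.rar;*.docx;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;"
    "*admin*;*sifr*;*sifer*;*vpn;*.jpg*;*.url;*.exe;*.dll;*.tmp;*.obj;*.ocx;*.js"
).split(";")
C2_ADDRESS = "5.45.66.134"  # remote server named in the advisory
C2_PORTS = {21, 80}         # FTP and HTTP, the channels the advisory names

def matching_patterns(path):
    """Return the advisory patterns a file's name matches. Windows names are
    case-insensitive, so the name is lower-cased (the patterns already are)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [p for p in TARGET_PATTERNS if fnmatch.fnmatchcase(name, p)]

def exposed_files(paths):
    """Map each path the threat's search would collect to the patterns it hit."""
    return {p: m for p in paths if (m := matching_patterns(p))}

# Assumed firewall log layout: "<timestamp> <src_ip>:<port> -> <dst_ip>:<port> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+\w+$")

def find_c2_connections(log_lines):
    """Flag every connection to the C2 address; known_channel marks the FTP/HTTP ports."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m["dst"] == C2_ADDRESS:
            port = int(m["dport"])
            hits.append({"time": m["ts"], "host": m["src"], "port": port,
                         "known_channel": port in C2_PORTS})
    return hits

# Constructed sample data (not real traffic); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5:51234 -> 5.45.66.134:21 TCP",
    "2024-05-01T10:00:02Z 10.0.0.5:51235 -> 192.0.2.10:443 TCP",
    "2024-05-01T10:00:03Z 10.0.0.9:51300 -> 5.45.66.134:80 TCP",
    "2024-05-01T10:00:04Z 10.0.0.9:51301 -> 5.45.66.134:8443 TCP",
]
SAMPLE_PATHS = [r"\\fileserver\share\Q3-report.docx",
                r"\\fileserver\share\vpn_passwords.txt",
                r"\\fileserver\share\notes.txt"]

if __name__ == "__main__":
    print(find_c2_connections(SAMPLE_LOG))
    print(exposed_files(SAMPLE_PATHS))
```

A connection to the C2 address on a port other than 21 or 80 is still reported, since the advisory only states the channels it observed.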

Affected

  • Windows