September 5, 2013 | Bratislava

ESET Uncovers Advanced Banking Trojan “Hesperbot” Misusing Android in Europe and Turkey

The ESET HQ malware research lab has uncovered a new and effective banking trojan that targets online banking users in Europe and Asia. Using very credible-looking spreading campaigns that impersonate trustworthy organizations, it lures victims into running the malware. Several victims have already been robbed of financial assets because of this newly revealed threat. Based on data from LiveGrid®, ESET’s cloud-based malware collection system, hundreds of infections have been detected in Turkey and dozens in the Czech Republic, the United Kingdom and Portugal. This very potent and sophisticated banking malware, dubbed Hesperbot, is spreading via phishing-like emails and also attempts to infect mobile devices running Android, Symbian and Blackberry.

Screenshot of Android component - Android/Spy.Hesperbot.A

Detected as Win32/Spy.Hesperbot, this threat features keylogger capabilities, can create desktop screenshots and video capture, and set up a remote proxy, but also includes some more advanced tricks, such as creating a hidden remote connection to the infected system.


“Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan. ESET products like ESET Smart Security and ESET Mobile Security protect against this malware,” says Robert Lipovsky, ESET malware researcher who leads the team analyzing this threat.


The attackers aim to obtain login credentials that give them access to the victim’s bank account, and to get victims to install a mobile component of the malware on their Symbian, Blackberry or Android phone.

The Czech malware campaign started on August 8, 2013. The perpetrators have registered the domain www.ceskaposta.net.


“It’s probably not surprising that the attackers tried to lure potential victims to open the malware by sending phish-like emails resembling parcel tracking information from the Postal Service. This technique has been used many times before,” says Lipovsky.


The Czech Postal Service responded very quickly by issuing a warning about the scam on their website.

Nevertheless, the country most affected by this banking trojan is Turkey, with Hesperbot detections there dated even earlier than August 8. Recent peaks in botnet activity were observed in Turkey in July 2013, but ESET has also found older samples that go back at least to April 2013. The phishing e-mail that was sent to potential victims purported to be an invoice. A variant of the malware designed to target computer users in Portugal and the United Kingdom has also been found in the wild.


A more detailed analysis of this malware is available in the blog post “Hesperbot – A New, Advanced Banking Trojan in the Wild”, which can be found at WeLiveSecurity.com, ESET’s news platform with the latest information and analysis on cyber threats and useful security tips. Follow-up posts and a white paper about the Hesperbot malware will be published on WeLiveSecurity.com later.

 



About ESET

ESET®, the pioneer of proactive protection and the maker of the award-winning NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 25 years, the Company has continued to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32® Antivirus holds the record number of Virus Bulletin “VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET’s NOD32® technology holds the longest consecutive string of VB100 awards of any AV vendor. ESET has received a number of accolades from AV-Comparatives, AV-TEST and other organizations. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET® has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries.