Buhtrap banking malware infiltrates popular Russian boxing website

Banking malware can be found in the strangest places, and a contender has been found in popular boxing website allboxing.ru. The site, which has more than three million visitors per month, was infected with code that redirected users to a third-party site containing an exploit and a Russian banking Trojan.

Discovered by Forcepoint Security Labs, the code was well hidden amidst the legitimate strings in the site by using the same formatting style. The author of the exploit also tried to work in a malicious script from their own site – but the injection fails if the user is browsing with Chrome or Opera. The redirected URL also uses a dash of social engineering – it includes the term “canvas” to lull suspicious boxing fans into thinking they’re headed for another site in the industry.

Sneakiest of all the author’s anti-detection methods, however, is code which analyses the user’s interaction with the site and only attempts an attack if the threshold goes above 30 actions. This tactic, says Forcepoint, ensures that it doesn’t attempt to attack malware scanning and analysis programs that sweep the site for infection.

Once it’s sure the victim is human, the script attacks and downloads the Buhtrap Russian banking Trojan, a malware suite that has been active since around 2014 and managed to defraud $25.7 million in 2015. “Attackers are getting better at disguising the code they inject into compromised websites,” says Forcepoint Security Analyst Nicholas Griffin. “Websites with high volumes of traffic are a popular choice for attackers, and this is especially true if the bulk of the traffic is from a specific region of the world of interest to the attacker.”

Buhtrap, he adds, appears to be the criminal’s suite of choice following the arrest and takedown of those using the Lurk banking Trojan.
