Financial malware 'i2Ninja' being sold on Russian cyber crime forum

Although it has yet to be discovered in the wild, researchers have uncovered a sneaky piece of financial malware, known as i2Ninja, being sold on a Russian cyber crime forum.

The peer-to-peer trojan – which can be used to steal credit card and other financial information – is likely to infect systems via drive-by infection, fake advertisements and bogus links, Etay Maor, fraud prevention solutions manager at Trusteer, told SCMagazine.com on Wednesday. He added that specific targets may also be infected through spear phishing.

“While the malware offers different HTML injection capabilities [targeting poker sites and grabbing email], it will also soon offer a virtual network computing (VNC) module just like all other major malware families,” Maor said, using trojan variants such as Zeus, Citadel and SpyEye as examples. “Once a VNC capable malware infects a device, the attacker's options are almost limitless.”

The i2Ninja malware takes its name from I2P, a layer of networking similar to Tor that uses cryptography to provide secure communications. Maor said I2P is a “true Darknet” that offers better protection than Tor, and explained how the added security layer makes it more difficult to research and understand the malware's infrastructure and capabilities.

However, Maor said he still thinks it is only a matter of time before the I2P encryption is broken – similar to how the FBI made a big arrest on Tor in August by exploiting a Firefox vulnerability – and added that the attackers using i2Ninja likely understand this, as well.

It is unclear just how much of a threat i2Ninja represents right now, Maor said, but the malware seems to be in high demand.

“The cyber criminal offering the malware in the underground indicated he has enough business due to the malware's underground publicity and indicated he cannot handle more requests to buy the malware,” Maor said. “The cyber criminal who posted the information regarding i2Ninja is a known and credible forum member.”

Although Trusteer researchers are still investigating i2Ninja, Maor advises defending against it with endpoint software capable of identifying such malware, combined with web-based solutions that can identify incoming infected devices and correlate high-risk events.
