Surge in 'Viknok' infections bolsters click fraud campaign

Researchers detected over 16,500 Viknok infections in the first week of May alone.

A trojan called “Viknok,” which targets Windows users' online banking credentials, is currently being used to further click fraud scams, researchers found.

First detected in April 2013, Viknok has now been linked to over 16,500 infections that occurred in the first week of May alone. On Thursday, Andrea Lelli, a researcher at Symantec, revealed in a blog post that scammers had increasingly leveraged the trojan over the past six months, though an actual “spike” in infections was detected last month, when 22,000 infections occurred.

Lelli added that the majority of victims struck in early May were in the U.S.

According to Lelli, the trojan targets DLL [dynamic link library] files with a malicious payload and has "evolved into a sophisticated threat capable of obtaining elevated operating system privileges," in order to infect files on multiple Windows platforms, including the 32- and 64-bit versions of Windows XP, Vista and 7.

Once the trojan infects users, attackers use the malware to bolster click fraud campaigns in which users are unknowingly redirected to ads. Symantec noted that some victims heard “random audio playback through their compromised computers,” due to various ads that played in the background.

Of note, Viknok uses a number of tricks to silently infect core system files, Lelli wrote, but the “most powerful” technique entails exploitation of a Windows privilege escalation vulnerability (CVE-2013-3600). This exploit allows Viknok to run code in kernel mode, she explained.

“The threat's purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts,” Lelli wrote. “The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.”

Infected rpcss.dll system files go on to download “Vikadclick,” another Windows trojan that performs malicious activities allowing click fraud.

On Thursday, Satnam Narang, a security response manager at Symantec, told SCMagazine.com in an interview that researchers are still investigating how saboteurs delivered Viknok to users' computers.

In his expert opinion, however, scammers often deliver such threats via exploit kits, which take advantage of users running vulnerable software.

“I think it's probably an exploit kit delivering [Viknok] through a downloader,” Narang said. “Typically we see that, but we are still investigating.”

As Viknok targets multiple Windows platforms, Satnam advised users to keep their systems updated with the latest patches to avoid infection. He also recommended that users implement security software that can protect and repair targeted files.
