Researchers believe that a fraud scheme to launch malware against customers at 30 U.S. banks is still moving forward, though organizers behind the plot are laying low before they strike next spring.
The findings from McAfee also disclosed new information about an earlier Gozi Prinimalka campaign, between March and April of this year, when attackers infected at least 500 individuals throughout the United States with the trojan. The company also discovered that the group would be ready to strike as early as next spring.
Gozi Prinimalka, which lets fraudsters initiate unauthorized wire transfers from victims' accounts by hijacking live banking sessions, has been updated by its developers over the years to carry out the same malicious tricks as the widespread banking trojans Zeus and SpyEye.
Limor Kessem, an intelligence expert at RSA's FraudAction Research Lab, told SCMagazine.com on Thursday that the major difference between Prinimalka, introduced in 2008, and major players like Zeus and SpyEye is that the latter are available commercially on underground markets, whereas Prinimalka is sold privately.
“We have really analyzed and reverse-engineered Gozi since around 2010,” Kessem said. “We saw that it's added a lot of features that we know from Zeus and SpyEye – for instance, man-in-the-browser automated capabilities.”
Ryan Sherstobitoff, threat researcher at McAfee, told SCMagazine.com on Thursday that each malicious binary is encrypted uniquely, which helps the trojan to evade detection.
“You would have to update your anti-virus setting every time to detect it,” Sherstobitoff said. “Any future variant should be detected using behavior-based anti-virus [solutions].”
Researchers at McAfee believe national and investment banks in the U.S. will be the major targets of the Prinimalka fraudsters, with a small percentage of targets being credit unions. The group will likely continue its previous strategy: strike, then disappear until the next campaign unfolds.
“This could very well be a threat in 2013,” Sherstobitoff said.