Malware, Vulnerability Management

Sinowal data-stealing trojan has infected half million PCs

The Sinowal trojan, also known and Torpig and Mebroot, has infected more than 500,000 PCs worldwide, according to new information from the RSA Fraud Action Research Lab.

In a blog post on Friday, the lab detailed research findings about the 3-year-old trojan.

They are significant because of the length of the trojan's lifespan and the sheer enormity of the find, Sean Brady, product marketing manager, RSA, told SCMagazineUS.com.

“RSA has never found a repository like this to date,” Brady said.

Dating back as far as 2006, the trojan has captured more than half- million credentials and targeted more than 2,700 different financial service domains worldwide, Brady said.

The more than half-million credentials stolen are nearly split between login and credit card information. About 270,000 banking login credentials, equivalent to usernames and passwords, were stolen worldwide. And some 240,000 credit and debit card numbers and expiration dates were stolen as well, Brady said.

RSA said that originally the trojan had strong ties to the notorious Russian Business Network (RBN) but that appears to be no longer the case.

Brady would not reveal which financial institutions were targeted but said that most were large financial services firms in various locales. Accounts were compromised in North America, Europe, Poland, Spain, the Czech Republic, Germany, the Netherlands, Poland, Italy, the Asia-Pacific region and Latin America, he said.

The trojan is sophisticated and infects victims using drive-by download exploits. Simply visiting one of the vulnerable websites will execute the trojan. The trojan installs code into the PCs' Master Boot Record, making it difficult to detect and extract, Brady said.
 
When a user visits a domain coded as a trigger for the trojan, it executes, injecting HTML on the victim's PC. A new web page or information fields appear, asking the user to input personal information. The information request, such as for Social Security numbers, can be a giveaway, because most banks never just randomly request such data.

The RSA Anti-Fraud Command Center said it is notifying law enforcement and the affected financial institutions about the trojan.

Related

GitHub search exploited for malware distribution

Malware-laced GitHub repositories using popular names and topics are being advanced by threat actors through automated updates and fraudulent stars meant to manipulate the leading software developer platform's search rankings as part of a new open-source supply chain attack, The Hacker News reports.

Rhadamanthys infostealer deployed via AI-based PowerShell

Several organizations across Germany have been targeted by suspected initial access broker TA547, also known as Scully Spider, with attacks using a generative artificial intelligence-based PowerShell to deliver the Rhadamanthys information-stealing malware, reports BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.