Banking Trojan Hesperus spreads

Malware threatens banking and finance sectors

Vibin Shaju from McAfee says the current version of the Hesperus Trojan could be a testing phase.
By Georgina Enzer, published November 6, 2013

Hesperus is a newly discovered banking malware that is used to steal information, mainly online banking credentials, from affected users. It is currently attacking users in Portugal, Turkey and the Czech Republic, according to McAfee. The main purpose of a banking Trojan is not to attack the bank itself but to attack the bank's customers.

“The functionality of this is probably similar to SpyEye and other banking Trojans. The initial Trojan is delivered to a user over email or through a website they visit, known as a watering hole attack, and once it is delivered to the user the code will inject itself into major processes like explorer.exe to make it more of a legitimate process,” said Vibin Shaju, regional manager, Sales Engineering at McAfee.

Hesperus uses a valid SSL-encrypted tunnel back to the command and control server the attacker hosts, and because the traffic travels inside that SSL tunnel, its content cannot be inspected on the wire, which makes the malware harder to detect.

Once SSL communication with the CNC server is in place, the Trojan downloads further malicious modules from the CNC server, including a keylogger, a screen recorder and a smart card reader.
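The article's point is that an SSL tunnel to the CNC server hides the content of the malware's traffic, so a defender cannot rely on inspecting what is sent. One response is to key on which process opened the connection rather than on its payload: explorer.exe, the process the article says the Trojan injects into, normally has no reason to originate outbound TLS sessions. The script below is an added example, not code from the article or from McAfee. The telemetry format, the sample log lines, the list of unexpected initiating processes and the destination allowlist are all constructed for illustration and would need tuning to a real environment.

```python
"""Flag outbound TLS (port 443) sessions originated by Windows processes that
normally have no business opening them, e.g. explorer.exe, using per-process
network telemetry. Added example; log format and data are constructed."""
import csv
import io
from dataclasses import dataclass

# Assumption for this example: on a typical workstation these processes should
# not be the originator of outbound TLS sessions. Tune to the environment.
UNEXPECTED_TLS_INITIATORS = {"explorer.exe", "svchost.exe", "winlogon.exe"}

# Constructed allowlist of destinations such processes may legitimately reach.
DEST_ALLOWLIST = {"update.example-corp.internal"}

# Constructed sample telemetry: one row per outbound session, with the
# originating process recorded by an endpoint agent.
SAMPLE_LOG = """\
ts,host,process,dest,dport,bytes_out
2013-11-06T09:00:01,WS01,chrome.exe,mail.example.com,443,5120
2013-11-06T09:00:07,WS01,explorer.exe,update.example-corp.internal,443,900
2013-11-06T09:01:12,WS02,explorer.exe,203.0.113.7,443,18432
2013-11-06T09:01:40,WS02,explorer.exe,203.0.113.7,443,2201
2013-11-06T09:02:03,WS03,svchost.exe,192.0.2.55,443,640
"""


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    dest: str
    sessions: int
    bytes_out: int


def parse_log(text: str) -> list[dict]:
    """Parse the constructed CSV telemetry into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unexpected_tls(records: list[dict]) -> list[Finding]:
    """Group port-443 sessions by (host, process, destination) and report the
    groups whose originating process is on the unexpected list and whose
    destination is not allowlisted. Sessions and bytes are summed so a
    beaconing pattern (several small sessions to one host) stands out."""
    agg: dict[tuple[str, str, str], tuple[int, int]] = {}
    for r in records:
        if r["dport"] != "443":
            continue
        proc = r["process"].lower()
        if proc not in UNEXPECTED_TLS_INITIATORS:
            continue
        if r["dest"] in DEST_ALLOWLIST:
            continue
        key = (r["host"], proc, r["dest"])
        sessions, total = agg.get(key, (0, 0))
        agg[key] = (sessions + 1, total + int(r["bytes_out"]))
    findings = [Finding(h, p, d, s, b) for (h, p, d), (s, b) in agg.items()]
    return sorted(findings, key=lambda f: (f.host, f.process, f.dest))


if __name__ == "__main__":
    for f in find_unexpected_tls(parse_log(SAMPLE_LOG)):
        print(f"{f.host}: {f.process} -> {f.dest} "
              f"({f.sessions} sessions, {f.bytes_out} bytes out)")
```

Run against the constructed sample, the rule reports explorer.exe on WS02 talking to 203.0.113.7 (two sessions) and svchost.exe on WS03, while the allowlisted explorer.exe session on WS01 and the browser traffic are ignored. The design choice is deliberate: when the tunnel is valid SSL and cannot be opened, the identity of the process that created it and the reputation of the destination are the signals that remain.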

“The initial task is to establish the encrypted communication to the CNC server and then eventually download more stuff into the user machine,” said McAfee’s Shaju.

The Trojan is currently in place to steal user credentials from some users of European banks, but this could be a testing phase for a bigger plot, according to McAfee.

“If the customer does not have a bank account, unlike a normal banking Trojan, this one harvests log-in credentials to social media and other websites, so it can get the maximum presence out of the user computer rather than just looking for banking details, although it is primarily known as a banking Trojan,” said Shaju.
