Australian Banks Targeted By Hesperbot Malware

Australian banks and other large enterprises are being targeted by the banking trojan Hesperbot. According to ESET, which has been actively investigating Hesperbot since September 2013, the campaign puts the financial information of millions of customers at risk.

Robert Lipovsky, a malware researcher with ESET, told us: "It's difficult to ascertain why they chose Australia specifically. From what we have seen, the Hesperbot gang has continually been expanding their operations to different regions. The threat was first observed in Turkey, and Turkey remains to this day the most targeted country. The Czech Republic is the second most affected country. The Czech campaigns started in September 2013, when we started an active investigation of the botnets. At that time, the other targeted countries were Portugal and the U.K."

Hesperbot spreads via phishing emails and also attempts to infect mobile devices running Android, Symbian and BlackBerry. Detected as Win32/Spy.Hesperbot, the malware includes a keylogger, can capture screenshots and video, and can set up a remote proxy on the infected host.

"As is the case with other botnets, the Hesperbot-infected bot will establish a communication channel with its Command & Control server," said Lipovsky. "Hesperbot binaries, specifically, contain several hard-coded C&C domains, and also include a domain-generation algorithm which can generate 50 additional domains to contact as a backup, in case the hard-coded ones aren't responding. The domains and DGA change between variants."
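The contact order Lipovsky describes (hard-coded C&C domains first, DGA output as a backup) and the matching defender-side check against DNS logs, as an added Python example. This is not ESET's or Hesperbot's code: the DGA below is a hypothetical stand-in built from SHA-256, since the article gives no details of the real algorithm, and the seed, domain names and DNS log lines are constructed for the example.

```python
"""Illustrative C&C contact order and DNS-log matching.

Added example; not ESET's analysis code and not Hesperbot's real DGA. The
algorithm below (SHA-256 over a seed, the date and a counter) is a
hypothetical stand-in: the article says the real domains and DGA change
between variants and gives no details.
"""
import hashlib
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed values: the seed and these domains come from no real sample.
HARDCODED_C2 = ["cc-one.example", "cc-two.example"]
TLDS = [".com", ".net", ".org", ".info"]
SAMPLE_SEED = b"constructed-seed"
SAMPLE_DAY = date(2013, 11, 19)


def generate_dga_domains(seed: bytes, day: date, count: int = 50) -> List[str]:
    """Derive `count` deterministic backup domains for one day. A defender who
    has recovered the seed runs the same function to precompute the list."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + TLDS[digest[12] % len(TLDS)])
    return domains


def choose_c2(reachable: Set[str], seed: bytes, day: date) -> Optional[str]:
    """Bot-side order the article describes: hard-coded C&C domains first,
    DGA output only as a backup when none of them answers."""
    for d in HARDCODED_C2:
        if d in reachable:
            return d
    for d in generate_dga_domains(seed, day):
        if d in reachable:
            return d
    return None


def find_c2_queries(dns_log: List[str], seed: bytes, day: date) -> List[Tuple[str, str, str]]:
    """Defender-side: flag log lines that resolve a hard-coded or DGA C&C name.
    Assumed log format (constructed): '<client-ip> <queried-name>' per line."""
    dga = set(generate_dga_domains(seed, day))
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, name = parts
        name = name.rstrip(".").lower()
        if name in HARDCODED_C2:
            hits.append((client, name, "hardcoded"))
        elif name in dga:
            hits.append((client, name, "dga"))
    return hits


# Constructed DNS log: two clients resolving C&C names among ordinary traffic.
_dga_today = generate_dga_domains(SAMPLE_SEED, SAMPLE_DAY)
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com.",
    "10.0.0.5 " + HARDCODED_C2[0] + ".",
    "10.0.0.7 " + _dga_today[3] + ".",
    "10.0.0.9 mail.example.net.",
    "10.0.0.7 " + _dga_today[49].upper(),
]

if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_DNS_LOG, SAMPLE_SEED, SAMPLE_DAY):
        print(hit)
```

The practical point is the last function: once a sample's DGA and seed are recovered, the day's 50 candidate names can be precomputed and matched (or sinkholed) before any bot has to fall back to them, and the hard-coded names are checked in the same pass.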

The attackers aim to obtain login credentials that give them access to the customer's bank account, and attempt to lure users into installing a mobile component of the malware on their Symbian, BlackBerry or Android phone.

The trojan can update itself, execute new modules and receive configuration files. It also exfiltrates data from the infected host: login credentials intercepted by the form-grabber component, keylogger logs, and a video assembled from screenshots of the online-banking login sequence.

Lipovsky says that targeted individuals are lured into installing the mobile component themselves through social engineering. Based on its configuration file, the web-injection component modifies specified online banking websites to include a fraudulent web form. The form instructs the user to install a new security module on their smartphone, purportedly issued by the bank.

"In the Australian case, it's called 'NetCode Smartphone Security'. Of course, this is all false and installing this application leads to an infected smartphone," he said.
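How a configuration-driven web inject of the kind described above alters a login page inside the victim's browser, and how comparing the rendered page with what the server actually sent exposes the added fields, as an added Python example that is not part of the original article. The rule format (url_mask / data_before / data_after / data_inject), the sample page and the field names are constructed stand-ins, not Hesperbot's configuration.

```python
"""Illustrative web-inject rule and form-field diff.

Added example; not Hesperbot's code or ESET's analysis. The rule format is a
simplified, hypothetical stand-in for the configuration the article describes.
"""
from fnmatch import fnmatch
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed rule: add a fake "smartphone security module" prompt to a login form.
SAMPLE_RULE = {
    "url_mask": "https://onlinebanking.example/login*",
    "data_before": '<form id="login"',
    "data_after": "</form>",
    "data_inject": (
        '<p class="notice">Please install the new smartphone security module.</p>'
        '<label>Mobile number <input name="mobile_number"></label>'
        '<label>Phone model <input name="phone_model"></label>'
    ),
}

# Constructed page, as the bank's server would send it (no extra fields).
SAMPLE_PAGE = (
    '<html><body><form id="login" action="/auth" method="post">'
    '<input name="customer_id"><input name="password" type="password">'
    '<input type="submit" value="Log in"></form></body></html>'
)


def apply_inject(url: str, html: str, rule: Dict[str, str]) -> str:
    """Simulate the browser-side inject: if the URL matches the mask, insert
    data_inject just before the first data_after that follows data_before.
    The page is returned unchanged when the URL or the markers don't match."""
    if not fnmatch(url, rule["url_mask"]):
        return html
    start = html.find(rule["data_before"])
    if start == -1:
        return html
    end = html.find(rule["data_after"], start)
    if end == -1:
        return html
    return html[:end] + rule["data_inject"] + html[end:]


class _FormFields(HTMLParser):
    """Collect the name attribute of every input-like element."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name)


def form_fields(html: str) -> Set[str]:
    parser = _FormFields()
    parser.feed(html)
    return parser.fields


def unexpected_fields(reference_html: str, rendered_html: str) -> List[str]:
    """Defender-side check: fields present in what the browser renders but
    absent from what the server sent. Sorted for stable output."""
    return sorted(form_fields(rendered_html) - form_fields(reference_html))


if __name__ == "__main__":
    rendered = apply_inject("https://onlinebanking.example/login?lang=en", SAMPLE_PAGE, SAMPLE_RULE)
    print(unexpected_fields(SAMPLE_PAGE, rendered))
```

Because the modification happens inside the victim's browser, the HTML the server sent is clean and the bank's web logs show nothing unusual; the comparison above only works from a vantage point that can see the rendered page, which is why this class of inject is hard to spot server-side and why any page that suddenly asks for a phone number and model to "install a security module" deserves out-of-band confirmation with the bank.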

Lipovsky, who leads the ESET team analysing this threat, says that Hesperbot has "similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known Trojan".

Over the past few weeks, ESET researchers have seen Hesperbot activity roughly double compared with the average number of detections in the preceding weeks. Australia is now the third most affected country, behind Turkey and the Czech Republic, which hold the unwanted crown as the most affected.


This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Anthony Caruana