‘Big Bong’ and Corebot among new banking Trojans

Following the cybersecurity alerts issued earlier this week by Kaspersky Lab, US software company Arbor Networks has released two new threat intelligence reports detailing a Trojan being used to target South Korean banks and a separate banking Trojan believed to be similar to Zeus, Neverquest and Dyreza.

“With financial institutions underpinning whole economies, they’re a particularly choice target vertical for impactful attack,” the company notes.

“Just recently we have seen attacks on HSBC, Invest Bank and of course, JP Morgan. This has prompted the UK and US governments to carry out ‘war games’ to test the financial services sector’s resistance to a cyberattack.”

Arbor’s security engineering and response team, aka ASERT, reports that South Korean banking websites require the use of a Novell Public Key Infrastructure (NPKI) authentication certificate, and it is this that the Trojan targets. With this encrypted data in hand, the threat actor uses a fake banking site to obtain further details, which can then be used to transfer money.

The team has dubbed the banker ‘Big Bong’, and its threat intelligence report, entitled ‘The Big Bong Theory: Conjectures on a Korean Banking Trojan’, offers an in-depth behavioural analysis of the malware from builder to bot and from installation to exfiltration, including obfuscation techniques, certificate use, and virtual private network (VPN)-based communications.

South Korea is not the only country being targeted. The ASERT team has also studied the Corebot banking Trojan. Initially discovered and documented last year by researchers at Security Intelligence, it has since evolved rapidly and, in terms of capabilities such as browser-based web injections, become similar to dominant banking malware such as Zeus, Neverquest and Dyreza – although its impact has so far been much more limited.

However, despite its relative newness, Arbor’s ASERT team predicts “the threat posed by Corebot will increase over the next year or so, perhaps following the same track as those malware families that have gone before it” because it is of such a high calibre.

ASERT began studying and monitoring Corebot shortly after it was initially documented. An in-depth analysis of Corebot’s inner workings is provided in a threat intelligence report entitled ‘Dumping Core: Analytical Findings on Trojan Corebot’, including coverage of its cryptography, network behaviour and banking targets.

