
New, harder-to-detect Bugat malware used in LinkedIn attacks

Warwick Ashford

IT security researchers have warned of the emergence of a new, better-hidden version of the Bugat financial malware used to commit online fraud.

Bugat was distributed in the recent phishing campaign targeting LinkedIn users, which was generally considered to be trying to infect machines with the more common Zeus Trojan.


In the most recent attacks, LinkedIn users received e-mails reminding them of pending messages in their account and providing a link to a fraudulent website, where a Java applet fetched and installed the Bugat executable.

The new version of Bugat appears to be an attempt by criminals to diversify their attack tools using a platform that is less well known and therefore harder to detect and block, according to researchers at security firm Trusteer.

Like Zeus, Clampi and Gozi, Bugat targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen credentials are then used to commit fraudulent transactions.

Criminals are stepping up their malware distribution efforts by continuously updating configurations of well-known malware such as Zeus, and using new versions of less common Trojans like Bugat to avoid detection, said Mickey Boodaei, chief executive of Trusteer.

"We are in an arms race with criminals. Although Zeus gets a lot of attention from law enforcement, banks and the security industry, we need to be vigilant against new forms of financial malware like Bugat and SpyEye, which are just as deadly and quietly expanding their footprint across the internet," he said.

Trusteer researchers warn that the recent industry focus on Zeus is making it easier for other Trojans, such as Bugat, SpyEye and Carberp, which are less widespread but equally sophisticated, to avoid detection.

They expect these lesser-known financial malware platforms to grow in popularity and eventually replace Zeus as the Trojan of choice.


 
