Channel: BOT24

“HEY BRIAN, HEYA HOMER, FANCY MEETING YOU HERE!” – ZEUS GOOTKIT, 2014 AD

A new Trojan, composed mainly of Node.js and native C++ code, currently targets a few French online banking websites. Delivered inside a bootkit from the Cidox/Rovnix family, it fully qualifies as banking malware, all the more so because it inherits its search and web-inject mechanisms from the infamous Zeus Trojan.

Its main characteristics are:

Infects the VBR (Volume Boot Record) of the bootable NTFS partition.
Stores its Node.js and C++ payload and the associated configuration file, respectively 5.4 MB and 28 KB in size, encrypted within registry keys.
Injects malicious code into Internet browsers as well as services.exe, csrss.exe and explorer.exe.
Deploys stealth mechanisms by hiding its injections in a DLL and its VBS-based compromise.
Routes its communications over WSS (WebSocket Secure).

All French banks targeted by this attack, as observed by CERT-LEXSI, have been alerted.
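The payload and configuration above are parked, encrypted, inside registry values that are far larger than anything a normal application stores there. One defender-side check that follows from this is to scan a registry export for binary values that are both large and close to incompressible (encrypted data scores near 8 bits of entropy per byte). The script below is an added example written for this post; it is not code from CERT-LEXSI or from the malware analysis. It parses the .reg export format offline, and the size and entropy thresholds, the key path and the sample export are all assumptions or constructed data, not indicators taken from the analysis.

```python
"""Heuristic scan of a Windows registry export (.reg) for large, high-entropy
binary values, the kind of place an encrypted bootkit payload and its
configuration could be stored.  Hypothetical example: thresholds are
assumptions and the sample export is constructed."""
import hashlib
import math
import re

# Matches REG_BINARY ("hex:") and other hex-typed values ("hex(7):" and so on).
_HEX_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _join_continuations(text: str) -> list:
    """Fold .reg line continuations (trailing backslash) into single logical lines."""
    lines, buf = [], ''
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith('\\'):
            buf += stripped[:-1]
        else:
            lines.append(buf + stripped)
            buf = ''
    if buf:
        lines.append(buf)
    return lines


def parse_reg_export(text: str) -> dict:
    """Return {(key_path, value_name): bytes} for every hex-typed value.
    String and DWORD values are ignored; the key comes from the [...] headers."""
    values, key = {}, None
    for line in _join_continuations(text):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _HEX_VALUE_RE.match(line)
        if m is None:
            continue
        blob = bytes(int(h, 16) for h in m.group('data').split(',') if h.strip())
        values[(key, m.group('name'))] = blob
    return values


def find_suspicious_blobs(text: str, min_size: int = 64 * 1024,
                          min_entropy: float = 7.5) -> list:
    """Flag binary values that are both large and nearly incompressible.
    Defaults are assumptions: a multi-megabyte encrypted payload is far above
    64 KiB, and encrypted data scores near 8.0 bits/byte, while legitimate
    configuration blobs are usually smaller or structured enough to score lower."""
    hits = []
    for (key, name), blob in parse_reg_export(text).items():
        ent = shannon_entropy(blob)
        if len(blob) >= min_size and ent >= min_entropy:
            hits.append((key, name, len(blob), round(ent, 2)))
    return sorted(hits, key=lambda h: -h[2])


# ---- constructed sample export (not real malware data) ----

def _pseudo_random_bytes(n: int, seed: bytes = b'constructed-sample') -> bytes:
    """Deterministic stand-in for an encrypted blob, built by chaining SHA-256."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def _format_hex_value(name: str, blob: bytes, per_line: int = 25) -> str:
    """Render a value as regedit does: comma-separated hex, backslash-continued lines."""
    hexs = [f'{b:02x}' for b in blob]
    chunks = [','.join(hexs[i:i + per_line]) for i in range(0, len(hexs), per_line)]
    return f'"{name}"=hex:' + ',\\\n  '.join(chunks)


def build_sample_reg() -> str:
    """A constructed export: one string value, one tiny binary, one large random blob."""
    return '\n'.join([
        'Windows Registry Editor Version 5.00',
        '',
        r'[HKEY_LOCAL_MACHINE\SOFTWARE\ConstructedSample]',  # hypothetical key
        '"Vendor"="example"',
        _format_hex_value('Small', b'\x01\x02\x03'),
        _format_hex_value('Payload', _pseudo_random_bytes(2048)),
        '',
    ])


SAMPLE_REG = build_sample_reg()

if __name__ == '__main__':
    # Threshold lowered so the 2 KiB constructed blob is flagged; on a real
    # export (decode it from UTF-16LE first) keep the defaults or tune to a baseline.
    for key, name, size, ent in find_suspicious_blobs(SAMPLE_REG, min_size=1024):
        print(f'{key}\\{name}: {size} bytes, entropy {ent} bits/byte')
```

Real `reg export` output is UTF-16LE with a byte-order mark, so decode the file before passing it to `find_suspicious_blobs`. The entropy threshold is the part worth tuning: compressed images or certificates stored in the registry can also score high, so treat a hit as something to triage against a known-good baseline rather than as a verdict.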

More here: http://www.lexsi-leblog.com/cert-en/hey-brian-heya-homer-fancy-meeting-you-here-zeus-gootkit-2014-ad.html
