Hesperbot, the new powerful banking trojan found by ESET

Hesperbot is the name of a new banking trojan detected by ESET, it is a very potent malware which includes some very advanced tricks.

Hesperbot is the name of the last banking trojan detected by security firm ESET, a malware that due its effectiveness could create serious problems to banks and financial institutions.

Just yesterday I wrote about the evolution of cyber threats targeting online banking services, Hesperbot (Win32/Spy.Hesperbot) is specifically designed to elude mobile multi-factor authentication processes based on mobile devices.

Security researchers revealed that the Hesperbot trojan hit prevalently users located in UK, Turkey, the Czech Republic and Portugal, the malicious code emulates the behaviors of most popular predecessors Zeus and Spy Eye.

“Analysis of the threat revealed that we were dealing with a banking trojan, with similar functionality and identical goals to the infamous Zeus and SpyEye, but significant implementation differences indicated that this is a new malware family, not a variant of a previously known trojan.”

The first instances of the malware were detected in the Czech Republic, the cyber criminals used phishing emails to spread the Hesperbot trojan, the messages impersonate the country’s postal service to deceive victims.

Singular the revelation of ESET on the variant discovered in the UK for which the malware authors have created a specific code, the security firm hasn’t provided further detail on it probably because the investigation is still ongoing. The following graph represents the detection statistics of Win32/Spy.Hesperbot according to ESET LiveGrid:

 

Hesperbot has the same characteristics of well-known banking malware, it is able to grab victim’s video creating screenshots and video capture, is set up a remote proxy for the attackers and has a keystroke logging feature.

The malicious code is used by cybercriminals to steal banking credentials, exactly as seen for other malware the attack includes the impairment of the victim’s mobile.

Hesperbot is able to compromise Android, Symbian and Blackberry mobile OSs, one of the most interesting features implemented by the authors is the capability to create a VNC server on the victim’s system and is able to intercept network traffic using HTML injection techniques.

The trojan also harvests email addresses from the victims and send them to C&C server, the email addresses could be used to expand infection or to arrange further malware based attacks.

Hesperbot is considered by ESET experts a very potent banking trojan which features common functionalities and also includes some more advanced tricks … banks must follow its evolution with maximum attention.

Pierluigi Paganini

(Security Affairs – Hesperbot , banking, cybercrime)