i2Ninja – A new financial malware being sold on Russian underground

Pierluigi Paganini November 22, 2013

Trusteer researchers have uncovered a sneaky piece of financial malware, known as i2Ninja, being sold on a Russian cyber crime forum.

A new financial malware dubbed i2Ninja menaces banking, despite it has yet to be discovered in the wild, researchers at the IBM company Trusteer have found a sneaky piece of the malicious code on the underground.

i2Ninja is being sold on a Russian cybercrime forum, the  underground provides at the ideal marketplace for buying and selling malicious code or to request their customization exploiting the sale model known as  malware-as-a-service. In the past financial malware such as Zeus, Spyeye,Carberp, Citadel and many others financial malware were proposed on black market forums allowing the authors to remain low profile.

i2Ninja is a peer-to-peer trojan that can be used by cyber criminals to steal credit card and other financial information, it presents the same features of the most popular financial malware. The i2Ninja malware takes its name from I2P, an anonymizing network similar to Tor.

“According to a post on the Russian cybercrime forum, i2Ninja offers a similar set of capabilities to the ones offered by other major financial malware: HTML injection and form grabbing for all major browsers (Internet Explorer, Firefox and Chrome), FTP grabber and a soon to be released VNC (Virtual Network Connection) module. In addition, the malware also provides a PokerGrabber module targeting major online poker sites and an email grabber.”

The infection process is the classic drive-by infection schema proposing to the victims fake advertisements and bogus links, but the malware could be used to infect specific targets through spear phishing campaign.

i2Ninja has different HTML injection capabilities and will soon provide a virtual network computing (VNC) module for remote control like other popular malware families.

“Once a VNC capable malware infects a device, the attacker’s options are almost limitless.” said Etay Maor, fraud prevention solutions manager at Trusteer.

Another interesting capability of i2Ninja is that It could be used also to target users of gaming websites like poker sites and grabbing email.

Maor sustains that the use of I2P is a winning choice, I2P is the “true Darknet” that offers better protection than Tor and makes more difficult to research and understand the malware’s infrastructure and capabilities, but the researcher also added that it is only a matter of time before the I2P encryption is broken like happened for Tor in the case of the exploiting of a Firefox vulnerability.

“Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command and control server. Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity. “

It is not easy to predict the impact of i2Ninja on the banking but the malware seems to be in high demand.

“The cyber criminal offering the malware in the underground indicated he has enough business due to the malware’s underground publicity and indicated he cannot handle more requests to buy the malware,” “The cyber criminal who posted the information regarding i2Ninja is a known and credible forum member.” Maor said.

Below is a translation from Russian post of the ad for i2Ninja:


Last observation on the malware is related to the customer service offered by the authors,  i2Ninja provides an integrated help desk via a ticketing system within the malware’s command and control. A potential buyer can interact with support team always in an anonymous way via I2P.

“While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first.”

Cybercriminal activities are growing at an alarming rate, the release of various malware source code and the sale of new malicious agents are evidence of the fertility of the underground.

Pierluigi Paganini

(Security Affairs – Financial malware, i2Ninja)

you might also like

leave a comment