Banking trojan used in a second round attack against Bundestag

Security researchers at the GData security firm discovered a second stage of the cyber attack on the German Bundestag that exploited a banking trojan to steal data.

In the last weeks, I have reported the various news related to the cyber attack against the Bundestag and a possible involvement of Russian state-sponsored hackers. The media reported that hackers used a sophisticated malware difficult to eradicate from more than 20,000 computers belonging to the German Bundestag.

Security experts at security firm GData spotted a second round of the cyber attack on the German parliament Bundestag, the attackers used a variant of the online banking trojan Swatbanker.

The Swatbanker is a data stealer malware that gathers various kinds of data from the infected machine, including data entered by users into forms and list of last web sites visited by the victims.

The researchers discovered that the operators behind the Swatbanker botnet have integrated new filter functions for the domain “Bundestag.btg,”which is the address of the German parliament’s intranet, between 8 and 10 June 2015.

Bundestag 2Bundestag 2

“At the current time it is unclear whether this is a new, criminally motivated attack or a continuation of the attacks that came to light at the end of May 2015. The G DATA analyses show that new variants of the online banking Trojan Swatbanker have been used. Investigation of the configuration files embedded in the malware has shown that the operators of the Swatbanker botnet integrated new filter functions for the domain “Bundestag.btg” between 8 and 10 June 2015. This is the address for the Bundestag’s intranet.” states the Blog post published by GDATA.

The experts have no evidence that this new wave of attack is linked to the previous one or that it is conducted by a criminally motivated group.

“According to initial analyses, we can assume this is a criminally motivated attack. However, it must also be said that it might be an extension of an existing attack that is simply disguising itself as an “eCrime” copycat.” said Ralf Benzmüller, head of G DATA Security Labs.

“Such data can then be used to attack the relevant server directly,” assesses Ralf Benzmüller.

GData published a technical report related to the last discovery related about the attacks on the German Federal Parliament (Bundestag).

Pierluigi Paganini

(Security Affairs –  State Sponsored hacking, Bundestag)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Palo Alto Networks fixed multiple privilege escalation flaws

Palo Alto Networks addressed multiple vulnerabilities and included the latest Chrome patches in its solutions.…

15 hours ago

Unusual toolset used in recent Fog Ransomware attack

Fog ransomware operators used in a May 2025 attack unusual pentesting and monitoring tools, Symantec…

18 hours ago

Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web

Resecurity researchers found 7.4 million records containing personally identifiable information (PII) of Paraguay citizens on…

1 day ago

Apple confirmed that Messages app flaw was actively exploited in the wild<gwmw style="display: none; background-color: transparent;"></gwmw>

Apple confirmed that a security flaw in its Messages app was actively exploited in the…

2 days ago

Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer…

2 days ago