Banking trojan used in a second round attack against Bundestag

Security researchers at the GData security firm discovered a second stage of the cyber attack on the German Bundestag that exploited a banking trojan to steal data.

In the last weeks, I have reported the various news related to the cyber attack against the Bundestag and a possible involvement of Russian state-sponsored hackers. The media reported that hackers used a sophisticated malware difficult to eradicate from more than 20,000 computers belonging to the German Bundestag.

Security experts at security firm GData spotted a second round of the cyber attack on the German parliament Bundestag, the attackers used a variant of the online banking trojan Swatbanker.

The Swatbanker is a data stealer malware that gathers various kinds of data from the infected machine, including data entered by users into forms and list of last web sites visited by the victims.

The researchers discovered that the operators behind the Swatbanker botnet have integrated new filter functions for the domain “Bundestag.btg,”which is the address of the German parliament’s intranet, between 8 and 10 June 2015.

“At the current time it is unclear whether this is a new, criminally motivated attack or a continuation of the attacks that came to light at the end of May 2015. The G DATA analyses show that new variants of the online banking Trojan Swatbanker have been used. Investigation of the configuration files embedded in the malware has shown that the operators of the Swatbanker botnet integrated new filter functions for the domain “Bundestag.btg” between 8 and 10 June 2015. This is the address for the Bundestag’s intranet.” states the Blog post published by GDATA.

The experts have no evidence that this new wave of attack is linked to the previous one or that it is conducted by a criminally motivated group.

“According to initial analyses, we can assume this is a criminally motivated attack. However, it must also be said that it might be an extension of an existing attack that is simply disguising itself as an “eCrime” copycat.” said Ralf Benzmüller, head of G DATA Security Labs.

“Such data can then be used to attack the relevant server directly,” assesses Ralf Benzmüller.

GData published a technical report related to the last discovery related about the attacks on the German Federal Parliament (Bundestag).

Pierluigi Paganini

(Security Affairs –  State Sponsored hacking, Bundestag)