Scylex malware Kit offered for sale in the criminal underground

Pierluigi Paganini August 13, 2016

Experts from Heimdal security firm discovered a new crimeware kit, the Scylex malware kit, that aims to provide Zeus-grade Capabilities.

Security experts from the Heimdal security firm have discovered a new DIY financial crime kit offered for sale on a notorious malicious hacker forum on the dark web called Lampeduza.

The new crime kit, dubbed Scylex malware kit, allows cyber criminals to roll their own ZeuS-like malware. The malware implements the features of common banking trojan, such as stealing online banking passwords, intercept web traffic and of course establish a backdoor on the infected Windows-based machine.

Experts form Heimdal security speculate that crook are trying to replicate the success of the infamous Zeus GameOver threat. Below the statement used by the creators of the Scylex malware kit to advertise their tool:

“The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”

The authors are offering the Scylex malware kit for $7,500+ on the Lampeduza dark web forum, the same forum where card details of the 2014 Target data breach were recently offered for sale.

For an additional $2,000, the buyer can receive the SOCKS5 (Socket Secure) support, which enables attackers to manipulate data transfers between a user’s PC and a specific server through a proxy.

The authors are also offering a “premium” package of the Scylex malware kit that costs $10,000 and includes a HVNC (Hidden Virtual Network Computing) module.

“Hidden VNC is probably one of the most complicated malware features to code and essentially requires coders to implement their own window manager, which is why there are very few unique implementations in the wild (most malware uses a single implementation unimaginatively named HVNC).” states the advertising.

Scylex malware kit

The ad includes a video demo that shows the malware in action, the authors plan to introduce new features such as a DDoS module.

The cyber criminals behind Scylex also claim that they’re working on adding new elements to the brand-new financial malware. Here’s their “roadmap”:

  • Form grabber + Injects support on Microsoft Edge & Opera
  • Spreader (Social networks, PE Infection, Device propagation)
  • Reverse FTP (Silent file system ex-filtration) with backconnect
  • ATS-Engine (to-be integrated into web-injects), we will write our own
  • DDoS module (aimed for max efficiency/output like specific ddos bot)
  • Click Bot (CPM/PPC).

Heimdal Security published the full ad, in a blog post.

Is the Scylex Financial Crime Kit a real threat?

“So far, Scylex hasn’t been spotted in the wild, so the claims made in the advertisement posted on Lampeduza forum can’t be verified at the moment. However, both the video and the detailed description of what this new financial malware can do are strong evidence that the crime kit may indeed be real.” states the post published by Heimdal security.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Scylex malware kit, cybercrime)

you might also like

leave a comment