Scylex malware Kit offered for sale in the criminal underground

Experts from Heimdal security firm discovered a new crimeware kit, the Scylex malware kit, that aims to provide Zeus-grade Capabilities.

Security experts from the Heimdal security firm have discovered a new DIY financial crime kit offered for sale on a notorious malicious hacker forum on the dark web called Lampeduza.

The new crime kit, dubbed Scylex malware kit, allows cyber criminals to roll their own ZeuS-like malware. The malware implements the features of common banking trojan, such as stealing online banking passwords, intercept web traffic and of course establish a backdoor on the infected Windows-based machine.

Experts form Heimdal security speculate that crook are trying to replicate the success of the infamous Zeus GameOver threat. Below the statement used by the creators of the Scylex malware kit to advertise their tool:

“The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”

The authors are offering the Scylex malware kit for $7,500+ on the Lampeduza dark web forum, the same forum where card details of the 2014 Target data breach were recently offered for sale.

For an additional $2,000, the buyer can receive the SOCKS5 (Socket Secure) support, which enables attackers to manipulate data transfers between a user’s PC and a specific server through a proxy.

The authors are also offering a “premium” package of the Scylex malware kit that costs $10,000 and includes a HVNC (Hidden Virtual Network Computing) module.

“Hidden VNC is probably one of the most complicated malware features to code and essentially requires coders to implement their own window manager, which is why there are very few unique implementations in the wild (most malware uses a single implementation unimaginatively named HVNC).” states the advertising.

The ad includes a video demo that shows the malware in action, the authors plan to introduce new features such as a DDoS module.

“The cyber criminals behind Scylex also claim that they’re working on adding new elements to the brand-new financial malware. Here’s their “roadmap”:

Form grabber + Injects support on Microsoft Edge & Opera
Spreader (Social networks, PE Infection, Device propagation)
Reverse FTP (Silent file system ex-filtration) with backconnect
ATS-Engine (to-be integrated into web-injects), we will write our own
DDoS module (aimed for max efficiency/output like specific ddos bot)
Click Bot (CPM/PPC).

Heimdal Security published the full ad, in a blog post.

Is the Scylex Financial Crime Kit a real threat?

“So far, Scylex hasn’t been spotted in the wild, so the claims made in the advertisement posted on Lampeduza forum can’t be verified at the moment. However, both the video and the detailed description of what this new financial malware can do are strong evidence that the crime kit may indeed be real.” states the post published by Heimdal security.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Scylex malware kit, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.