FRAUD REPORT

BUGAT TROJAN JOINS THE MOBILE REVOLUTION
June 2013

RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat's developers managed to develop and deploy mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.

Bugat (aka Cridex) was discovered and sampled in the wild as early as August 2010. This privately-owned crimeware's earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat's operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to resort to developing a malware component that is already used by many mainstream banking Trojans in the wild.

BITMO: A LITTLE LATE IN THE GAME?

In somewhat tardy fashion, Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.

WEB INJECTIONS PAVE THE ROAD

Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android, BlackBerry or Symbian devices. iOS remains almost entirely exempt from this type of malware, since Apple's policy limits app downloads from third-party sites.

Bugat's operators are not doing anything novel. Much as observed in the case of Citadel-in-the-Mobile (which emerged in May 2012), the malware's developers created classic web injections, albeit very visually appealing ones, designed to show up on the client side and communicate social engineering messages to the victim.

When Bugat-infected online banking customers access their financial provider's login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim, and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.

The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device, thereby pairing the infected PC with the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone's audio alerts, and forwarding the relevant messages to its operators' drop zones. Bugat's entrance to the mobile space only demonstrates the increasing use of SMS-forwarders as part of Trojan-facilitated fraud.

IN-THE-MOBILE MALWARE EVERYWHERE

Although the injection set created by Bugat's developers, as well as the distribution mechanism designed for delivering the Android (APK) and BlackBerry OS BitMo apps, are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS-forwarders in their criminal operation.
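The SMS-relay behaviour described above (read the incoming bank text, hide it from the user, forward it to a drop zone) leaves a recognisable footprint in an Android app's manifest, which is what an analyst triaging a suspected ZitMo/SPitMo/CitMo/BitMo sample would check first. The script below is an added example and is not RSA's tooling, nor is it derived from BitMo's actual code: it parses a decoded AndroidManifest.xml and flags apps that combine RECEIVE_SMS, an exfiltration channel (INTERNET or SEND_SMS) and an SMS_RECEIVED receiver registered at high priority, the combination that lets an app see the ordered SMS broadcast before the stock messaging app and abort it (on Android releases before 4.4 that conceals the message entirely). The priority threshold, the package names and both sample manifests are constructed for this illustration.

```python
"""Heuristic triage for Android SMS-forwarder apps of the ZitMo/SPitMo/CitMo/BitMo type.

Added example, not RSA's tooling and not BitMo's actual manifest. It looks for the
manifest pattern such a forwarder needs in order to read, conceal and relay a
bank's one-time code:
  * android.permission.RECEIVE_SMS plus a way out (INTERNET or SEND_SMS), and
  * a BroadcastReceiver for android.provider.Telephony.SMS_RECEIVED whose
    intent-filter carries a high android:priority, so it handles the ordered
    broadcast before the stock SMS app and can abort it (before Android 4.4 that
    hides the text from the user entirely).
The HIGH_PRIORITY threshold and both sample manifests are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 100  # assumption: default priority is 0; ordinary apps rarely go above this


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyse_manifest(manifest_xml):
    """Return findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []  # (receiver class, priority) for every SMS_RECEIVED listener
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED not in actions:
                continue
            raw = _attr(flt, "priority")
            try:
                prio = int(raw) if raw is not None else 0
            except ValueError:
                prio = 0  # "@integer/..." resource refs would need the APK's resources
            sms_receivers.append((_attr(receiver, "name"), prio))

    can_read = "android.permission.RECEIVE_SMS" in perms
    can_exfil = bool(perms & {"android.permission.INTERNET", "android.permission.SEND_SMS"})
    can_preempt = any(prio >= HIGH_PRIORITY for _, prio in sms_receivers)
    return {
        "package": root.get("package"),
        "sms_receivers": sms_receivers,
        "can_read_sms": can_read,
        "can_exfil": can_exfil,
        "can_preempt_sms_app": can_preempt,
        "sms_forwarder_pattern": can_read and can_exfil and can_preempt,
    }


# Constructed sample: a "security update" that grabs texts ahead of the real SMS app.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Security Update">
    <receiver android:name=".SmsGrabber">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a messaging app that also listens for SMS, but at default priority.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Messenger">
    <receiver android:name=".IncomingSmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        findings = analyse_manifest(sample)
        verdict = "SMS-forwarder pattern" if findings["sms_forwarder_pattern"] else "no match"
        print(findings["package"], "->", verdict, findings["sms_receivers"])
```

The check is a triage heuristic, not proof of malice: some legitimate messaging and anti-spam apps also register SMS_RECEIVED at high priority, so a hit should be followed by looking at what the receiver does with the message (abortBroadcast(), ringer-mode changes, outbound HTTP or SMS carrying the text body), which is where the concealment and relay behaviour described above actually lives.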
Phishing Attacks per Month

RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.

Number of Brands Attacked

In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.

Phishing attacks and brands attacked per month, May 2012 to May 2013 (Source: RSA Anti-Fraud Command Center)

  Month    Phishing attacks   Brands attacked
  May 12             37,878               298
  Jun 12             51,906               259
  Jul 12             59,406               242
  Aug 12             49,488               290
  Sep 12             35,440               314
  Oct 12             33,768               269
  Nov 12             41,834               284
  Dec 12             29,581               257
  Jan 13             30,151               291
  Feb 13             27,463               257
  Mar 13             24,347               260
  Apr 13             26,902               311
  May 13             36,966               351
Top Countries by Attack Volume

The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India together accounted for about one-quarter of attack volume.

Share of phishing attack volume by targeted country, May 2013 (Source: RSA Anti-Fraud Command Center)

  Country              Share of attack volume
  U.S.                                    50%
  United Kingdom                          11%
  South Africa                             5%
  Netherlands                              5%
  Canada                                   5%
  Australia                                5%
  India                                    4%
  50 other countries                      15%

US Bank Types Attacked

U.S. nationwide banks maintained the highest volume of phishing in May, while regional banks saw their share of phishing volume rise seven percentage points, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.

Share of U.S. phishing volume by bank type, May 2012 to May 2013 (Source: RSA Anti-Fraud Command Center)

  Month    Nationwide banks   Regional banks   Credit unions
  May 12               62%              18%             20%
  Jun 12               78%              12%             10%
  Jul 12               74%              15%             11%
  Aug 12               74%              15%             11%
  Sep 12               77%              14%              9%
  Oct 12               77%              14%              9%
  Nov 12               79%               9%             12%
  Dec 12               79%              15%              6%
  Jan 13               70%              15%             15%
  Feb 13               69%              23%              8%
  Mar 13               60%              23%             17%
  Apr 13               73%              12%             15%
  May 13               73%              19%              8%
Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by 9% of phishing volume, followed by brands in India, China and Brazil.

Share of phishing volume by country of the attacked brand, May 2013 (Source: RSA Anti-Fraud Command Center)

  Country              Share of attacked brands
  U.S.                                      30%
  United Kingdom                             9%
  India                                      6%
  China                                      4%
  Brazil                                     4%
  Canada                                     4%
  France                                     4%
  50 other countries                        39%

Top Hosting Countries

The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.

Share of phishing attacks by hosting country, May 2013 (Source: RSA Anti-Fraud Command Center)

  Country              Share of hosted attacks
  U.S.                                     47%
  Germany                                   8%
  United Kingdom                            5%
  Netherlands                               4%
  France                                    3%
  Canada                                    3%
  61 other countries                       30%