Bugat Trojan Discovered

The Zbot botnet that spreads the Zeus Trojan has been detected distributing a new banking Trojan — one that researchers say may serve criminals as a lower-cost alternative to the popular Zeus and Clampi malware kits.

The Zeus and Clampi Trojans have focused on stealing financial credentials from bank customers. The new Bugat Trojan, discovered by SecureWorks, appears to be aimed at business customers of large and midsize banks. It is built for attacks on automated clearinghouse (ACH) and wire transfer transactions for check and payment processing.

Bugat shares some of the features of other banking Trojans, but it uses an SSL-encrypted command and control (C&C) infrastructure via HTTPS, and also seeks FTP and POP credentials. Its capabilities include:

  • Grabs forms from Internet Explorer and Firefox
  • Scrapes or modifies HTML for targeted sites
  • Steals FTP and POP credentials
  • Steals and deletes IE, Firefox, and Flash cookies
  • Allows browsing and uploading of files from victim machines
  • Permits download and execution of code
  • Provides a SOCKS proxy server (v4 and v5)
  • Uploads a list of running processes
  • Can also delete system files and cause reboots, making Windows unbootable