new mutation of yaludle/silentbanker rootkit in the wild

We were analyzing an interesting piece of malware today, a recent mutation of the yaludle/silentbanker trojan with rootkit capabilities.

This rootkit is typically installed via drive-by downloads.

It targets financial institutions worldwide (with a focus on the US, Germany, Spain and Australia) and, like the silentbanker versions before it, it can successfully circumvent Two-Factor Authentication, which is why quite a few banks with 2FA solutions are targeted.

The trojan operates in two modes:

  1. completely silent (typically for banks with just username/password): it just “uploads” the collected information in real time, encrypted, to a malicious host
  2. it dynamically (in real time) injects malicious HTML elements into the bank’s website to collect additional information. These malicious HTML elements appear within the bank’s own site, so nobody (not even security experts) can spot anything suspicious.

As we would have expected, virtually no antivirus engines were detecting this rootkit (1/36, 2.78%, http://www.virustotal.com/analisis/756098da62febc1ae372f947e2b62184)

This is the original Citibank site when someone tries to log in with a wrong username/password (so no yaludle/silentbanker here):

[Screenshot: original Citibank login error page]

This is the Citibank site in exactly the same scenario, this time with yaludle/silentbanker active. (Note the yellow padlock and the correct URL!!!)

[Screenshot: Citibank login error page with yaludle/silentbanker active]

How to detect this Rootkit

This rootkit creates the following registry value under the Drivers32 key, so a machine can be considered infected if this value is present:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
wave1 = "<RANDOM>1.CPX"

Also, the <RANDOM>1.CPX file is present in the C:\WINDOWS\SYSTEM32 directory.
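As an added example (not code from the original post), here is a PowerShell check for the indicator above on a local machine. It assumes the value lives under Drivers32 (and, on 64-bit Windows, also under WOW6432Node, which the post does not mention) and matches the random prefix with a pattern rather than a fixed name.

```powershell
# Added example, not part of the original post: look for a Drivers32 value whose
# data ends in "1.CPX" (the indicator described above) and report whether the
# referenced file exists in the system directory, with its SHA-256 for triage.
# Assumption: the WOW6432Node path is included for 64-bit hosts.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)
$sysDir = Join-Path $env:SystemRoot 'System32'
$hits = @()

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own PS* metadata properties (PSPath, PSDrive, ...)
        if ($p.Name -like 'PS*') { continue }
        $data = [string]$p.Value
        # Drivers32 entries normally point to .drv/.dll/.acm files; a name ending
        # in "1.CPX" matches the indicator from the post (-match is case-insensitive).
        if ($data -match '1\.cpx$') {
            # The data may be a bare file name (resolved in System32) or a full path
            if ([IO.Path]::IsPathRooted($data)) { $file = $data }
            else { $file = Join-Path $sysDir $data }
            $exists = Test-Path $file
            $hits += [pscustomobject]@{
                Key    = $key
                Value  = $p.Name
                Data   = $data
                File   = $file
                Exists = $exists
                Sha256 = if ($exists) { (Get-FileHash -Path $file -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Drivers32 value matching the *1.CPX indicator was found.'
} else {
    $hits | Format-List
}
```

Run it from an elevated prompt so the file hash can be read; a hit with Exists = True is the case the post describes, while a value pointing at a missing file still deserves a look.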

TrustDefender

All TrustDefender users (most notably all of our enterprise customers) are protected, as TrustDefender’s Secure Lockdown makes sure that no personal information leaves the computer: it only allows internet requests to the bank’s website.

All TrustDefender users are also protected for all banks that are part of our Financial Trust Network (see http://www.trustdefender.com/lang-en/support-portal/knowledge-base/knowledge-base-article?id=50120000000DB0q)

More information

Please contact us at support@trustdefender.com if you want to know whether your financial institution is affected or if you need more information.

4 thoughts on “new mutation of yaludle/silentbanker rootkit in the wild”

  1. @anonymous: well, the problem is that the trojan controls the session and the content you are seeing is NOT from the bank. So in this sense mutual https authentication does not help much, as the form where the confidential information is lost is not the real deal.

  2. Hello, I was looking around for a while searching for rootkit and I happened upon this site and your post regarding new mutation of yaludle/silentbanker rootkit in the wild, I will definitely add this to my rootkit bookmarks!

  3. The link to the Knowledge base article does not work. Bank said I was infected with Yaludle virus. Everything I checked said that I was not. Virus scans by several companies found nothing. Rootkit scans found nothing. Searched for registry keys mentioned in this article and nothing found.
    I think it was a false positive that caused a lot of work for nothing.
