Research into the URLZone banking Trojan has found sophisticated code designed to root out machines run by researchers.
The cybercriminals behind the URLZone banking Trojan have upped the ante in the cat-and-mouse game white hat security researchers are playing as they target and try to shut down black hat malware coders.
The URLZone banking Trojan has been a highly successful piece of malware. Like other banking Trojans, it dupes bank account holders into giving up their credentials and transferring gobs of money into overseas accounts held by cybercriminals by pushing out “mule” account information alongside bogus account balances.
But security researchers had been hot on their trail, shutting down fraudulent accounts and notifying banks of the Trojan’s spread. Knowing that their fraudulent accounts were close to being shut down, the cybercriminals designed server-side code that prevents the extraction of the gang’s genuine mule accounts, according to the RSA FraudAction Research Lab.
In a blog posting Monday, researchers at RSA described a sophisticated coding technique designed by black hat coders to root out security researchers and send them on a wild goose chase. The goal is to keep researchers off the money trail so the operation can continue to harvest gobs of money.
Instead of displaying the details of URLZone’s genuine mule accounts, this piece of code delivers the details of more than 400 (and counting) legitimate accounts that do not belong to the gang’s mules. The code is clearly URLZone’s most unique attribute, and speaks to its operators’ caution against having their criminal pipelines compromised.
The RSA researchers go on to describe how the code works. For now the list of genuine accounts — designed to trick the researchers — is growing. But as we’ve seen before, once researchers get a handle on the tricks cybercriminals use to avoid detection, the cybercriminals turn to a new method. And the cat-and-mouse game continues.