July 26, 2011 By Mickey Boodaei 3 min read

Research findings from IBM indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using this Trojan.

Analyzing this malware’s command-and-control (C&C) centers, which the risk analysis team at IBM reviews every month, revealed that 60 percent of the SpyEye bots target financial institutions in the U.S. This is followed by the U.K. (53 percent), Canada (31 percent), Germany (29 percent) and Australia (20 percent).

Interestingly enough, the percentage of bots targeting Canadian banks more than doubled from 14 percent in May 2011 to 31 percent the following month.

Other destinations targeted by more than 10 percent of these bots include Italy, Ireland, UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia and Portugal.

Meanwhile, SpyEye continues to expand its hit list. In May, it added targets in the Middle East to include Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru faced attacks. Russia is also a relatively new addition to the target list.

It is worth noting that the fraud patterns used here are somewhat different than those used by Zeus and other financial malware. Specifically, our risk analysis teams have observed new code being incorporated into the Trojan that is designed to evade transaction-monitoring systems.

Transaction-monitoring systems analyze various aspects of the customer’s session with the bank in order to detect abnormal behavior that may be attributed to malware activity.

These fraud developers appear to have figured out how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these threat protection and detection systems. The code seems to follow Agile software development practices: It is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers.

At certain times, we have even seen two new versions of the malware released every week. There is a large difference between a new version and a simple variant of financial malware. A new version means that the program code itself has been modified, whereas a new variant is just new packing around the same code.

Some of the changes that our risk analysis teams are seeing include very significant improvements to the malware’s core technology. The author’s ability to rapidly react and improve the software should be a major concern to anyone who already is — or who may be — on SpyEye’s target list.

SpyEye and Its Rapid Rise to Prominence

Although it seems much older, this malware toolkit surfaced less than two years ago in December 2009. Over the last 18 months, it has made several headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code.

From the very beginning, SpyEye has been a highly aggressive Trojan. Interestingly, early versions of the malware included a feature to remove Zeus from an infected host machine.

This feature was, of course, in place to ensure that this is the only financial malware on the infected computer. We have covered SpyEye a few times before in our blog. Therefore, the evolution of the malware toolkit is not surprising.

Overall, financial institutions should monitor development in the SpyEye toolkit, paying close attention to its attack vectors that target their brand as well as new attacks that target other financial institutions.

The intelligence from this process should be included in the financial institution’s security controls, such as anomaly detection and endpoint protection. The ability to react quickly to SpyEye’s changes in pattern is key to an effective fraud prevention architecture.

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today