Research findings from IBM indicate that the number of financial institutions targeted by the SpyEye Trojan is growing. In parallel with this, our risk analysis teams have also observed an increase in the number of countries where financial institutions are being targeted by fraudsters using this Trojan.

Analyzing this malware’s command-and-control (C&C) centers, which the risk analysis team at IBM reviews every month, revealed that 60 percent of the SpyEye bots target financial institutions in the U.S. This is followed by the U.K. (53 percent), Canada (31 percent), Germany (29 percent) and Australia (20 percent).

Interestingly enough, the percentage of bots targeting Canadian banks more than doubled from 14 percent in May 2011 to 31 percent the following month.

Other destinations targeted by more than 10 percent of these bots include Italy, Ireland, UAE, Spain, Costa Rica, France, Turkey, India, Jordan, Russia and Portugal.

Meanwhile, SpyEye continues to expand its hit list. In May, it added targets in the Middle East to include Saudi Arabia, Bahrain and Oman. In June, financial institutions in Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru faced attacks. Russia is also a relatively new addition to the target list.

It is worth noting that the fraud patterns used here differ somewhat from those used by Zeus and other financial malware. Specifically, our risk analysis teams have observed new code being incorporated into the Trojan that is designed to evade transaction-monitoring systems.

Transaction-monitoring systems analyze various aspects of the customer’s session with the bank in order to detect abnormal behavior that may be attributed to malware activity.
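To make the paragraph above concrete, here is a small session scorer of the kind a transaction-monitoring system runs. It is an added example, not code from the original article or from IBM; the event fields, the per-customer baseline, the indicator weights and the sample sessions are all constructed for illustration. The point it shows is that a session is judged on several behavioural signals together (time from login to transfer, whether the payee and device were seen before, how much of the site the customer actually navigated), so a single indicator such as a new payee does not by itself trigger an alert.

```python
"""Toy transaction-monitoring scorer for one online-banking session.

Added example (not the article's or IBM's code). All field names, weights
and sample data below are constructed; a production system would learn
the baseline per customer from history rather than hard-code it.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Baseline:
    """What is normal for this customer, derived from past sessions."""
    known_payees: Set[str]
    typical_max_amount: float          # largest transfer seen before
    median_login_to_transfer_s: float  # how long a transfer usually takes
    known_devices: Set[str]


@dataclass
class Session:
    """Facts observed about one authenticated session."""
    device_id: str
    login_to_transfer_s: float  # seconds from login to transfer submission
    payee: str
    amount: float
    navigation_pages: int       # pages viewed between login and transfer


def score_session(s: Session, b: Baseline) -> Dict[str, float]:
    """Return every anomaly indicator that fired, keyed to its weight."""
    fired: Dict[str, float] = {}
    if s.device_id not in b.known_devices:
        fired["new_device"] = 0.3
    if s.payee not in b.known_payees:
        fired["new_payee"] = 0.3
    if s.amount > b.typical_max_amount:
        fired["amount_above_history"] = 0.2
    # A transfer submitted far faster than this customer ever manages is
    # more consistent with automation than with a person reading pages.
    if s.login_to_transfer_s < 0.25 * b.median_login_to_transfer_s:
        fired["transfer_too_fast"] = 0.3
    if s.navigation_pages <= 1:
        fired["no_navigation"] = 0.2
    return fired


def risk(s: Session, b: Baseline, threshold: float = 0.5) -> Tuple[float, bool, List[str]]:
    """Combine fired indicators into a capped score and an alert decision."""
    fired = score_session(s, b)
    total = min(1.0, sum(fired.values()))
    return total, total >= threshold, sorted(fired)


# Constructed sample data for one customer.
BASELINE = Baseline(
    known_payees={"rent-landlord", "utility-co"},
    typical_max_amount=1500.0,
    median_login_to_transfer_s=180.0,
    known_devices={"dev-a1"},
)

# A routine bill payment: known device, known payee, human pacing.
NORMAL = Session("dev-a1", 210.0, "utility-co", 120.0, 4)

# A single unusual fact (new payee) on an otherwise normal-looking session.
NEW_PAYEE_ONLY = Session("dev-a1", 200.0, "new-plumber", 100.0, 3)

# Same known device (the customer's own machine), but the transfer is
# submitted in seconds, to an unseen payee, with no browsing in between.
SUSPICIOUS = Session("dev-a1", 12.0, "unseen-account-constructed", 1450.0, 1)


if __name__ == "__main__":
    for name, sess in [("normal", NORMAL), ("new payee only", NEW_PAYEE_ONLY),
                       ("suspicious", SUSPICIOUS)]:
        total, alert, reasons = risk(sess, BASELINE)
        print(f"{name:15s} score={total:.2f} alert={alert} reasons={reasons}")
```

Note that the suspicious session comes from the customer's own known device and stays under the historical amount ceiling; it is the combination of pacing, missing navigation and an unseen payee that raises the score past the alert threshold.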

These fraud developers appear to have figured out how these defenses operate and are now constantly trying to ensure their code activity flies under the radar of these threat protection and detection systems. The code seems to follow Agile software development practices: It is flexibly and simply coded, and new configurations are being rolled out as quickly as possible by its developers.

At certain times, we have even seen two new versions of the malware released every week. There is a large difference between a new version and a simple variant of financial malware. A new version means that the program code itself has been modified, whereas a new variant is just new packing around the same code.

Some of the changes that our risk analysis teams are seeing include very significant improvements to the malware’s core technology. The author’s ability to rapidly react and improve the software should be a major concern to anyone who already is — or who may be — on SpyEye’s target list.

SpyEye and Its Rapid Rise to Prominence

Although it seems much older, this malware toolkit surfaced less than two years ago in December 2009. Over the last 18 months, it has made several headlines, especially when it was revealed that the development team behind the malware was effectively merging it with that of the older Zeus code.

From the very beginning, SpyEye has been a highly aggressive Trojan. Interestingly, early versions of the malware included a feature to remove Zeus from an infected host machine.

This feature was, of course, in place to ensure that SpyEye is the only financial malware on the infected computer. We have covered SpyEye a few times before in our blog. Therefore, the evolution of the malware toolkit is not surprising.

Overall, financial institutions should monitor developments in the SpyEye toolkit, paying close attention to the attack vectors that target their own brand as well as new attacks that target other financial institutions.

The intelligence from this process should be included in the financial institution’s security controls, such as anomaly detection and endpoint protection. The ability to react quickly to SpyEye’s changes in pattern is key to an effective fraud prevention architecture.
