Trojans & Exploit Kits

Exploit. Angler. Nuclear. Doesn’t matter what they’re called, they always deliver. I’ll try to track these here as they keep evolving, using links to sources with more detailed information.


Zeus Sphinx Trojan (Jan 2017)
Originally identified in Aug 2016 attacking Brazilian banks, the trojan's activity then died down. IBM X-Force recently identified new, targeted attacks against online users of banks, and especially credit unions, in Canada and Australia. In the article written by malware hunter Limor Kessem, these are “low-volume testing, not full-blown infection campaigns. The malware’s operators appear to be looking very carefully to determine which geographies offer the paths of least resistance.” According to X-Force, the attackers are using the same attack servers that facilitated the Zeus Citadel and Ramnit attacks in 2016, and the webinjections share similar code patterns with other banking Trojans.


Note how credit unions are the main target; they are apparently low-hanging fruit from a security standpoint.

Switcher Android Trojan (Dec 2016)
Per Kaspersky: “Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). Why does it matter: routers don’t browse websites, so where’s the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings one can control almost all the traffic in the network served by this router.”
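The practical defensive check that follows from the Switcher description is simple: look at which DNS resolvers the router handed your clients and ask whether they are the ones you expect (the router itself, or resolvers you deliberately configured), or an outside address nobody configured. The script below is an added example, not code from the original post or from Kaspersky. It parses resolv.conf-style text, classifies each resolver relative to a gateway address, a LAN prefix and an allowlist, and flags anything that does not fit. The allowlist `TRUSTED_RESOLVERS`, the `SAMPLE_RESOLV_CONF` text and every address in it are constructed sample values, not indicators from any real campaign.

```python
"""Audit the DNS resolvers a client received from its router/DHCP.

Added example (not from the original post or from Kaspersky). A router
that has had its DNS settings hijacked will hand clients resolver
addresses that are neither the router itself nor anything the network
owner configured; this script makes that visible. All addresses are
constructed sample values.
"""
import ipaddress
from typing import List, Tuple

# Constructed allowlist: resolvers the network owner actually operates or
# deliberately uses. Replace with your own.
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Constructed resolv.conf as a DHCP client might write it. The second
# nameserver is the kind of entry a hijacked router would push.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.10
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(server: str, gateway: str, lan_cidr: str, trusted=None) -> str:
    """Label one resolver address.

    gateway          -> the router forwards DNS itself; the usual default
    trusted          -> on the allowlist
    unknown-lan      -> inside the LAN prefix but not on the allowlist
    unknown-external -> outside the LAN and not configured by anyone:
                        the pattern a hijacked router produces
    invalid          -> not an IP address at all
    """
    trusted = TRUSTED_RESOLVERS if trusted is None else trusted
    try:
        addr = ipaddress.ip_address(server)
        gw = ipaddress.ip_address(gateway)
        lan = ipaddress.ip_network(lan_cidr, strict=False)
    except ValueError:
        return "invalid"
    if addr == gw:
        return "gateway"
    if server in trusted:
        return "trusted"
    if addr in lan:
        return "unknown-lan"
    return "unknown-external"


def audit(resolv_text: str, gateway: str, lan_cidr: str,
          trusted=None) -> List[Tuple[str, str]]:
    """Classify every resolver found in the given resolv.conf text."""
    return [(s, classify(s, gateway, lan_cidr, trusted))
            for s in parse_resolv_conf(resolv_text)]


def suspicious(results: List[Tuple[str, str]]) -> List[str]:
    """Resolvers that warrant a look at the router's DNS settings."""
    return [s for s, verdict in results
            if verdict in ("unknown-external", "unknown-lan", "invalid")]


if __name__ == "__main__":
    # Constructed LAN: router at 192.168.1.1 serving 192.168.1.0/24.
    results = audit(SAMPLE_RESOLV_CONF, "192.168.1.1", "192.168.1.0/24")
    for server, verdict in results:
        print(f"{server:16} {verdict}")
    flagged = suspicious(results)
    if flagged:
        print("Check the router's DNS settings; unexpected resolvers:", flagged)
```

On a real host the text would come from `/etc/resolv.conf` or the DHCP lease file, and the gateway and LAN prefix from the routing table. An `unknown-lan` hit is usually a resolver someone on the LAN set up on purpose; an `unknown-external` hit is the case worth treating as a possible DNS hijack until the router's admin page says otherwise.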