Malware operations come and go, and typically attackers are playing a numbers game by pursuing techniques for system infections on a large scale through spam campaigns and drive-by attacks via malicious websites. More insidious still are those that employ smaller scale, more targeted attacks. That seems to be the case with the Trojan.Stabuniq, which researchers have noted has not proliferated at at a high rate over the last year since its discovery, but has been seen to be focused on compromising systems in a fairly localized region in North America and appears to be specifically targeting banks, credit unions, and other financial institutions.
Trojan.Stabuniq uses a combination of sophisticated exploit kit tools in conjunction with a limited number of spam email phishing attacks which leads researchers at security provider Symantec to believe the malware is being employed in a stealthy campaign aimed at positioning the attackers for a widespread breach of the financial sector.
According to the analysis, the distribution infections by Trojan.Stabuniq shows that about half of the systems belong to individual private users, which is of little surprise. The researchers also noted that a little over ten percent of the unique IP addresses associated with the malware belong to security companies, ostensibly those who are also studying and monitoring the malware's activity - again, no surprise.
What does alarm the researchers is that a "staggering" 39% of the compromised systems belong to financial institutions, and the concentration of these infections is localized mainly in the north east region of the U.S.
"These financial institutions had their outer perimeter breached as the Trojan has been found on mail servers, firewalls, proxy servers, and gateways," the researchers stated. "The Trojan collects information from the compromised computer and then sends it to a command-and-control (C&C) server."
Specifically, the malware collects information regarding:
- Architecture type
- Computer name
- File name of the threat
- IP address
- Operating system version
- Operating system service pack version, if installed
- Running processes
Trojan.Stabuniq is designed to compromise systems running Windows 2000, Windows NT, and Windows XP, and once the malicious code is detected, it has proved relatively easy to remove. What puzzles the researchers is exactly what the endgame may be for the malware's designers.
"Overall, this Trojan has not infected many machines in the past year, is localized to the United States, and—given that close to 40 percent of its targets are financial institutions—at this stage we believe the malware authors may simply be gathering information," the researchers noted.
But gathering information for what? A massive identity theft operation? A wave of fraudulent fund transfers? A coordinated strike against the systems that govern the financial infrastructure of the nation?
At this point it is anyone's guess, but the time and effort involved in such a targeted campaign is indicative of what may be only the first stage in a larger operation that could pose a significant threat to the financial sector, consumers, and the economy on the whole if the functionalities of the malware were altered from mere data harvesting to something more perilous. Stay tuned.