Bolek is a new banking trojan that has arisen from the leaked source code of the Carberp and Zeus banking trojans. The malware’s developers combined the two code bases to create a brand new threat, which is currently targeting customers of Russian banks.
Security researchers from CERT Poland (CERT-PL) first noticed the new trojan in May, while investigating a phishing campaign originating from their country, and observed a slight resemblance between Bolek and the KBot module of Carberp. A couple of days later, security experts from PhishMe expanded on CERT-PL’s findings with a comprehensive report on Bolek’s mode of operation, also pointing out the visible similarities between Bolek and Carberp.
Later on, more reports on the hybrid trojan followed. The first came from the Russian antivirus maker Dr.Web and the second from Arbor Networks, both at the start of June. Unlike the Arbor report, which focused on Bolek’s C&C server communications, the Dr.Web report included a breakdown of the trojan’s mode of operation, together with the similarities between Bolek, Carberp, and the much older Zeus banking trojan.
According to Dr.Web, the trojan is fully equipped for today’s banking environment. Bolek can steal login credentials from online banking applications by injecting itself into a Web browser’s process, take screenshots of the user’s screen, intercept Web traffic, log keystrokes, and create a local proxy server in order to transfer files out of the infected machine.
Bolek targets Microsoft Internet Explorer, Google Chrome, Opera, and Mozilla Firefox, and comes with an embedded copy of Mimikatz, a well-known password-dumping tool. The component Bolek borrowed from Carberp is a custom virtual file system, which the trojan uses to store the various files it needs for its operation and to hide them from security software.
From Zeus, Bolek borrowed its powerful Web injection mechanism, which allows it to hook into browser processes and take over the entire Web page when the user visits an online banking portal. The trojan can infect both 32-bit and 64-bit Windows machines, and, when instructed, it can open a reverse connection to the attacker via RDP (Remote Desktop Protocol).
Despite all these features, the most interesting one highlighted by Dr.Web researchers is a different capability. After infecting a target, Bolek’s operators can send a command to the trojan that activates a worm-like self-spreading mechanism, which lets the trojan spread to other files on the same filesystem or on USB drives.
In addition, Bolek can infect 32-bit or 64-bit Windows executables, which, if moved to other computers, can help the trojan spread to further targets.
“The main purpose of Trojan.Bolik.1 is to steal confidential information,” Dr.Web researchers stated. “[The] functions and architecture of Trojan.Bolik.1 are very sophisticated, which makes it really dangerous for Windows users.”