Middle Income Malware Actors in Poland: VBKlip and Beyond
In the past year we have closely observed a new malware family attacking Polish online banking users. It exploited a simple observation: users tend not to check whether the text they paste is the same text they copied, especially when that text is a 26-digit bank account number. This malware started as a simple Visual Basic 6 application and then evolved into a more complex banking malware. While it still has a long way to go to become the next ZeuS or Citadel, it does impact users, and we are still getting signals that this is a problem.
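To make the copy/paste substitution concrete, here is an added Python example; it is not code from this post or from VBKlip itself, and the invoice text, account numbers and function names are constructed for illustration. It reduces the clipper to a string transform over clipboard contents and shows the two checks a defender has: the mod-97 checksum of a Polish 26-digit account number (NRB), which an attacker-owned account passes just as well, and comparing what was copied against what was pasted, which is the only check that actually catches the swap.

```python
from __future__ import annotations
import re

# Matches a Polish NRB as 26 contiguous digits or in the usual
# "CC BBBB BBBB BBBB BBBB BBBB BBBB" grouping (2 + 6x4 digits), space- or
# hyphen-separated. Lookarounds stop it matching inside a longer digit run.
NRB_RE = re.compile(r"(?<!\d)\d{2}(?:[ -]?\d{4}){6}(?!\d)")


def normalize(nrb: str) -> str:
    """Strip grouping characters so '06 1020 ...' and '061020...' compare equal."""
    return re.sub(r"[ -]", "", nrb)


def nrb_is_valid(nrb: str) -> bool:
    """IBAN mod-97 check for an NRB (a Polish IBAN without the leading 'PL').

    Rearranged as BBAN + 'PL' (P=25, L=21) + the two check digits, the
    resulting integer must be congruent to 1 modulo 97.
    """
    digits = normalize(nrb)
    if len(digits) != 26 or not digits.isdigit():
        return False
    return int(digits[2:] + "2521" + digits[:2]) % 97 == 1


def find_nrbs(text: str) -> list[str]:
    """All account numbers in a piece of text, normalized to 26 digits."""
    return [normalize(m.group(0)) for m in NRB_RE.finditer(text)]


def simulate_hijack(clipboard_text: str, attacker_nrb: str) -> str:
    """What a VBKlip-style clipper does, reduced to a string transform.

    Simulation for the example only: every account number found in the
    clipboard is replaced by the attacker's; everything else is left alone,
    so the pasted text still looks like the original invoice line.
    """
    return NRB_RE.sub(attacker_nrb, clipboard_text)


def detect_swap(copied: str, pasted: str) -> list[tuple[str, str]]:
    """The check the user (or a host agent watching the clipboard) should make:
    did any account number change between copy and paste?

    Returns (original, replacement) pairs; an empty list means nothing changed.
    A different count of account numbers is reported as a swap as well.
    """
    before, after = find_nrbs(copied), find_nrbs(pasted)
    if len(before) != len(after):
        return list(zip(before, after)) or [("", a) for a in after]
    return [(b, a) for b, a in zip(before, after) if b != a]


# Constructed sample data (assumed, not taken from a real incident): a payment
# line as a user would copy it, and an attacker-controlled account number.
# Both numbers pass the mod-97 check, so the checksum alone cannot tell them apart.
INVOICE_TEXT = "Przelew: 06 1020 0000 0000 0000 0000 0000 kwota 1200,00 PLN"
ATTACKER_NRB = "21 1140 2004 0000 0000 0000 0000"


def run_demo() -> dict:
    """Run the scenario end to end and return the observations for inspection."""
    pasted = simulate_hijack(INVOICE_TEXT, ATTACKER_NRB)
    return {
        "original_valid": all(nrb_is_valid(n) for n in find_nrbs(INVOICE_TEXT)),
        "pasted_valid": all(nrb_is_valid(n) for n in find_nrbs(pasted)),
        "swaps": detect_swap(INVOICE_TEXT, pasted),
    }


if __name__ == "__main__":
    result = run_demo()
    print("copied  :", INVOICE_TEXT)
    print("pasted  :", simulate_hijack(INVOICE_TEXT, ATTACKER_NRB))
    print("checksum passes on both:", result["original_valid"] and result["pasted_valid"])
    for original, replacement in result["swaps"]:
        print(f"SWAP DETECTED: {original} -> {replacement}")
```

The point of `run_demo` is the contrast: `pasted_valid` is true, because the attacker's account is a real, well-formed NRB, while `swaps` is non-empty only because the copied and pasted text were compared. A bank's form validation will never reject the substituted number; the comparison has to happen on the endpoint or in the user's head.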
This novel way to attack users was also attractive for copycats: aspiring malware authors who built small applications based on the same idea. According to VirusTotal, these applications were at first not detected by any antivirus solution, which can be attributed to their lack of network traffic or registry presence.
While these examples may not be mainstream banking malware, they provide some insight into what new, upcoming low-end banking trojans may do. What is also interesting is how these malware authors evolve: what their tactics are and what they are looking for. It also sheds some light on what can still be done with a small (or even no) budget.