The Trojan, dubbed "Bugat," targets Automated Clearing House (ACH) and wire transfer transactions by small- and mid-sized businesses in the U.S., much like the virulent Clampi Trojan that has stolen tens of millions of dollars.
According to SecureWorks researcher Jason Milletary, the Bugat Trojan includes features commonly found in malware used to commit credential theft for financial fraud:
- Internet Explorer (IE) and Firefox form grabbing
- Scrape or modify HTML for targeted sites
- Steal and delete IE, Firefox, and Flash cookies
- Steal FTP and POP credentials
- SOCKS proxy server (v4 and v5)
- Browse and upload files from the infected computer
- Download and execute programs
- Upload list of running processes
- Delete system files and reboot computer to render Windows unable to boot
The Trojan communicates with a remote command and control web server to receive commands and to exfiltrate stolen information.
As part of this process, the malware also receives a list of URL target strings used to monitor the victim’s web browser activity. These target strings indicate a strong interest in websites used for business banking and wire transfers. Bugat may also use HTTPS in an attempt to secure its command and control communications.
For more information on these types of attacks, see reporting by Brian Krebs on the WaPo SecurityFix blog.