Bankeiya Info-Stealer Trojan Used in Attacks Against Japanese Users

Location of computers connecting to Bankeiya C&C servers

Symantec experts have been monitoring the threat landscape in Japan. The country has witnessed a surge in malware designed to steal sensitive information over the past couple of years.

For instance, the number of incidents involving bank accounts increased to 1,315 in 2013, from 64 in the previous year. People have reported losing 1.4 billion yen ($14 million / €9.8 million) last year, compared to 2012 when only 48 million yen ($461,000 / €335,000) were lost to cybercriminals.

The most commonly used pieces of malware are Infostealer.Ayufos, Infostealer.Torpplar and Infostealer.Bankeiya. In a blog post published on Thursday, Symantec researchers analyzed the operations involving Bankeiya.

Bankeiya was spotted by researchers in February when cybercriminals exploited an unpatched Internet Explorer vulnerability to distribute the malware via drive-by attacks. The first version of the Trojan was launched sometime in October 2013.

In addition to the Internet Explorer vulnerability, the cybercriminals behind this piece of malware also leveraged Java SE flaws to infect computers.

Once it infects a device, Bankeiya harvests banking information and sends it back to the attackers.

Symantec has sinkholed the command and control servers used by the attackers to harvest information. They continued to monitor them to determine the number of victims. If the company hadn’t sinkholed the C&Cs, information could have been stolen from 20,000 computers in just one week in March. Most of the infected devices were located in Hong Kong.

Additional technical information on the Bankeiya infostealer is available on Symantec’s blog.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s