rsa monthly online fraud report - june 2013


Upload: emc

Post on 12-Apr-2017


FRAUD REPORT

BUGAT TROJAN JOINS THE MOBILE REVOLUTION

June 2013

RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat’s developers have developed and deployed mobile malware designed to hijack out-of-band authentication codes sent to bank customers via text messages.

Bugat (aka Cridex) was discovered and sampled in the wild as early as August 2010. This privately-owned crimeware’s earlier targets were business and corporate accounts, its operators attempting high-value transactions ($100K-$200K USD per day) in both automated and manual fraud schemes. It is very likely that Bugat’s operators started seeing a diminished ability to target high-value accounts due to added authentication challenges, forcing them to develop a malware component that is already used by many mainstream banking Trojans in the wild.

BITMO: A LITTLE LATE IN THE GAME?

In somewhat tardy fashion, Bugat joins the lineup of banking malware that makes use of SMS-capturing mobile apps. The first occurrences of such malware were observed in use by Zeus and SpyEye Trojan variants, which were respectively dubbed ZitMo and SPitMo (Zeus-in-the-Mobile, SpyEye-in-the-Mobile). In mid-2012, RSA coined the name CitMo to denote the Citadel breed of in-the-Mobile activity. The fourth Trojan for which malicious apps were discovered was Carberp in early 2013, and with this case, Bugat is the most recent banking Trojan to have its own SMS-forwarding app, now coined BitMo.

WEB INJECTIONS PAVE THE ROAD

Among other banking Trojan features, Bugat comes with a set of HTML injections for online banking fraud and possesses Man-in-the-Browser script functionality. This very feature is what allows it to interact with victims in real time and lead them to download the BitMo mobile malware to their Android/BlackBerry/Symbian devices. iOS remains almost entirely exempt from this type of malware since Apple’s policy limits app downloads from third-party sites.

Bugat’s operators are not doing anything novel. Much as observed in the case of Citadel-in-the-Mobile (which emerged in May 2012), the malware’s developers created classic web injections, albeit very visually appealing, designed to show up on the client side and communicate social engineering messages to the victim.

When Bugat-infected online banking customers access their financial provider’s login page, the Trojan is triggered to dynamically pull a relevant set of injections from the remote server, display them to the victim and lead them to the BitMo download under the guise of AES encryption being adopted by the bank.

The malware requests application permissions linked with the SMS relay, while the next injection on the PC side requests that the victim enter a code appearing on the mobile device – connecting the infected PC and the mobile handset. Once installed and deployed, BitMo begins hijacking and concealing incoming text messages from the bank, disabling the phone’s audio alerts, and forwarding the relevant messages to its operators’ drop zones. Bugat’s entrance to the mobile space only demonstrates the increasing use of SMS-forwarders as part of Trojan-facilitated fraud.

IN-THE-MOBILE MALWARE EVERYWHERE

Although the injection set created by Bugat’s developers, as well as the distribution mechanism designed for delivering APK/BlackBerry OS BitMo apps, are indeed sophisticated, the actual malware apps are rather basic and show no innovation. That being said, it is very clear that all banking Trojans, both commercial and privately operated codes, are increasingly making use of SMS-forwarders in their criminal operation.


Phishing Attacks per Month

RSA identified 36,966 phishing attacks launched worldwide in May, marking a 37% increase in attack volume. Trending data shows that a rise in phishing attacks typically occurs in Q2.

Number of Brands Attacked

In May, 351 brands were targeted in phishing attacks, marking a 13% increase. Two new entities suffered their first attack in May.

(Chart: Phishing Attacks per Month, May 2012 to May 2013. Source: RSA Anti-Fraud Command Center)

Month    Attacks
May 12   37878
Jun 12   51906
Jul 12   59406
Aug 12   49488
Sep 12   35440
Oct 12   33768
Nov 12   41834
Dec 12   29581
Jan 13   30151
Feb 13   27463
Mar 13   24347
Apr 13   26902
May 13   36966

(Chart: Number of Brands Attacked per Month, May 2012 to May 2013. Source: RSA Anti-Fraud Command Center)

Month    Brands
May 12   298
Jun 12   259
Jul 12   242
Aug 12   290
Sep 12   314
Oct 12   269
Nov 12   284
Dec 12   257
Jan 13   291
Feb 13   257
Mar 13   260
Apr 13   311
May 13   351

Top Countries by Attack Volume

The U.S. remained the country most targeted by phishing in May, absorbing 50% of the total phishing volume. The UK held steady, once again recording 11% of attack volume. South Africa, the Netherlands, Canada, Australia, and India accounted for about one-quarter of attack volume.

(Chart: Top Countries by Attack Volume, May 2013)

U.S. 50%
United Kingdom 11%
South Africa 5%
Netherlands 5%
Canada 5%
Australia 5%
India 4%
50 Other Countries 15%

US Bank Types Attacked

U.S. nationwide banks maintained the highest volume of phishing in May while regional banks saw a 7% increase in phishing volume, from 12% to 19%. Since February, the attack volumes targeting regional banks and credit unions have fluctuated quite a bit.

(Chart: US Bank Types Attacked, share of phishing volume per month, May 2012 to May 2013. Source: RSA Anti-Fraud Command Center)

Month    Nationwide   Regional   Credit unions
May 12   62%          18%        20%
Jun 12   78%          12%        10%
Jul 12   74%          15%        11%
Aug 12   74%          15%        11%
Sep 12   77%          14%        9%
Oct 12   77%          14%        9%
Nov 12   79%          9%         12%
Dec 12   79%          15%        6%
Jan 13   70%          15%        15%
Feb 13   69%          23%        8%
Mar 13   60%          23%        17%
Apr 13   73%          12%        15%
May 13   73%          19%        8%

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing among worldwide brands, absorbing 30% of phishing volume in May. UK brands were targeted by one-tenth of phishing volume followed by India, China and Brazil.

(Chart: Top Countries by Attacked Brands, May 2013)

U.S. 30%
United Kingdom 9%
India 6%
Brazil 4%
Canada 4%
China 4%
France 4%
50 Other Countries 39%

Top Hosting Countries

The U.S. remained the top hosting country in May, hosting 47% of global phishing attacks. Germany was the second top hosting country with 8% of attacks hosted within the country, followed by the UK, the Netherlands, France, and Canada.

(Chart: Top Hosting Countries, May 2013)

U.S. 47%
Germany 8%
United Kingdom 5%
Netherlands 4%
France 3%
Canada 3%
61 Other Countries 30%

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JUN RPT 0613