Banking trojan used in a second round attack against Bundestag

June 18, 2015  By Pierluigi Paganini


Security researchers at the GData security firm discovered a second stage of the cyber attack on the German Bundestag that exploited a banking trojan to steal data.

In the last weeks, I have reported the various news related to the cyber attack against the Bundestag and a possible involvement of Russian state-sponsored hackers. The media reported that hackers used a sophisticated malware difficult to eradicate from more than 20,000 computers belonging to the German Bundestag.

Security experts at security firm GData spotted a second round of the cyber attack on the German parliament Bundestag, the attackers used a variant of the online banking trojan Swatbanker.

The Swatbanker is a data stealer malware that gathers various kinds of data from the infected machine, including data entered by users into forms and list of last web sites visited by the victims.

The researchers discovered that the operators behind the Swatbanker botnet have integrated new filter functions for the domain “Bundestag.btg,”which is the address of the German parliament’s intranet, between 8 and 10 June 2015.

Bundestag 2

“At the current time it is unclear whether this is a new, criminally motivated attack or a continuation of the attacks that came to light at the end of May 2015. The G DATA analyses show that new variants of the online banking Trojan Swatbanker have been used. Investigation of the configuration files embedded in the malware has shown that the operators of the Swatbanker botnet integrated new filter functions for the domain “Bundestag.btg” between 8 and 10 June 2015. This is the address for the Bundestag’s intranet.” states the Blog post published by GDATA.

The experts have no evidence that this new wave of attack is linked to the previous one or that it is conducted by a criminally motivated group.

“According to initial analyses, we can assume this is a criminally motivated attack. However, it must also be said that it might be an extension of an existing attack that is simply disguising itself as an “eCrime” copycat.” said Ralf Benzmüller, head of G DATA Security Labs.

“Such data can then be used to attack the relevant server directly,” assesses Ralf Benzmüller.

GData published a technical report related to the last discovery related about the attacks on the German Federal Parliament (Bundestag).

Pierluigi Paganini

(Security Affairs –  State Sponsored hacking, Bundestag)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

More than 600 million Samsung S devices open to hack

 More than 600 million Samsung S devices could be opened to cyber attacks because a flaw in the validation of language pack...