The botnet mainly targets users from Germany and the Netherlands

Jan 19, 2013 16:41 GMT

Researchers from Dutch security firm Fox-IT have published a detailed report on the botnet known as Pobelka, a threat that mainly targets users from Germany and the Netherlands.

Pobelka is a medium-size botnet, and it’s one of the many threats currently active in the Netherlands.

The masterminds behind Pobelka rely on the Citadel Trojan to steal sensitive information, particularly online banking details. Before they started using Citadel in February 2012, they relied on another notorious piece of malware, SpyEye.

The attackers use a kit called Bentpanel, which was also spotted in cybercriminal campaigns that targeted US banks back in 2011.

“The actual Bentpanel attack was offered both as a service on a hosted infrastructure, but also was separately sold as a kit which an attacker could install on his own server. The purpose of the attack is to allow account hijacking, a technique which is far from new and was used to attack banks using two factor transaction signing as far back as 2007,” the report notes.

Experts say the mastermind of the botnet uses the online handle “Finist.” They believe he mainly sells the banking information he collects but, on some occasions, also performs fraudulent transfers himself.

“Lately we have not observed any activity directly tied to Finist, however he is still active on Jabber so possibly he has found himself some new targets to attack,” the experts explain.

“For well over a year however he has attacked Dutch Internet users, but with him are many others, and this problem not only exists in The Netherlands, but is active globally and is growing at an exponential rate.”

The detailed report on the Pobelka botnet is available here.