Symantec experts say Castov is distributed with the Gongda exploit kit

May 29, 2013 19:51 GMT  ·  By

Symantec has been actively monitoring banking Trojans all over the world and it has even published a report on the topic called The World of Financial Trojans. One interesting piece of malware is Castov.

Castov, which is distributed with the aid of an exploit kit called Gongda, is designed to target South Korean financial companies and their customers. It’s worth noting that Gongda is also aimed mainly at South Korea.

Once it lands on a device, the Castov downloader disables antivirus solutions and retrieves an encrypted file from the command and control server.

The downloaded file, Infostealer.Castov, checks for a list of DLL files related to Korean online banking and security software. It then harvests passwords, account details, transaction data and digital certificates, and takes screenshots.

The digital certificates, stolen from the NPKI folder, are often used in South Korea for banking, credit card operations, insurance and other similar activities.
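Because the stolen certificates live in a known folder, reads of that folder by unexpected processes are a practical detection point for defenders. The script below is an added example, not Symantec's code or anything from the report: it runs a simple allowlist check over constructed file-access audit lines and flags processes that read NPKI certificate files without being on the list. The log format, the `\NPKI\` path convention, the file names and the allowlisted browser path are all assumptions made for the example and would need tuning to a real environment.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not any product's real
# output): one file-access event per line as key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>.+?)"
    r"\s+action=(?P<action>\w+)\s+path=(?P<path>.+)$"
)

# Assumption: the user's certificate store sits under a folder named NPKI.
NPKI_MARKER = "\\npki\\"

# Assumption: processes that legitimately read NPKI certificates (e.g. the
# browser hosting the bank's plugin). Tune this list to the environment.
ALLOWED_IMAGES = {
    r"c:\program files\internet explorer\iexplore.exe",
}

# Constructed sample audit lines: a browser reads a certificate (expected),
# then an unknown executable in a temp folder reads both the certificate and
# the private key, and an unrelated read of a document happens afterwards.
SAMPLE_LOG = """\
2013-05-29T10:01:02Z pid=1204 image=C:\\Program Files\\Internet Explorer\\iexplore.exe action=READ path=C:\\Users\\alice\\AppData\\LocalLow\\NPKI\\signCert.der
2013-05-29T10:01:05Z pid=3311 image=C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe action=READ path=C:\\Users\\alice\\AppData\\LocalLow\\NPKI\\signCert.der
2013-05-29T10:01:06Z pid=3311 image=C:\\Users\\alice\\AppData\\Local\\Temp\\svch0st.exe action=READ path=C:\\Users\\alice\\AppData\\LocalLow\\NPKI\\signPri.key
2013-05-29T10:02:00Z pid=880 image=C:\\Windows\\explorer.exe action=READ path=C:\\Users\\alice\\Documents\\notes.txt
"""


def parse_line(line):
    """Parse one audit line into a dict of fields, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_npki_access(event):
    """True when the accessed path lies inside an NPKI certificate folder."""
    return NPKI_MARKER in event["path"].lower()


def detect_npki_theft(log_text):
    """Return one alert per (pid, image) that reads NPKI files without being allowlisted.

    Several distinct NPKI files read by the same process raise the severity,
    since a certificate plus its private key is what makes the theft usable.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_npki_access(ev):
            continue
        if ev["image"].lower() in ALLOWED_IMAGES:
            continue
        hits[(ev["pid"], ev["image"])].append(ev["path"])

    alerts = []
    for (pid, image), paths in hits.items():
        severity = "high" if len(set(paths)) > 1 else "medium"
        alerts.append({"pid": pid, "image": image, "files": paths, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_npki_theft(SAMPLE_LOG):
        print(f"[{alert['severity']}] pid {alert['pid']} {alert['image']} read {len(alert['files'])} NPKI file(s)")
```

On the constructed sample the browser's read is ignored and the temp-folder executable produces a single high-severity alert because it touched two different certificate-store files. In practice the allowlist should be keyed on signed, verified binaries rather than bare paths, since a file name alone is trivial to imitate.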

All the valuable information, which is enough to illegally access the victim’s accounts, is sent to a remote server.