Bolek can take screenshots, open proxy servers, steal passwords, and show credentials phishing pages in your browser

Jun 12, 2016 22:15 GMT  ·  By

Bolek is the name of a new banking trojan that has spawned from the leaked source code of the Carberp and Zeus banking trojans. Malware coders have mixed the two code bases to create an all-new threat that is currently going after the customers of Russian banks.

CERT Poland researchers spotted the trojan first in mid-May, when they investigated a phishing campaign originating from their country, noticing a slight resemblance between Bolek and the KBot module of Carberp.

Two days later, US security firm PhishMe expanded CERT-PL's findings with a comprehensive report on Bolek's mode of operation, also noticing the visible similarities between Bolek and Carberp.

Bolek is the most recent threat that has emerged on the financial malware market

More reports also followed, first from Russian antivirus maker Dr.Web, and then from Arbor Networks, both at the start of June. While the Arbor report focused on Bolek's C&C server communications, the Dr.Web one included a breakdown of the trojan's mode of operation, along with similarities between Bolek, Carberp, and even the ancient Zeus banking trojan.

Dr.Web says the trojan is fully equipped for today's banking ecosystem. Bolek is able to steal login credentials from online banking applications by injecting itself into a Web browser's process, can take screenshots of the user's screen, can intercept Web traffic, can log keystrokes, and can create a local proxy server in order to transfer files out of the infected machine.

Bolek can target Microsoft Internet Explorer, Google Chrome, Opera, and Mozilla Firefox browsers, and comes with an embedded version of Mimikatz, a well-known password-dumping tool.

Bolek's similarities to Carberp and Zeus

The part that Bolek borrowed from Carberp includes a custom virtual file system, which the trojan uses to store various files needed for its operation, in order to hide them from security software.

From Zeus, Bolek borrowed its powerful Web injection mechanism that allows it to tap into browser processes and take over the entire Web page when the user visits an online banking portal.

Furthermore, the trojan can infect both 32-bit and 64-bit Windows machines, and when instructed, it can also open a reverse connection to the attacker via RDP (Remote Desktop Protocol).

Bolek can also infect other files to spread to other computers

Despite all these deadly features, this was not the most interesting feature highlighted by Dr.Web researchers. After infecting a target, Bolek's masters can send a command to the trojan and activate a worm-like self-spreading mechanism.

This feature allows the trojan to spread to other files on the same filesystem or on USB drives. Bolek has the ability to taint 32-bit or 64-bit Windows executables, which, if moved to other computers, can carry the trojan to other targets.

"The main purpose of Trojan.Bolik.1 is to steal confidential information," Dr.Web researchers explained. "[The] functions and architecture of Trojan.Bolik.1 are very sophisticated, which makes it really dangerous for Windows users."