The threat has been advertised on Russian cybercriminal forums

Nov 20, 2013 15:49 GMT  ·  By

Security researchers from Trusteer have come across a piece of malware that, until recently, has been lurking in the “dark shadows.” The threat, dubbed i2Ninja, is a financial malware that’s similar to ZeuS, Citadel, and SpyEye.

It’s capable of grabbing form data from most major browsers and FTP clients, and injecting HTML code.

The kit also includes a mail grabber, a grabber for popular poker clients (88poker, Absolute Poker, Cake Poker, Full Tilt Poker, Party Poker, PokerStars, Titan Poker), and features that allow customers to search for specific files and schedule DLL or EXE loading tasks.

What’s interesting about this Trojan is that it uses the I2P (Invisible Internet Project) networking layer in order to make sure that communications are secure.

I2P is somewhat similar to Tor. However, experts say that it has been designed to “maintain a true Darknet.” It can be used for anonymous browsing, messaging, file transfers and blogging.

i2Ninja uses the I2P network in order to maintain secure communications between the command and control (C&C) server and infected hosts. Configuration files and stolen information travel via encrypted channels.

The malware’s authors are also offering customers an integrated helpdesk that allows users to open tickets and communicate with the support team from within the administration panel. All this is done via the I2P network.

“While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first,” Trusteer’s Etay Maor noted in a blog post.

Experts say i2Ninja was advertised on Russian cybercrime forums until recently. After receiving many requests from potential clients, the Trojan’s author asked that the thread be shut down.