The Ostap Backdoor Distributes Banking Trojans

Computer security researchers have discovered the Ostap backdoor, which criminal groups use to distribute various banking Trojans. It has been used in attacks against both ordinary computer systems and point-of-sale (POS) machines.


The Ostap Backdoor Is a Useful Tool of the Criminal Arsenal

The Ostap backdoor is a recently discovered malware family that hacker groups use to infect targets with banking Trojans. Several of the reported attacks were against point-of-sale (POS) machines, which is a serious concern for merchants.

Ostap uses JScript files together with a Delphi dropper named MrWhite. This component checks the compromised system for existing infections and downloads further payloads onto it.

The group behind the backdoor has used various Trojans, including Dridex, Ursnif and Tinba. The attacks were primarily against financial institutions in countries such as the United Kingdom, Germany and Austria. According to the published information, the primary infection method is email spam sent in campaigns that use social-engineering tricks to fool users into downloading the infected files. The threats are usually hidden in malicious macros inside Microsoft Word documents.

The volume of the attacks is not large, as they are personalized to the target; accordingly, the social-engineering messages are written in either German or English. After the malicious document has been opened and closed, Ostap makes itself persistent on the compromised machine by adding itself to the operating system's Startup folder. System details are sent to the remote C&C server, and the banking malware is then downloaded from it.
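The Startup-folder persistence described above is something a defender can check for directly. The following triage script is an added example and not code from the article or from any of the malware it describes: it lists entries in a Startup folder whose extension belongs to a Windows Script Host type (the article only names JScript `.js` files; the wider extension set and the default Startup paths are assumptions). It takes the directory as a parameter, so the demo runs offline against a constructed folder on any OS.

```python
"""Triage check for script-file persistence in Windows Startup folders.

Added example (not from the original article). Ostap is reported to persist
by adding itself to the Startup folder; this script reports Startup-folder
entries with Windows Script Host extensions for analyst review.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List

# Assumption: a reasonable triage set of Windows Script Host extensions.
# The article itself only mentions JScript (.js) files.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Default per-user and all-users Startup locations on Windows (assumed
# defaults). Expanded at call time, so the module imports on any OS.
DEFAULT_STARTUP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
]


@dataclass
class Finding:
    path: str
    size: int
    reason: str


def scan_startup_dir(directory: str) -> List[Finding]:
    """Return one Finding per script-type file found directly in `directory`."""
    findings: List[Finding] = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            findings.append(
                Finding(full, os.path.getsize(full),
                        f"script file ({ext}) in Startup folder"))
    return findings


def scan_default_startup_dirs() -> List[Finding]:
    """Scan the assumed default Startup folders (empty list on non-Windows)."""
    results: List[Finding] = []
    for d in DEFAULT_STARTUP_DIRS:
        results.extend(scan_startup_dir(os.path.expandvars(d)))
    return results


def demo() -> List[Finding]:
    """Build a constructed Startup folder in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample entries: one benign shortcut, one JScript file.
        open(os.path.join(tmp, "OneDrive.lnk"), "wb").close()
        with open(os.path.join(tmp, "update.js"), "w") as fh:
            fh.write("// constructed placeholder file, not real malware\n")
        return scan_startup_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.path}: {finding.reason} ({finding.size} bytes)")
```

On a real host, `scan_default_startup_dirs()` covers the two common Startup locations; anything it reports should be correlated with file creation time and the user's recent document activity, since a script dropped right after a Word document was opened and closed matches the behaviour the article describes.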

The malware is used to download a banking Trojan such as Dridex or Tinba. According to the security researchers who observed the attacks, the criminal operators rotate the payloads on a daily basis.

The Ostap Backdoor Delivers the MrWhite Malware

MrWhite is one of the payloads the backdoor can deliver. It is written in the Delphi programming language. Upon infection it compares the running processes against a hardcoded list. If there is a match, the process list is sent to the remote C&C server and the TinyLoader malware is downloaded to the compromised machine.

MrWhite sleeps for 120 seconds and then joins the hardcoded list into a single string, which is then reversed. A specific substring of this generated value is reversed once again, and a command is run that produces the list of running processes in comma-separated format. This output is sent to the remote C&C servers over an HTTPS connection.
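The reversed-string trick described above is a weak form of obfuscation that static analysis can undo. The scanner below is an added example, not code from the article or from MrWhite: it searches a binary blob for the reversed form of each name in a candidate list and reports the offsets. The article does not publish MrWhite's real hardcoded list, so the candidate names and the sample blob are constructed assumptions; on a real sample you would supply the file bytes and a list of the process names you expect a process-checking dropper to look for.

```python
"""Find reversed copies of known process names inside a binary blob.

Added example (not from the original article). MrWhite is reported to join
its hardcoded process list into one string and store it reversed; searching
for reversed candidate names is a cheap static check for that pattern.
"""
import re
from typing import Dict, List

# Constructed candidate list (assumption for the demo): analysis and
# virtualisation tool process names a dropper might check for.
CANDIDATE_NAMES = [
    "procmon.exe", "wireshark.exe", "ollydbg.exe", "x64dbg.exe",
    "vboxservice.exe", "vmtoolsd.exe", "tasklist.exe",
]


def find_reversed_names(blob: bytes,
                        names: List[str] = CANDIDATE_NAMES) -> Dict[str, List[int]]:
    """Return {name: [byte offsets]} for every candidate whose reversed
    ASCII form appears in `blob` (case-insensitive)."""
    hits: Dict[str, List[int]] = {}
    for name in names:
        reversed_name = name[::-1].encode("ascii")
        offsets = [m.start()
                   for m in re.finditer(re.escape(reversed_name), blob, re.IGNORECASE)]
        if offsets:
            hits[name] = offsets
    return hits


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dropper binary: padding around a reversed,
    comma-joined list of three candidate names (not a real sample)."""
    joined = ",".join(["procmon.exe", "wireshark.exe", "vmtoolsd.exe"])
    reversed_list = joined[::-1].encode("ascii")
    return b"\x00" * 64 + b"MZ\x90\x00" + b"\xcc" * 32 + reversed_list + b"\x00" * 64


def demo() -> Dict[str, List[int]]:
    """Scan the constructed blob and return the hits."""
    return find_reversed_names(build_sample_blob())


if __name__ == "__main__":
    for name, offsets in demo().items():
        print(f"{name}: reversed copy at offsets {offsets}")
```

Because the names are stored reversed and comma-joined, a plain `strings` run on the sample shows `exe.dslootmv,exe.krahseriw,exe.nomcorp` rather than anything recognisable; reversing each candidate before searching is what makes the match. The same idea extends to a YARA rule whose strings are the reversed names.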


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
