Golroted targets businesses to steal financial credentials and personal information

The ‘Golroted’ Trojan spyware is increasingly targeting small and medium businesses to steal their financial login credentials and other confidential data. The targeted organizations include government agencies and private organizations that perform financial transactions online, primarily in Southeast Asian and Middle Eastern nations.

This malware, which attacks in a manner similar to Advanced Persistent Threats (APTs), selects its targets in countries such as India, Thailand, Indonesia, Malaysia, Oman, Egypt, Saudi Arabia, Ethiopia and other smaller countries. India tops the list of infected users with a 33% share, followed by Indonesia at 31% and Thailand at 9%.

The virus research lab of Quick Heal Technologies, India’s leading security solutions provider, came across this malware in November 2014. Deep analysis of this Trojan spyware family, which goes by the name ‘Golroted’, led the Quick Heal research engineers to its command and control (C&C) server, which is located in the United States. The cybercriminals behind this malware compromised a server in US infrastructure to host their C&C and to tunnel information from victims’ systems to it. Researchers at Quick Heal were able to crack the encryption and the communication mechanism between the malware and its command center, which enabled them to analyze the infection further and publish a detailed report on how it works.

“Today several malware families like Golroted are targeting small and medium businesses to steal their sensitive credentials. We advise all our users to make use of adequate security and to also avoid using the ‘Remember Password’ feature of web browsers to save their passwords,” says Sanjay Katkar, Chief Technology Officer at Quick Heal Technologies.

According to the report, the cybercriminal gang behind this malware is running several spam campaigns that send spear phishing emails with attachments containing either Microsoft Office documents carrying exploits or zip archives containing keyloggers. Once a user opens a malicious attachment, the keylogger collects sensitive information from the machine and sends it to a preconfigured server, either by uploading the data to an FTP server or by sending it back as email attachments.
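The exfiltration channel described above (a keylogger on a workstation pushing stolen data straight to an FTP server or out over SMTP) is something a network team can hunt for in its own firewall logs. The following is an added example written for this article, not Quick Heal’s tooling or anything from the report: it parses a constructed key=value firewall log and flags internal hosts that send a meaningful volume of data over FTP or SMTP directly to external addresses, bypassing the corporate mail relay. The log format, the internal address ranges, the relay allowlist and the byte threshold are all assumptions to be adjusted for a real environment.

```python
"""Hunt for direct FTP/SMTP exfiltration from workstations in firewall logs.

Added example for illustration; the log format, hosts and addresses below
are constructed and do not come from the Golroted report.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (hypothetical key=value format).
SAMPLE_LOG = """\
2014-11-03T09:12:01Z src=10.20.1.15 dst=10.20.0.5 dport=25 proto=tcp bytes=4120
2014-11-03T09:13:44Z src=10.20.1.15 dst=203.0.113.44 dport=21 proto=tcp bytes=183220
2014-11-03T09:14:02Z src=10.20.1.15 dst=203.0.113.44 dport=21 proto=tcp bytes=95010
2014-11-03T09:15:19Z src=10.20.1.22 dst=198.51.100.9 dport=443 proto=tcp bytes=2200
2014-11-03T09:16:40Z src=10.20.1.31 dst=198.51.100.77 dport=587 proto=tcp bytes=61000
2014-11-03T09:17:05Z src=10.20.1.31 dst=198.51.100.77 dport=587 proto=tcp bytes=58800
2014-11-03T09:18:30Z src=10.20.1.40 dst=198.51.100.200 dport=25 proto=tcp bytes=900
"""

# Assumption: the organisation's own address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The channels the article says the keylogger uses to ship stolen data.
EXFIL_PORTS = {21: "ftp", 25: "smtp", 587: "smtp-submission"}

LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=\S+\s+bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport, nbytes) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["bytes"])


def is_internal(ip):
    """True if ip falls inside one of the organisation's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_exfil_candidates(log_text, approved_relays=(), min_bytes=50_000):
    """Sum bytes per (src, dst, service) for FTP/SMTP flows that leave the
    internal network without going through an approved relay, and return
    the pairs that moved at least min_bytes.

    Returns {src: sorted list of (dst, service, total_bytes)}.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, nbytes = rec
        if dport not in EXFIL_PORTS:
            continue
        # Mail to the corporate relay or internal FTP is expected traffic.
        if is_internal(dst) or dst in approved_relays:
            continue
        totals[(src, dst, EXFIL_PORTS[dport])] += nbytes

    hits = defaultdict(list)
    for (src, dst, service), total in totals.items():
        if total >= min_bytes:
            hits[src].append((dst, service, total))
    return {src: sorted(flows) for src, flows in hits.items()}


if __name__ == "__main__":
    for src, flows in find_exfil_candidates(SAMPLE_LOG).items():
        for dst, service, total in flows:
            print(f"{src} -> {dst} {service}: {total} bytes")
```

On the sample data this flags 10.20.1.15 pushing about 278 KB to an external FTP server and 10.20.1.31 sending about 120 KB over SMTP submission to an external host, while the 4 KB to the internal mail server and the small SMTP probe from 10.20.1.40 fall below the threshold. The byte threshold is a tuning knob: keylogger uploads that carry screenshots are comparatively large, but a campaign that sends only credential text could slip under it, so pair this with an allowlist-only egress policy for ports 21, 25 and 587 where the business allows it.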

Stolen information from victims’ computers includes details of the infected computer, the user’s bank details, login names and passwords, and captured screenshots. The malware takes screenshots of the sites visited and documents opened and uploads them to the C&C server. The captured passwords include those for email accounts, social media accounts, government-related sites, online banking portals and other financial services, ranging from accounts at prominent Indian banks to Gmail, Yahoo, Rediff and Windows Live Mail. Passwords for online payment sites such as Paytm and PayPal were also present in the list of captured passwords.

One of the primary reasons this malware can execute its attack is the popular use of the automatic password-save feature provided by web browsers. Because the cyber crooks are using off-the-shelf keylogger tools wrapped inside cryptors to evade detection, and because such a tool runs with the same privileges as the logged-in user, whatever the browser can decrypt for that user the malware can read too: all credentials for mail services, social networking sites, banking portals and more can be stolen in a moment. Users are therefore advised not to save their passwords using the ‘Remember Password’ functionality provided by web browsers.

@adgully

News in the domain of Advertising, Marketing, Media and Business of Entertainment
