
Win32/Spy.Ranbyus

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 13
First Seen: December 28, 2012
Last Seen: May 26, 2022
OS(es) Affected: Windows

Win32/Spy.Ranbyus is a dangerous malware family used to steal banking information. It is being used to modify Java code in remote banking systems located in Ukraine. Win32/Spy.Ranbyus is considered especially dangerous because of its ability to defeat the smartcard functionality in modern banking systems: it contains components that allow it to bypass the authentication processes in banking transactions that involve smartcard devices. Some of the latest variants of Win32/Spy.Ranbyus can modify Java code used in remote banking systems, including iBank 2, Ukraine's most popular remote banking system. Although Win32/Spy.Ranbyus infections have been observed outside of Ukraine, ESG malware analysts have observed that the great majority of infections are concentrated in that country.

While other banking Trojans use web injection to intercept and modify their victims' online banking transactions, Win32/Spy.Ranbyus is instead designed to attack banking and payment software directly. Win32/Spy.Ranbyus first steals information from the infected computer. It is then used to steal forms from certain Java software used in these kinds of banking systems. In this way, criminals can gain access to online banking passwords, account numbers, credit card information and other information.

What Makes the Win32/Spy.Ranbyus Trojan Different from Other, Similar Banking Trojans?

These kinds of attacks are not particularly new. Known as Java patching, this technique is also used by other banking Trojan families, including Carberp (another infamous banking Trojan family that can modify Java code and banking software). However, Win32/Spy.Ranbyus can affect the Java code directly, bypassing the Java Virtual Machine. This is important because Win32/Spy.Ranbyus can be used to modify information on the affected statement, such as the account balance, which can then allow criminals to hide their tracks. ESG security researchers have also observed that Win32/Spy.Ranbyus can block the activities of the remote banking system entirely. In its place, Win32/Spy.Ranbyus causes a message written in Russian to appear. The translation of this message is:

'Technical work is being performed on the server, and the service may be temporarily unavailable. We apologize for the inconvenience.'

Today, Win32/Spy.Ranbyus is poised to become the inspiration for numerous copycat banking malware infections outside of Ukraine, where it is already the top banking Trojan infection. To protect your computer from Win32/Spy.Ranbyus attacks, ESG malware analysts encourage using a reliable anti-malware program, following online safety procedures and taking extra security measures when conducting online banking or other sensitive online activities.
