Bebloh and Tinba are also common across several verticals

Jun 30, 2015 12:51 GMT

Research into the current state of banking Trojans in corporate environments identifies Dridex as the most commonly used threat across companies in multiple sectors, followed by Bebloh and Tinba.

The statistics were compiled over the first five months of the year, from communication received by sinkholes controlled by SecurityScorecard from infected computer systems at 4,703 organizations.

Sinkholes are systems that stand in for the servers in the malicious infrastructure used to coordinate malware activity on machines compromised with a particular type of threat, so that infected computers contact them instead.

Dridex primarily found in the manufacturing and retail sectors

SecurityScorecard, a company based in New York offering security risk monitoring solutions, identified 55 malware families accounting for a total of 11,952 infections at entities in different industries.

As per observations included in a report published on Monday, Dridex recorded the highest number of infections in the manufacturing vertical, accounting for 27% of the attacks, followed by the retail sector with 20.7%.

It is also the piece of malware encountered in organizations from the widest array of industries, from legal, energy, healthcare and transportation, to entities in the financial sector, education, government and entertainment.

“Manufacturing companies often purchase large quantities of raw materials from foreign countries and complete the transactions via wire transfer. Therefore, Dridex wire transfer attacks against a manufacturing company’s corporate business account are more likely to go undetected by banks and businesses,” the researchers explain, adding that transferring large amounts would be common practice and would not raise suspicions.

Bebloh and Tinba have different targets

Operators of the Bebloh banking malware seem to target telecommunications and technology companies, as 39% and 34.1% of the infections, respectively, came from computers employed in these verticals.

Bebloh compromises in the manufacturing industry account for 7.3% of the total, fewer than those in information services (9.8%) and more than those in healthcare (4.9%).

The top three banking malware families spotted by SecurityScorecard is rounded out by Tinba, also known as Tiny Banker. Its focus appears to be on telecommunications (69.4%), information services (16.7%), and technology companies (11.1%).

Centering activity on the telecommunications sector would indicate that attacks target individual accounts of large banks that may have wire transfer accounts, the report notes.

Based on the data gathered, researchers say that Dridex appears to be handled by more advanced actors, “with an interest in targeted attacks.” Bebloh, on the other hand, is delivered in “spray and pray” campaigns, which means that the threat actor does not spend too much time planning the initial attack stage.

Images (3): Dridex infections per vertical; Technology and telecommunication sector affected by Bebloh; Tinba mostly seen in compromises of telecommunication companies