New banking malware up for sale

With Citadel no longer being offered for sale, a new malware named KINS is being offered on Russian malware sites for the small fee of $5,000 paid out via WebMoney. Additional modules, such as a plug-in that thwarts detection by a particular security software, are also available for up to $2,000. The ad also promises the availability of a Remote Desktop Protocol module that will allow botmasters to remotely access compromised machines. The malware attacks a compromised machine’s volume boot record, giving it machine-level access to victims.

“Underground chatter increasingly reflects the growing appetite for new, ‘real’ banking malware in the online fraud arena, featuring discussions by criminals who would eagerly welcome a new developer and jointly finance a banker project if one would only make sense to them,” said Limor Kessem of FraudAction.

“Beyond being advertised on the most exclusive venues where all other major Trojans were introduced in the past, KINS appears already to be a familiar name in the underground, its developer is responsive and further offers technical support to new customers, which has become a strong selling point for any malware vendor,” Kessem said.

“With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS’ author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality,” Kessem said. “As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future.”