Dorkbot, a 6-year-old banking malware has resurfaced in the wild to become a major threat, according to recent reports.
The Dorkbot banking malware reportedly started its malicious activity back in 2012 but now it seems as if this virus has started to attack banks once again. This updated version of Dorkbot was ranked second in the world back in 2012 and according to Check Point’s report it may now be back to wreak havoc and cause damage to banking institutions on a major level.
What Is Dorkbot?
Dorkbot is a banking malware which was used by hackers to target Skype accounts as well as Facebook and Twitter accounts. The malware has been reported to try to trick victims to download an archive which contained a message in it, called “Is this your new profile pic?”. The .zip attachment was opened by the victim and then the malware locked the victimized computer. But this is not all that it does, as the Dorkbot locks the computer into a botnet infection and the contacts of the victims are sent to the malicious archive.
The virus has evolved in a new updated variant which basically makes it an advanced RAT (Remote Access Trojan), which is configured to steal user information, such as:
- Passwords and account names.
- Keystrokes typed.
- Logged in details when the user attempts to log in a banking site.
According to Check Point researchers, the malware was created to allow the attacker controlling it capabilities to perform remote code execution attacks with the primary idea to manually steal saved sensitive banking data. This means that the hacker may even be able to look into your computer’s history to check for passwords or data you have previously entered. The new injection capabilities, used by the malware has been detected behind the name Early Bird and it is basically a way of obfuscating the malware and allowing it to avoid being detected by any antivirus and security software.
The today’s variant of Dorkbot is quite more advanced and it impressed even analysts at CheckPoint, who also mentioned other well known banking infections in their report.
Dorkbot’s Activity
The original activity of Dorkbot drops multiple files, in the %AppData% and %Temp% directories and among those files are worm infection files, that allow it to automatically spread across different machines. In addition to this, Dorkbot may also heavily modify the Windows registry sub-keys, as Microsoft report in their analysis of the malware. The virus primarily attacks the Run and RunOnce sub-keys where it creates registry entries for all of it’s executable files to automatically run when you start Windows. The files are different for the different variants of Dorkbot, but primarily may be the following:
→ %APPDATA%\c731200
%APPDATA%\ScreenSaverPro.scr
%APPDATA%\temp.bin
%APPDATA%\update\explorer.exe
%APPDATA%\update\cleaner.exe
%APPDATA%\update\update.exe
%APPDATA%\windowsupdate\updater.exe
%APPDATA%\windowsupdate\live.exe
%APPDATA%\Windows Live\
%TEMP%\Adobe\Reader_sl.exe
%TEMP%\c731200
The virus also has a folder, called RECYCLER, which uses all possible USB drives and registers them as a way to propagate into flash drives. The malware also uses backdoor access and control, so banks are advised to beware as it may spread in new and more clever ways.
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me: