Trojan-Banker.Win32.Shiotob

Detect Date 06/03/2016
Class Trojan-Banker
Platform Win32
Description

Trojan-Banker.Win32.Shiotob is a banking Trojan also known as URLZone and Bebloh. First discovered in 2009, it is most often spread as an email attachment.

Trojan-Banker.Win32.Shiotob has the following main capabilities:
• Stealing passwords from FTP and email clients
• Sending the URLs of websites that have been visited by the user
• Taking and sending screenshots
• Substituting web page contents
• Stealing data entered in browser forms
• Sending the Windows address book
• Downloading and running other malware

The addresses of additional command-and-control servers are generated from the main server addresses hard-coded in the body of the Trojan itself. Communication with the servers goes over HTTPS with an additional layer of AES encryption, and RSA is used to exchange the AES key. The Trojan is notable in that it runs only in the memory of other processes, such as a web browser, an FTP client, or the Windows file manager. Its changes to the Registry and the hard disk are made only when the computer is restarted or shut down.
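A hunting heuristic drawn from the behaviour described above (Registry and disk changes deferred until shutdown or restart), added here as an example and not code from the Kaspersky entry: it scans a constructed, simplified event stream modelled on Sysmon file/registry events and the Windows shutdown event, and flags writes by the named host processes that land in the seconds before a shutdown. The host-process list, the event field layout and the 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Image names of the processes the entry names as hosts for the in-memory
# Trojan (assumed list: common browsers, an FTP client and Explorer).
HOST_PROCESSES = {"explorer.exe", "iexplore.exe", "firefox.exe",
                  "chrome.exe", "filezilla.exe"}
# Autostart key fragments, matched case-insensitively in registry targets.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SHUTDOWN_EID = 1074      # Windows System log: shutdown/restart initiated
WRITE_EIDS = {11, 13}    # Sysmon: 11 = FileCreate, 13 = RegistryValueSet

# Constructed sample stream: (timestamp, event id, process image, target).
SAMPLE_EVENTS = [
    ("2016-06-03T08:55:00", 11, "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "C:\\Users\\alice\\AppData\\Local\\Temp\\cache.tmp"),
    ("2016-06-03T08:59:30", 13, "C:\\Windows\\explorer.exe",
     "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    ("2016-06-03T08:59:50", 11, "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "C:\\Users\\alice\\AppData\\Roaming\\svc.dat"),
    ("2016-06-03T08:59:55", 13, "C:\\Windows\\System32\\svchost.exe",
     "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Audit"),
    ("2016-06-03T09:00:00", 1074, "C:\\Windows\\System32\\wininit.exe", "restart"),
    ("2016-06-03T09:00:05", 13, "C:\\Windows\\explorer.exe",
     "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Late"),
]


def find_preshutdown_writes(events, window_seconds=30):
    """Return file/registry writes by host processes made within the window
    before a shutdown/restart event; Run-key writes are rated high."""
    window = timedelta(seconds=window_seconds)
    parse = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")
    parsed = sorted(((parse(t), eid, img, tgt) for t, eid, img, tgt in events),
                    key=lambda e: e[0])
    shutdowns = [t for t, eid, _, _ in parsed if eid == SHUTDOWN_EID]
    hits = []
    for t, eid, image, target in parsed:
        # Assumption: only writes from the injected host processes matter here.
        if eid not in WRITE_EIDS or image.rsplit("\\", 1)[-1].lower() not in HOST_PROCESSES:
            continue
        for shutdown in shutdowns:
            delta = shutdown - t
            if timedelta(0) <= delta <= window:       # write landed just before shutdown
                run_key = eid == 13 and any(m in target.lower() for m in RUN_KEY_MARKERS)
                hits.append({"severity": "high" if run_key else "medium",
                             "seconds_before_shutdown": int(delta.total_seconds()),
                             "image": image, "target": target})
                break
    return hits
```

On the sample stream the Run-key write by explorer.exe 30 seconds before the restart and the file drop by firefox.exe 10 seconds before it are flagged; the earlier cache write, the svchost.exe write and the post-restart write are not.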

Geographical distribution of attacks by the Trojan-Banker.Win32.Shiotob family

[Map] Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country             % of users attacked worldwide*
1     Japan               64.05
2     Germany             26.70
3     Austria              1.36
4     Russian Federation   1.05
5     Vietnam              0.62
6     Italy                0.55
7     Switzerland          0.51
8     Spain                0.48
9     France               0.41
10    Netherlands          0.35

* Percentage among all unique Kaspersky users worldwide attacked by this malware