Trojan-Banker.Win32.Shiotob is a banking Trojan also known as URLZone and Bebloh. Most often spread in email attachments, this malware was first discovered in 2009.
Trojan-Banker.Win32.Shiotob has the following main capabilities:
The addresses of additional command-and-control servers are generated from the main server addresses hard-coded in the body of the Trojan itself. Server communication uses HTTPS with additional AES encryption, and RSA encryption for key exchange. The Trojan is notable in that it runs only in the memory of other processes, such as a web browser, FTP client, or Windows file manager. All changes by the malware to the Registry and the hard disk occur only when the computer is restarted or shut down.
[Figure: Geographical distribution of attacks by the Trojan-Banker.Win32.Shiotob family]
[Table: Top 10 countries with most attacked users (% of total attacks)]
* Percentage among all unique Kaspersky users worldwide attacked by this malware