The Stabuniq malware appears to just be performing reconnaissance for now
Security researchers from Symantec have identified an information-stealing Trojan program known as Stabuniq that was used to infect computer servers belonging to various U.S. financial institutions.
Dubbed Stabuniq, the Trojan program was found on mail servers, firewalls, proxy servers, and gateways belonging to U.S. financial institutions, including banking firms and credit unions, Symantec software engineer Fred Gutierrez said Friday in a blog post.
“Approximately half of unique IP addresses found with Trojan.Stabuniq belong to home users,” Gutierrez said. “Another 11 percent belong to companies that deal with Internet security (due, perhaps, to these companies performing analysis of the threat). A staggering 39 percent, however, belong to financial institutions.”
Based on a map showing the threat’s distribution in the U.S. that was published by Symantec, the vast majority of systems infected with Stabuniq are located in the eastern half of the country, with strong concentrations in the New York and Chicago areas.
Compared to other Trojan programs, Stabuniq infected a relatively small number of computers, which seems to suggest that its authors might have targeted specific individuals and organizations, Gutierrez said.
The malware was distributed using a combination of spam emails and malicious websites that hosted Web exploit toolkits. Such toolkits are commonly used to silently install malware on Web users’ computers by exploiting vulnerabilities in outdated browser plug-ins like Flash Player, Adobe Reader or Java.
Once installed, the Stabuniq Trojan program collects information about the compromised computer, like its name, running processes, OS and service pack version, assigned IP (Internet Protocol) address and sends this information to command-and-control (C&C) servers operated by the attackers.
“At this stage we believe the malware authors may simply be gathering information,” Gutierrez said.