Meet Scylex, the New Financial Crimekit

Banking trojans have taken a backseat to ransomware lately but buckle up: A new ad has appeared on the Dark Web for Scylex, a new financial malware crime kit. Starting at $7,500, it aims to continue the Zeus Gameover legacy, but without reusing any code from it.

Heimdal Security researchers found the ad, which cyber-criminals posted on Lampeduza, the underground forum where card details from the 2014 Target data breach were sold.

“Do you want to make money, do you want multiply your net-worth?” reads the ad. “Then our solution is the perfect one for you. It is good to take note, this Trojan is aimed at users who have a solid understanding of how to monetize their network. However! We accept even beginners, and offer support for all!”

The authors’ self-professed goal is to “bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.” They clearly pride themselves on ingenuity, too: “It’s not a copy of ZBerp like the rest of the market. It is a banking Trojan written 99% from scratch in C++.”

Scylex packs in multiple functionalities: User-mode rootkit; form-grabber; web injects; SOCKS5 reverse proxy with back-connect capabilities; works without administrator privileges; guaranteed to work even on slow internet connections.

For $2,000 more, clients can buy new and expanded functionalities. These include SOCKS5 support, which enables attackers to manipulate data transfers between a user’s PC and a specific server through a proxy. A premium package costs $10,000 and adds a Hidden Virtual Network Computing (HVNC) module to the mix.

“Hidden VNC is probably one of the most complicated malware features to code and essentially requires coders to implement their own window manager, which is why there are very few unique implementations in the wild (most malware uses a single implementation unimaginatively named HVNC),” explained Andra Zaharia, Heimdal security specialist, in an analysis.

The cyber-criminals behind Scylex also claim that they have a roadmap for future development, which includes: Form grabber + Injects support on Microsoft Edge & Opera; spreader (social networks, PE infection, device propagation); Reverse FTP (silent file system ex-filtration) with back-connect; ATS-Engine (to-be integrated into web-injects), “we will write our own”; DDoS module (“aimed for max efficiency/output like specific DDoS bot”); and click bot (CPM/PPC).

All in all, it sounds like the creators are going all-out, and it’s clear from the “we support all” language that they’re not picky about who uses it, as long as they pay up.

“It doesn’t seem to matter if buyers will know how to use Scylex or if they’ll just buy it on account of the fortunes it can potentially make,” Zaharia said. “Their self-fulfilling prophecy will become true: make money and increase their net-worth.”

So far, Scylex hasn’t been spotted in the wild, so the claims made in the advertisement posted on the Lampeduza forum can’t be verified yet, Zaharia noted, though it’s likely that the code is real.

“If so, banks and other financial institutions could once again come face to face with a cyber-threat capable of creating mayhem,” she warned. “And given that cyber-criminals move incredibly fast in comparison to law-abiding institutions, that time may come soon.”
