Cyber criminals are currently advertising a new banking Trojan on Lampeduza, a notorious hacker forum on the dark web.
From the looks of it, cyber criminals are engineering the next big thing in financial malware, with the ambition of replicating the impact that Zeus had a few years back.
From the horse's mouth: “The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.”
Scylex financial malware – a blended threat with a development roadmap…
The person who posted the advertisement calls themself “Others”, and the promoted crime kit goes by the name Scylex.
With a price tag of $7,500 for the base license, Scylex packs multiple functionalities that make it sound like a complex and formidable threat. According to the advertisement, the base package includes a form grabber and web injects for Internet Explorer, Firefox and Chrome, an x86/x64 user-mode rootkit, and download-and-execute of payloads directly from memory.
But the Scylex creators didn't stop there. For a “mere” $2,000 more, clients can buy the SOCKS5 extension, which the sellers describe as follows:
SOCKS5 reverse proxy with backconnect capabilities
Works around NAT, without administrator privileges
Guaranteed to work even on slow Internet connections
SOCKS5 (Socket Secure, RFC 1928) is a generic TCP proxy protocol. In backconnect mode the infected PC opens an outbound connection to the attacker's server and then behaves as a SOCKS5 proxy over that connection, so the attacker can route their own traffic through the victim's machine and IP address, for example to log into the victim's online bank from an address the bank has already seen, without any inbound port having to be reachable through the victim's NAT or firewall.
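The backconnect mechanism described above, as an added example that is not part of the original article or of Scylex itself: a Python detector that parses the SOCKS5 greeting and request framing from RFC 1928 and flags flows where the greeting is sent by the side that did not open the TCP connection, which is the on-the-wire signature of a bot acting as a SOCKS5 proxy over an outbound channel. The `Flow` record, its field names and the sample byte strings are constructed here for illustration. The heuristic assumes the SOCKS5 handshake is visible in cleartext; the advertisement says the Scylex backconnect protocol is its own, so in practice this catches only an unwrapped SOCKS5 exchange.

```python
"""Heuristic detector for SOCKS5 backconnect proxying (RFC 1928 framing)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    host: str
    port: int


@dataclass
class Flow:
    """Hypothetical flow record as a sensor might emit it (constructed for this
    example): who opened the TCP connection, the first payload each side sent,
    and the next message from whichever side spoke SOCKS5 first."""
    local_initiated: bool
    initiator_first: bytes
    responder_first: bytes
    proxy_request: bytes = b""


def parse_socks5_greeting(data: bytes) -> Optional[List[int]]:
    """Return the offered auth methods if `data` is exactly one SOCKS5 client
    greeting (VER NMETHODS METHODS...), else None."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return list(data[2:])


def parse_socks5_request(data: bytes) -> Optional[Socks5Request]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp, off = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        if len(data) < off + 4:
            return None
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == ATYP_DOMAIN:
        if len(data) < off + 1:
            return None
        n, off = data[off], off + 1
        if len(data) < off + n:
            return None
        host, off = data[off:off + n].decode("ascii", "replace"), off + n
    elif atyp == ATYP_IPV6:
        if len(data) < off + 16:
            return None
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        return None
    if len(data) != off + 2:  # request must end with the 2-byte port
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return Socks5Request(CMD_NAMES[cmd], host, port)


def classify_flow(flow: Flow) -> str:
    """In normal SOCKS5 the dialer sends the greeting. In backconnect the bot
    dials out and the *responder* (the attacker's server) sends the greeting,
    so the proxy client is the side that did not open the connection."""
    if parse_socks5_greeting(flow.responder_first) is not None:
        return "socks5-backconnect-bot" if flow.local_initiated else "socks5-backconnect-controller"
    if parse_socks5_greeting(flow.initiator_first) is not None:
        return "socks5-client" if flow.local_initiated else "socks5-server"
    return "other"


def report(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Label each flow and, where it is SOCKS5, summarise the proxied target."""
    out = []
    for f in flows:
        label = classify_flow(f)
        req = parse_socks5_request(f.proxy_request) if label != "other" else None
        out.append((label, f"{req.command} {req.host}:{req.port}" if req else ""))
    return out


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    # 1. Infected host dialed out; the remote side then greets with SOCKS5
    #    (no auth) and asks the bot to CONNECT to a bank on its behalf.
    Flow(True, b"", b"\x05\x01\x00",
         b"\x05\x01\x00\x03" + bytes([len(b"bank.example")]) + b"bank.example" + struct.pack("!H", 443)),
    # 2. Ordinary local SOCKS client: the dialer greets, server picks no-auth.
    Flow(True, b"\x05\x02\x00\x02", b"\x05\x00",
         b"\x05\x01\x00\x01\x5d\xb8\xd8\x22" + struct.pack("!H", 80)),
    # 3. TLS ClientHello from the dialer; nothing SOCKS-like.
    Flow(True, b"\x16\x03\x01\x00\xf1\x01", b"\x16\x03\x03", b""),
]

if __name__ == "__main__":
    for label, target in report(SAMPLE_FLOWS):
        print(label, target)
```

A real sensor would have to pair the two sides of a TCP stream and apply this only to the first segments; the strict length checks keep random binary that happens to start with 0x05 from matching.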
The “premium” package costs $10,000 and adds a HVNC (Hidden Virtual Network Computing) module to the features above.
Hidden VNC is probably one of the most complicated malware features to code and essentially requires coders to implement their own window manager, which is why there are very few unique implementations in the wild (most malware uses a single implementation known as HVNC)…
The packages include support for 6-8 hours a day and free updates, just like most malware-as-a-service offers.
The cyber criminals behind Scylex also claim that they’re working on adding new elements to the brand-new financial malware.
Here’s their “roadmap”:
Form grabber + Injects support on Microsoft Edge & Opera
Spreader (Social networks, PE Infection, Device propagation)
Reverse FTP (Silent file system ex-filtration) with backconnect
ATS-Engine (to-be integrated into web-injects)
Our own DDoS module (aimed for max efficiency/output like a specific DDoS bot)
Click Bot (CPM/PPC)
The creators pride themselves on having developed the malware from scratch, that is, without copying code from previously successful financial malware (“NOT A ZEUS/GOZI RIP-OFF!”).
What's more, their financial motivation for creating and selling Scylex is clear from their “open arms” policy: “It is good to take note, this Trojan is aimed at users who have a solid understanding of how to monetize their network. However! We accept even beginners, and offer support for all!”
It doesn't seem to matter to the sellers whether buyers actually know how to use Scylex or simply buy it for the fortunes it can supposedly make.
Either way their prophecy fulfils itself: they make money and increase their net worth.
Scylex is not a copy of ZBerp like the rest of the stuff on the market, but a banking Trojan written 99% from scratch in C++.
The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.
Do you want to make money, do you want to multiply your net-worth? Then our solution is the perfect one for you. It is good to take note, this Trojan is aimed at users who have a solid understanding of how to monetize their network. However! We accept even beginners, and offer support for all!
What is included in the package?
Stub size: 276kb (with all the below features) (!)
x86/x64 Injection through Heaven's Gate Selector
User-mode rootkit (x86/x64)
Formgrabber/Webinjects (IE[8-latest]/FF[22-latest]/Chrome[36-latest])
Socks5 reverse proxy with backconnect
* works around NAT, without admin privileges
HVNC (Hidden VNC) with backconnect (made from scratch! NOT A ZEUS/GOZI RIP-OFF! Works on XP to 10 + Servers)
* works on x86 & x64 OS, backconnect protocol is extremely fast, as well as on slow bandwidth
What will we add in the future?
Form grabber + Injects support on Microsoft Edge & Opera
Spreader (Social networks, PE Infection, Device propagation)
Reverse FTP (Silent file system ex-filtration) with backconnect
ATS-Engine (to-be integrated into web-injects)
We will write our own DDoS module (aimed for max efficiency/output like a specific DDoS bot)
Click Bot (CPM/PPC)
What is the cost?
All payments made are only 1 time. With this you will be provided support (6-8 hours a day), and will be entitled to updates and changes without extra cost.
Base license – video to-be added
7 500 USD – Includes Form grabber + Web injects (IE/FF/Chrome), x86/x64 user-mode rootkit, and download + execute process from memory
SOCKS5 – video to-be added
2 000 USD – Includes Socks5 extension, works around NAT filtering, with back-connect server
HVNC – https : [//] a.cocaine.ninja/vkkpew [.] mp4
10 000 USD – Includes the ONLY HVNC plugin that works on ALL versions of Windows, with a fast connection time, instant response to interaction from your end, works well even with slow bandwidths
* side note: with the addition of new features/plugins, this list will be updated accordingly!
Contact (OTR only)
option 1: sysenter@creep[.]im
option 2: andres22@firemail[.]cc
Submitted by psico via diggaman.net
Additional source material: heimdalsecurity