Security Alert: Scylex Financial Crime Kit, With Zeus-grade Capabilities
What a $7500 banking Trojan is advertised for on the Dark Web
“Do you want to make money, do you want to multiply your net-worth?”
This probably sounds like a question asked by someone looking to recruit you into a multi-level marketing scheme. But the authors are actually cyber criminals.
They’re currently advertising this proposition on Lampeduza, a notorious malicious hacker forum on the dark web. It is the same forum where malicious hackers sold card information stolen in the 2014 Target data breach.
From the looks of it, cyber criminals are trying to engineer the next big thing in financial malware. Their ambition is to replicate the impact that Zeus GameOver had a few short years ago. In their own words:
The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.
Scylex financial malware – a blended threat with a development roadmap
The person who posted the advertisement calls himself “Others” and the promoted crime kit is called Scylex. With a price tag of $7,500, Scylex packs multiple functionalities that make it sound like a complex and formidable threat:
- User-mode rootkit
- Web injects
- SOCKS5 reverse proxy with backconnect capabilities
- Works without administrator privileges
- Guaranteed to work even on slow Internet connections.
But the Scylex malware creators didn’t stop here. For a “mere” $2,000 more, clients can buy new and expanded functionalities. These include SOCKS5 (Socket Secure) support, which lets attackers route and manipulate data transfers between a user’s PC and a specific server through a proxy running on the infected machine.
The “premium” package costs $10,000 and adds an HVNC (Hidden Virtual Network Computing) module to the features above.
Hidden VNC is probably one of the most complicated malware features to code and essentially requires coders to implement their own window manager, which is why there are very few unique implementations in the wild (most malware uses a single implementation unimaginatively named HVNC).
Source: Hidden VNC for Beginners (useful read for those who want to understand the tech behind this tactic)
The packages include support (6-8 hours a day) and updates, just like most malware-as-a-service offers.
The cyber criminals behind Scylex also claim that they’re working on adding new elements to the brand-new financial malware. Here’s their “roadmap”:
- Form grabber + Injects support on Microsoft Edge & Opera
- Spreader (Social networks, PE Infection, Device propagation)
- Reverse FTP (Silent file system ex-filtration) with backconnect
- ATS-Engine (to-be integrated into web-injects), we will write our own
- DDoS module (aimed for max efficiency/output like specific ddos bot)
- Click Bot (CPM/PPC).
The creators pride themselves on having developed the malware from scratch, meaning they did not copy code from previously successful financial malware (“NOT A ZEUS/GOZI RIP-OFF!”).
What’s more, their financial motivation for creating and selling Scylex is clear from their “open arms” policy:
It is good to take note, this Trojan is aimed at users who have a solid understanding of how to monetize their network. However! We accept even beginners, and offer support for all!
It doesn’t seem to matter whether buyers know how to use Scylex or simply buy it on account of the fortunes it can potentially make. Either way, the sellers’ prophecy fulfils itself: they make money and increase their net-worth.
You can read the full Scylex advertisement below. It also links to a short demo video showing the financial malware in action against the banking colossus HSBC. Although the video link itself is harmless, we’ve sanitized it and included a screenshot from it:
What is Scylex?
It’s not a copy of ZBerp like the rest of the market. It is a banking Trojan written 99% from scratch in C++. The goal is to bring back to the scene what Zeus/SpyEye, Citadel, ZeroAccess left behind, and introduce a brand new solution as well.
Do you want to make money, do you want to multiply your net-worth?
Then our solution is the perfect one for you. It is good to take note, this Trojan is aimed at users who have a solid understanding of how to monetize their network. However! We accept even beginners, and offer support for all!
What is included in the package?
Stub size: 276kb (with all the below features)
- (!) x86/x64 Injection through Heaven’s Gate Selector
- User-mode rootkit (x86/x64)
- Formgrabber/Webinjects (IE[8-latest]/FF[22 – latest]/Chrome[36-latest])
- Socks5 reverse proxy with backconnect
  * works around NAT, without admin privileges
- HVNC (Hidden VNC) with backconnect (made from scratch! NOT A ZEUS/GOZI RIP-OFF! Works on XP to 10 + Servers)
  * works on x86 & x64 OS, backconnect protocol is extremely fast, as well as on slow bandwidth
What will we add in the future?
- Form grabber + Injects support on Microsoft Edge & Opera
- Spreader (Social networks, PE Infection, Device propagation)
- Reverse FTP (Silent file system ex-filtration) with backconnect
- ATS-Engine (to-be integrated into web-injects), we will write our own
- DDoS module (aimed for max efficiency/output like specific ddos bot)
- Click Bot (CPM/PPC)
What is the cost?
All payments made are only 1 time. With this you will be provided support (6-8 hours a day), and will be entitled to updates and changes without extra cost.
Base license – video to-be added
7 500 USD – Includes Form grabber + Web injects (IE/FF/Chrome), x86/x64 user-mode rootkit, and download + execute process from memory
SOCKS5 – video to-be added
2 000 USD – Includes Socks5 extension, works around NAT filtering, with back-connect server
HVNC – https : [//] a.cocaine.ninja/vkkpew [.] mp4
10 000 USD – Includes the ONLY HVNC plugin that works on ALL versions of Windows, with a fast connection time, instant response to interaction from your end, works well even with slow bandwidths
* side note: with the addition of new features/plugins, this list will be updated accordingly!
Contact (OTR only)
option 1: [redacted] option 2: [redacted]
Without further ado, I recommend to everyone that we stay safe and work only with escrow!
Financial malware beyond ransomware
Ransomware may be stealing the spotlight right now, but it doesn’t mean things will stay the same.
So far, Scylex hasn’t been spotted in the wild, so the claims made in the advertisement posted on the Lampeduza forum can’t be verified at the moment. However, both the video and the detailed description of what this new financial malware can do are strong indications that the crime kit may indeed be real.
If so, banks and other financial institutions could once again come face to face with a cyber threat capable of creating mayhem. And given that cyber criminals move incredibly fast in comparison to law-abiding institutions, that time may come soon.
Scylex is currently under monitoring and we will update this article if additional information surfaces. Until then, we recommend you read and apply our protection guide against financial malware. It works best if translated into action sooner rather than later.
*This article features cyber intelligence provided by CSIS Security Group researchers.