Bolek malware– the latest generation of financial Trojan

October 24, 2016
financial Trojan

Bolek malware is a new generation of financial trojan with an increased level of sophisitcation and stealth. Bolek was documented by the Polska CERT team in 2016 and named after a local cartoon character – “Bolek”, but this is no children’s show. Bolek’s primary function is targeting banks to steal login credentials from online banking applications.

Stealth Mode

When Bolek executes on the infected PC the malware creates a randomly-named file folder in the Windows System32 directory and places three files in it. These files include a randomly-named .exe (a system app copied from system32), a .dll (imported by the exe at first runtime), and another file with a different, also random, file extension. The malware modifies the DLL by injecting malicious code into DllEntryPoint and other functions and leverages the legitimacy of the executable and its imported .dll for persistence. This provides the financial Trojan a high degree of stealth.

The Bolek malware has a unique and worrisome route to infect new users. It has been widely documented that Bolek can be configured to become a worm. This gives the financial Trojan a unique ability to self-propagate from device to another. Features of the new malware are also broadened to target both 32-bit and 64-bit versions of Windows giving this trojan a wide target audience.

indexBolek malware has evolved from two precursors – Carberp and Zeus malware, so it has a good family pedigree! Both Zeus and Carberp source code was leaked into the public domain in 2012 and 2013 respectively. This has afforded the malware developers a great opportunity to build the latest family of arsenal.

Carpberp stealth function was copied to develop Bolek’s system for customizing the virtual file system used to hide key files from on-board security systems. Zeus web injection mechanism was copied to provide Bolek an ability to hijack browser processes and compromise entire webpages when users visit online banking portals.

The Bolek web injection function is bolstered via traffic interception, the ability to take screenshots and execute keyloggings.

Bolek secures it’s communication with the C2 server via a reverse remote desktop protocol (RDP) connection. The malware can also import persistent .dll files to trick devices into accepting the code as legitimate.

About the author

Leave a Reply