Anatomy of an hVNC Attack

This post was co-authored with IBM X-Force researcher Lior Keshet.
---

Top-tier financial malware such as Dridex, Neverquest and Gozi offers a wide range of malicious capabilities, including form-grabbing, screen capture and web injections. One notable capability is the hidden virtual network computing (hVNC) module, which gives attackers user-grade interactive access to an infected PC. It is no secret that banking Trojans contain remote control capabilities, but how exactly they operate them is not well known.

Hidden virtual network computing is a tactical means for malware to control a machine without the victim’s knowledge. To illustrate, we will use our detailed technical analysis of the Gozi Trojan’s hVNC module.

VNC Basics

To understand how hidden VNC works, let's start with a simplified view of the VNC model. A VNC session has two parts: a server, which shares a desktop and accepts keyboard and mouse input, and a client, which displays that desktop and sends the input. In this case, the server runs on the victim's computer and the client is operated by the attacker.
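To make that client/server split concrete, the following Python script (an added example written for this edit, not code from the original article or from the Gozi analysis) simulates the opening RFB handshake that every VNC session starts with, as laid out in RFC 6143, with both ends talking over a local socket pair: the server announces its protocol version and security types, the client picks one, and the server then describes the desktop it is sharing. The desktop size, the desktop name and the choice of the "None" security type are constructed sample values, not anything observed in the malware.

```python
import socket
import struct
import threading

# Constructed example: a minimal RFB (VNC protocol) handshake between a
# "server" (the victim's host, which owns the framebuffer) and a "client"
# (the attacker's viewer). Message layouts follow RFC 6143; the desktop
# geometry and name below are made-up sample values.

RFB_VERSION = b"RFB 003.008\n"      # 12-byte ProtocolVersion message
SEC_NONE = 1                        # security type "None" (no authentication)

# Hypothetical desktop parameters advertised by the example server
DESKTOP_WIDTH, DESKTOP_HEIGHT = 1024, 768
DESKTOP_NAME = b"hidden-desktop"

# 16-byte PIXEL_FORMAT: bpp, depth, big-endian flag, true-colour flag,
# red/green/blue max (3 x u16), red/green/blue shift (3 x u8), 3 bytes padding
PIXEL_FORMAT = struct.pack("!BBBBHHHBBB3x", 32, 24, 0, 1, 255, 255, 255, 16, 8, 0)


def recv_exact(sock, n):
    """Read exactly n bytes or raise, so a truncated message is never misparsed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def rfb_server(sock):
    """Victim side: advertise the protocol, offer security types, describe the desktop."""
    sock.sendall(RFB_VERSION)
    client_version = recv_exact(sock, 12)
    if client_version != RFB_VERSION:
        raise ValueError("unsupported client version %r" % client_version)
    # Security handshake: offer exactly one type, "None"
    sock.sendall(struct.pack("!BB", 1, SEC_NONE))
    chosen = recv_exact(sock, 1)[0]
    if chosen != SEC_NONE:
        raise ValueError("client chose unknown security type %d" % chosen)
    sock.sendall(struct.pack("!I", 0))            # SecurityResult: OK
    shared_flag = recv_exact(sock, 1)[0]          # ClientInit (shared-flag)
    server_init = (struct.pack("!HH", DESKTOP_WIDTH, DESKTOP_HEIGHT)
                   + PIXEL_FORMAT
                   + struct.pack("!I", len(DESKTOP_NAME)) + DESKTOP_NAME)
    sock.sendall(server_init)                     # ServerInit
    return shared_flag


def rfb_client(sock):
    """Attacker side: negotiate version and security, then learn the desktop geometry."""
    server_version = recv_exact(sock, 12)
    if not server_version.startswith(b"RFB "):
        raise ValueError("not an RFB server")
    sock.sendall(RFB_VERSION)
    count = recv_exact(sock, 1)[0]
    if count == 0:
        # Server rejected the connection; a reason string follows (u32 length + text)
        reason_len = struct.unpack("!I", recv_exact(sock, 4))[0]
        raise ConnectionError(recv_exact(sock, reason_len).decode("latin-1"))
    types = recv_exact(sock, count)
    if SEC_NONE not in types:
        raise ValueError("server requires authentication: %r" % types)
    sock.sendall(bytes([SEC_NONE]))
    if struct.unpack("!I", recv_exact(sock, 4))[0] != 0:
        raise ConnectionError("security handshake failed")
    sock.sendall(b"\x01")                         # ClientInit: shared-flag = 1
    width, height = struct.unpack("!HH", recv_exact(sock, 4))
    pixel_format = recv_exact(sock, 16)
    name_len = struct.unpack("!I", recv_exact(sock, 4))[0]
    name = recv_exact(sock, name_len)
    return {"width": width, "height": height, "name": name.decode("latin-1"),
            "bits_per_pixel": pixel_format[0]}


def _server_thread(sock, result):
    try:
        result["shared"] = rfb_server(sock)
    finally:
        sock.close()   # on failure this unblocks the client with a ConnectionError


def run_handshake():
    """Drive both ends over a local socket pair; return the client's view of the server."""
    server_sock, client_sock = socket.socketpair()
    result = {}
    t = threading.Thread(target=_server_thread, args=(server_sock, result))
    t.start()
    try:
        info = rfb_client(client_sock)
    finally:
        t.join()
        client_sock.close()
    info["shared_flag"] = result["shared"]
    return info


if __name__ == "__main__":
    print(run_handshake())
```

The example offers only the "None" security type so that it runs without any keys or passwords; a legitimate VNC server would advertise an authenticating type instead. The point to take from the exchange is where the framebuffer lives: the server end, on the victim host, is the one describing the desktop and later shipping its pixels, which is exactly the role an hVNC module takes on.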

Read the full technical analysis of how we broke the Ursnif (Gozi) malware's hVNC module in the complete post.
