Anatomy of an hVNC Attack
This post was co-authored with IBM X-Force researcher Lior Keshet.
---
Top-tier financial malware like Dridex, Neverquest and Gozi offer a wide range of malicious capabilities, such as form-grabbing, screen capture, webinjections and more. One notable capability is the hidden virtual network computing (hVNC) module, which allows attackers to gain user-grade access to an infected PC. It’s no secret that banking Trojans contain remote control capabilities, but how exactly they operate them is not well-known.

Hidden virtual network computing is a tactical means for malware to control a machine without the victim’s knowledge. To illustrate, we will use our detailed technical analysis of the Gozi Trojan’s hVNC module.
VNC Basics
To understand how hidden VNC works, let’s look at an abstract of the VNC model. A VNC connection is composed of two parts: a server and a client. In this case, the server is the victim’s computer and the client is the attacker’s machine.
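To make the server/client split concrete, here is an added example (not code from the original post, and not Gozi's hVNC module) of the opening exchange between a VNC server and a VNC client, following the public RFB 3.8 protocol and run over an in-process socket pair so both sides' messages are visible. The framebuffer size and the desktop name are made-up values. The parse_rfb_banner helper is the check a network analyst would apply to the first 12 bytes of a flow to recognise stock VNC; as a caveat that the post itself does not make, a malware-authored hVNC module need not send that banner, so its absence proves nothing.

```python
import socket
import struct
import threading

RFB_VERSION = b"RFB 003.008\n"   # 12-byte ProtocolVersion message, RFB 3.8
SEC_NONE, SEC_VNC_AUTH = 1, 2    # security-type numbers from the RFB spec


def parse_rfb_banner(data):
    """Return (major, minor) if data is an RFB ProtocolVersion banner, else None.
    The banner is the first thing a stock VNC server writes on a new connection,
    so it is the cheapest on-the-wire indicator of plain VNC traffic."""
    if len(data) != 12 or data[:4] != b"RFB " or data[7:8] != b"." or data[11:12] != b"\n":
        return None
    try:
        return int(data[4:7]), int(data[8:11])
    except ValueError:
        return None


def recv_exact(sock, n):
    """Read exactly n bytes; RFB handshake messages are fixed-size, so a short read is an error."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def rfb_server(sock, width=1024, height=768, name=b"victim-desktop"):
    """Server side (the controlled machine). Sends the banner, offers security types,
    reports SecurityResult, then describes the framebuffer in ServerInit.
    Only the 'None' security type is offered here to keep the example short;
    width, height and name are constructed sample values."""
    sock.sendall(RFB_VERSION)
    client_version = recv_exact(sock, 12)
    sock.sendall(bytes([1, SEC_NONE]))                 # count=1, then the list of types
    chosen = recv_exact(sock, 1)[0]
    if chosen != SEC_NONE:
        sock.sendall(struct.pack(">I", 1))             # SecurityResult 1 = failed
        return {"client_version": client_version, "ok": False}
    sock.sendall(struct.pack(">I", 0))                 # SecurityResult 0 = OK
    shared = recv_exact(sock, 1)[0]                    # ClientInit: shared-desktop flag
    # ServerInit: width u16, height u16, 16-byte PIXEL_FORMAT, name-length u32, name
    pixel_format = struct.pack(">BBBBHHHBBBxxx", 32, 24, 0, 1, 255, 255, 255, 16, 8, 0)
    sock.sendall(struct.pack(">HH", width, height) + pixel_format
                 + struct.pack(">I", len(name)) + name)
    return {"client_version": client_version, "shared": shared, "ok": True}


def rfb_client(sock):
    """Client side (the operator). Mirrors the server: read the banner, answer with ours,
    pick a security type, check SecurityResult, send ClientInit, parse ServerInit."""
    version = parse_rfb_banner(recv_exact(sock, 12))
    if version is None:
        raise ValueError("not an RFB server")
    sock.sendall(RFB_VERSION)
    count = recv_exact(sock, 1)[0]
    if count == 0:                                     # server refused: u32 length + reason string
        reason_len = struct.unpack(">I", recv_exact(sock, 4))[0]
        raise RuntimeError(recv_exact(sock, reason_len).decode(errors="replace"))
    types = list(recv_exact(sock, count))
    if SEC_NONE not in types:
        raise RuntimeError(f"no supported security type in {types}")
    sock.sendall(bytes([SEC_NONE]))
    if struct.unpack(">I", recv_exact(sock, 4))[0] != 0:
        raise RuntimeError("security handshake failed")
    sock.sendall(b"\x01")                              # ClientInit: shared=1
    width, height = struct.unpack(">HH", recv_exact(sock, 4))
    recv_exact(sock, 16)                               # PIXEL_FORMAT, not needed further here
    name_len = struct.unpack(">I", recv_exact(sock, 4))[0]
    name = recv_exact(sock, name_len)
    return {"server_version": version, "framebuffer": (width, height), "name": name}


def run_handshake():
    """Drive both ends over an in-process socket pair and return what each side learned."""
    srv, cli = socket.socketpair()
    out = {}

    def serve():
        try:
            out["server"] = rfb_server(srv)
        finally:
            srv.close()

    t = threading.Thread(target=serve)
    t.start()
    try:
        out["client"] = rfb_client(cli)
    finally:
        cli.close()
    t.join()
    return out


if __name__ == "__main__":
    print(run_handshake())
```

Everything after ServerInit (framebuffer updates, pointer and key events) is what the attacker actually uses to drive the desktop; the handshake above is only what establishes the session, and it is the part that looks identical whether the server is a legitimate VNC install or a module hidden inside a Trojan.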
Check out all the details and read how we broke the Ursnif (Gozi) malware's hVNC module in the full post.