ESET finds that the Remtasu malware, spread via piracy websites, has expanded from compromising online banking to stealing Facebook passwords.
ESET has been tracking the cunning Remtasu malware for well over a year now. What was initially malware that mainly targeted digital certificates, in many cases those used by online banking, has now also been found snooping after people’s Facebook login details.
Win32/Remtasu is a Trojan that steals sensitive information, notably by using a keylogger. The latest variant also has the specific feature of reading whatever the user currently has in their clipboard. As well as accessing this data, the malicious code captures keystrokes and stores all the information in a file, which is subsequently sent to an FTP server, where the cybercriminals can analyse and abuse the captured victim’s data.
In the first weeks of 2016, ESET has witnessed 24 different variants of this family of malicious code being spread. Although the current malware is from the same family as the one encountered last year, the way it is being spread is different. We are no longer seeing propagation through e-mail; instead, infections originate from direct-download sites (usually offering pirated content). Once a user downloads and executes the infected file, their data is compromised.
ESET warns that although security software can help by detecting malicious content that attempts to download itself (ESET detects the Win32/Remtasu family of malware), being careful about what you click on will always provide further protection against such threats.
by Camilo Gutiérrez Amaya, ESET Latin America and Urban Schrott, ESET Ireland