Sceptive has identified a new malware family, which we call SmallB, during an incident investigation. Initial analysis located the malware's C&C servers, but yielded no significant clue about the whereabouts or origins of the attackers. Through our contacts at the service providers, financial corporations and banks that the malware targeted, we observed that the C&C servers went down immediately, without a trace.
Its main targets are mostly Eastern European and Turkish financial institutions, including stock brokerage firms and commercial banks. SmallB injects content into login pages by various methods in order to bypass two-factor authentication, retrieve confidential information and gain access to account pages.
We observed the attackers using zero-day exploits, namely CVE-2015-3113 and CVE-2016-1001 for Adobe Flash Player and CVE-2016-0034 for Silverlight, served from the server side to install SmallB on victims' machines. SmallB also uses attacks on the RDP protocol to spread from one victim to another, and it copies itself to shared folders and other drives so that it is incidentally run by other victims.