CERT Polska (the Polish national CERT) published a blog post this week describing a new banking malware strain dubbed VBKlip. The bot uses neither network communication nor registry entries, and it targets Polish online banking users.
As you might have guessed, this new strain is written in VB.NET, which has been criticized in the malware coding community for years. None of the three samples that they were able to obtain were recognized by any of the antivirus solutions provided on VirusTotal. This is what makes the threat particularly dangerous to users. The new malware is distributed as “Adobe Flash Player” and uses the same icon as Adobe’s installer.
This is how it works:
“This edition of VBKlip is very simple. First, it creates a Form, which has one of the dimensions set to zero. It also sets “ShowInTaskbar to false”, which leads to the malware not being visible in the system, unless users open the Task Manager.
Next, it uses the “Microsoft.VisualBasic.MyServices.ClipboardProxy” class in order to manipulate the content of the Windows Clipboard. Every second (with the help of “Timer” class) it compares the contents of clipboard to two Visual Basic regular expressions: “##########################” or “## #### #### #### #### #### ####”. This is a standard format of Bank Account Numbers used in Poland. If the content matches any of these regular expressions, it is substituted with another bank account number which is simply hardcoded in the application itself. This is the whole functionality of this malware.”
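The behaviour quoted above leaves one observable trace: an account-shaped clipboard value is replaced by a different account-shaped value within about a second. The following detection sketch is an added example, not code from CERT Polska or from the malware; the function names, the two-second window and the sample clipboard log are constructed assumptions, and the 26-digit length is that of a Polish account number (NRB).

```python
import re

# VB "Like" patterns from the quoted description: '#' matches one digit.
# A Polish account number (NRB) has 26 digits, so the unspaced form is 26 '#'.
VB_PATTERNS = ["#" * 26, "## #### #### #### #### #### ####"]

def like_to_regex(pattern):
    """Translate the '#'-only subset of VB Like syntax into a regex."""
    return re.compile("".join(r"\d" if ch == "#" else re.escape(ch) for ch in pattern))

ACCOUNT_RES = [like_to_regex(p) for p in VB_PATTERNS]

def account_digits(text):
    """Return the 26 digits if text is account-number shaped, else None."""
    if any(rx.fullmatch(text) for rx in ACCOUNT_RES):
        return text.replace(" ", "")
    return None

def find_swaps(samples, window=2.0):
    """Flag an account-shaped value replaced by a different one within `window` seconds.

    samples: (timestamp_seconds, clipboard_text) pairs in time order.
    The window is a heuristic (assumption): people rarely copy two different
    account numbers within two seconds of each other.
    """
    alerts = []
    first_seen, current = None, None
    for ts, text in samples:
        acct = account_digits(text)
        if acct and current and acct != current and ts - first_seen <= window:
            alerts.append((ts, current, acct))
        if acct != current:  # remember when the present value first appeared
            first_seen, current = ts, acct
    return alerts

# Constructed clipboard log; the account numbers are made up.
SAMPLES = [
    (0.0, "invoice 2013/10"),
    (5.0, "11 2222 3333 4444 5555 6666 7777"),   # user copies the payee account
    (6.0, "99888877776666555544443333"),         # different account one second later
    (40.0, "hello"),
    (50.0, "11 2222 3333 4444 5555 6666 7777"),
    (51.0, "11222233334444555566667777"),        # same digits reformatted: no alert
]

if __name__ == "__main__":
    for ts, old, new in find_swaps(SAMPLES):
        print(f"t={ts}: clipboard account {old} replaced by {new}")
```

Because accounts are compared as bare digits, a legitimate reformat between the spaced and unspaced layouts does not raise an alert.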