Security Software & Equipment Store

Friday, June 24, 2016

Banking Trojan "Marcher" Targets European Banks, GMail and PayPal

"Marcher", a threat offered on Russian underground forums since late 2013, currently retails for roughly $5,000. The malware initially focused on banks in Germany, but the list of targets was later expanded to include France, Poland, Turkey, the United States, Australia, Spain, Austria and others. IBM Security reported in early June that nine major banks in the UK had also been added to the list of targets.

Samples analyzed by PhishLabs this month target the customers of 66 companies, including 62 banks, Google email services and PayPal. IBM reported earlier this month that the United States was the sixth most targeted country, but PhishLabs said on Thursday that the Marcher samples it has analyzed don’t target the U.S. “Because the malware can be customized for each individual actor, it is possible that other Marcher samples may include different targets and regions. Expanded targeting seems likely in future based upon this capability,” PhishLabs researchers explained.

Depending on the cybercrime group that is using it, Marcher can be delivered via SMS messages, mobile adware, social media websites or spam emails. The newest samples analyzed by PhishLabs have been distributed as Adobe Flash Player installers. Similar to GM Bot and other Android banking Trojans, Marcher uses custom overlay screens to steal information from victims. While the Trojan has mostly targeted banking applications, it’s also capable of stealing user data from airline, payment, e-commerce and direct marketing apps.

How can this Russian malware be mitigated? Send your recommendations to the Cloud and Cyber Security Center:

