Bolek is a banking trojan that is considered a successor to the Carberp and Zeus trojans. It targets 32-bit and 64-bit Windows systems and implements advanced features, including credential theft, web injections, keylogging, and traffic interception. By intercepting function calls, Bolek can intercept traffic in the Chrome, Internet Explorer, Mozilla Firefox, and Opera browsers. Unlike most trojans, Bolek has worm-like capabilities and can self-propagate from one system to another. Its operators can update the malware to change its behavior as their needs require. The malware communicates with a C2 server over HTTP POST requests encrypted with 128-bit AES in CBC mode. All transmitted data is encrypted with a special algorithm and then compressed using the zlib library. Each time the malware infects a PC, it creates a randomly named folder in the Windows System32 directory containing an .exe file, a .dll file, and a file with a random extension. The malware mainly targets Russian banks, but it has also been spotted in some attacks against Polish users.
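The folder layout described above can be used as a triage heuristic. The following is an added example, not code from this page or from any vendor: it flags subfolders of a given root that hold exactly one .exe, one .dll (assumed to be the library file's extension) and one file with some other extension. The sample folder and file names are constructed, and a match is only a lead for further analysis, since legitimate folders can share this shape.

```python
import os


def classify_folder(path):
    """Return a finding if `path` holds exactly the three-file layout, else None."""
    try:
        with os.scandir(path) as it:
            entries = list(it)
    except OSError:  # unreadable folder: skip it rather than abort the sweep
        return None
    if len(entries) != 3 or any(e.is_dir(follow_symlinks=False) for e in entries):
        return None
    exts = [os.path.splitext(e.name)[1].lower() for e in entries]
    # The third file must carry some extension other than .exe/.dll.
    others = [x for x in exts if x and x not in (".exe", ".dll")]
    if exts.count(".exe") == 1 and exts.count(".dll") == 1 and len(others) == 1:
        return {"folder": path, "files": sorted(e.name for e in entries)}
    return None


def hunt(root):
    """Check each immediate subfolder of `root` (on a live host: System32)."""
    findings = []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                hit = classify_folder(entry.path)
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["folder"])


def build_sample_tree(base):
    """Constructed test data: one matching folder and three non-matching ones."""
    layout = {
        "qwmzkd": ["xkqpa.exe", "rrtb.dll", "hcvd.zqx"],    # matches the layout
        "drivers": ["a.sys", "b.sys"],                      # wrong file types
        "config": ["x.exe", "y.dll"],                       # only two files
        "mix": ["a.exe", "b.dll", "c.dat", "d.txt"],        # too many files
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "wb").close()
    return base
```

On a live system, `hunt` would be pointed at the System32 directory from an elevated session; here `build_sample_tree` lets it run offline against constructed data.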


  • June 2016: Article on Bolek's self-spreading capability. (Softpedia)

Technical Details

  • Arbor Networks provides technical details on the Bolek trojan.