God horses are floating clouds: The story of a Chinese banker Trojan
In China these days, e-commerce has become an important part of daily life, especially among young people. According to a report from CNNIC (China Internet Network Information Center), the number of Chinese e-commerce users reached 242 million at the end of December 2012. This is nearly half of all Chinese internet users.
Because of this, many Chinese cyber-criminals have changed their business from stealing QQ numbers or virtual assets in online games to stealing money during online trading. In October, People’s Daily, the official newspaper of the Communist Party of China, reported that a group of cyber-criminals had been arrested in connection with a Trojan targeting e-commerce users. The Trojan, detected by Kaspersky Lab as trojan-Banker.Win32.Bancyn.a, was named ‘Floating Cloud’, and was used to steal several million dollars from e-commerce users.
The name ‘Floating Cloud’, ‘浮云’ in Chinese, comes from a saying that is very popular among Chinese internet users: ‘神马都是浮云’. The literal translation is ‘God horses are always floating clouds’, which means that everything drifts away in haste like floating clouds. Here, however, the floating cloud is not a God horse but a Trojan horse. ‘Floating Cloud’ was written in the Easy programming language, in which programs can be written entirely in Chinese.
To distribute the Trojan, the cyber-criminals often masquerade as sellers. When the customer (the target) asks for information about the merchandise, they send a zip archive with a name like ‘detail information’ which purports to contain a few pictures of the merchandise. Among these pictures, however, there is an executable file carrying an image-file icon. If the customer wants to take a look at this ‘picture’ and double-clicks it, the Trojan runs.
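The lure described above (an archive of ‘pictures’ in which one entry is really an executable) can be caught before a user ever sees an icon, by checking each archive entry's real file type against the name it carries. The following is an added example written for this article, not code from Kaspersky Lab or from the Trojan; the archive it scans is constructed inline with dummy JPEG and PE headers, and the file names, extension lists and the `scan_archive` helper are assumptions for illustration.

```python
import io
import struct
import zipfile

# Constructed sample data (not from any real sample): a minimal JPEG header
# and a minimal PE header (MZ stub, e_lfanew at 0x3c pointing at "PE\0\0").
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PE_HEADER = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"

# Extensions Windows will execute, and extensions a victim would read as an image.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def build_sample_archive() -> bytes:
    """Build a constructed 'detail information' archive: three decoy pictures
    and one executable disguised with an image-like double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("detail information/photo1.jpg", JPEG_HEADER)
        zf.writestr("detail information/photo2.jpg", JPEG_HEADER)
        zf.writestr("detail information/photo3.jpg.exe", PE_HEADER)  # the lure
        zf.writestr("detail information/photo4.jpg", PE_HEADER)      # wrong magic
    return buf.getvalue()


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_archive(data: bytes) -> list:
    """Return a list of {'name', 'reasons'} for entries whose real type
    disagrees with the name they present to the user."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]   # all extensions, in order
            head = zf.open(info).read(1024)                  # only the header is needed
            reasons = []
            if exts and exts[-1] in EXEC_EXTENSIONS:
                reasons.append("executable extension")
                if any(e in IMAGE_EXTENSIONS for e in exts[:-1]):
                    reasons.append("image extension before executable extension")
            if is_pe(head) and (not exts or exts[-1] not in EXEC_EXTENSIONS):
                reasons.append("PE header but non-executable extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

The check deliberately looks at both the name and the content: the double extension catches the classic ‘photo.jpg.exe’ trick even when Windows hides the last extension, and the PE signature check catches an executable that has been renamed to a pure image extension and would be launched by some other means. A mail or chat gateway can apply the same two tests to any archive before it reaches the customer.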