Online banking trojan Swatbanker has been brought into play in a second round of attacks against the German Bundestag, reports security software firm G DATA.
Investigation of the configuration files embedded in the malware has revealed that the Swatbanker botnet integrated new filter functions for the domain "Bundestag.btg" – the address of the German parliament's intranet – between 8 and 10 June 2015.
"We've seen Swatbanker a lot in Europe and especially in Germany. Attackers use German top companies really as bait," G DATA security evangelist Eddy Willems told El Reg.
It's unclear if this is a criminally motivated attack or a continuation of attacks that began at the end of May 2015. These have been blamed on Russia and are thought to be politically motivated, following Germany's support of Ukraine.
If Windows PCs infected with the Swatbanker banking trojan access the Bundestag intranet, all of the data entered into forms – plus data about the browser and the last websites visited – is transferred to the attackers. Server responses would also form part of the exfiltrated data.
German language speakers can find more details of the attacks on the German Federal Parliament (Bundestag) on the G DATA security blog.
Chancellor Angela Merkel was the main target, or at least among the first victims, of the attack on the Bundestag, according to German tabloid Bild.
Some German media warned that the Bundestag network needs to be rebuilt in the wake of the attack, but, as El Reg previously reported, these warnings seem to be more than a tad alarmist and not reflective of the situation on the ground. ®