Fortscale’s Latest Discovery “R0b1N H00d” Malware Does Pretty Much Exactly What You’d Think

San Mateo, CA – April 1, 2016 – Researchers at Fortscale, the security pioneer in machine-learning user behavior analytics (UBA), issued warnings to major online banking and payment customers of the emergence of a new class of malware making the rounds among disgruntled insiders. The trojan, which is commented inside the code as “R0b1N H00d”, triggers small cash transfers to charitable organizations without the user’s knowledge. In most cases the transfers are small – under $2 – and tag themselves as “ATM fees” or “Account Verification transactions”. But when the Trojan encounters accounts with high activity or top 1% balances, the malware-triggered donations jump in size, in some cases to over $500 apiece.

“We thought something was fishy,” said Gloria Stivic, executive director at the American Inner City Schools Foundation. “All of a sudden our account was getting hundreds of these incoming one- and two-dollar deposits signed ‘R0b1N H00d’. And then the bigger ones started to come in, from folks we’ve never seen before on our mailing lists. At first, we thought it was social-media driven – I mean, our kids are in desperate need, and we could really use the cash. But the money kept coming in, and since we don’t have a security team of our own, we asked around, and eventually got pointed to the insider threat experts at Fortscale. They figured it out.”

At least two dozen charities across the United States and Canada have reported receiving similar ‘R0b1N H00d’ donations in the past three weeks. Whoever the malware coder(s) are, they seem to prefer progressive causes. While online forums indicate donations to Planned Parenthood, the American Civil Liberties Union and the Human Rights Campaign, traditionally conservative causes including the National Rifle Association, Focus on the Family and the Heritage Foundation haven’t been sharing in the spoils.

Like other sophisticated malware, the new Trojan seems to have been deployed by insiders with privileged credentials, leveraging chunks of code from APTs like Stuxnet and Flame to traverse network boundaries and quickly proliferate to other devices. Fortscale researchers said the malware is surprisingly sophisticated when it comes to targeting investment bankers, venture capitalists and celebrity bad-boys. The Trojan usually lies dormant. But when its code finds indications of high net worth, the malware detonates and begins small automated transfers to a predetermined list of charities. If smaller transactions succeed, progressively larger transactions are attempted.

The evolution of insider-deployed malware has closely paralleled the rise of “shadow IT” and the relative newness of internal monitoring systems like Fortscale’s User Behavior Analytics platform. But experts say insider threats are proliferating at least twice as fast as external malware did in the 2000s.

“Most insider Trojans we’ve seen are looking to make money,” said Fortscale CEO Idan Tendler. “This is the first example of ‘guerilla charity’ code that we’ve seen – and it probably won’t be the last.”

Individuals who think they might already be infected can download a free utility that will scan their workstation for R0b1N H00d and remove it, if found.

About Fortscale

Fortscale ends insider threats with a totally new generation of rule-free, autonomous behavior analytics based on machine learning. With no rules to set up, Fortscale’s user behavior analytics engine starts getting smarter the second you turn it on. Fortscale models your users and systems autonomously, on-the-fly. Fortscale spots anomalous behavior quickly and accurately, and doesn’t need constant “babysitting.” The company is backed by Intel and Blumberg Capital. Fortscale ends insider threats, lowers analyst stress levels and makes your whole security operation work a whole lot better. For more information, visit

Analyzed R0b1N H00d Samples  |  R0b1N H00d Behavioral Analysis

Download R0b1N H00d Malware Removal Tool

Media Contact
Donna Loughlin-Michaels

First-generation (rule-dependent) UBA systems suck. So I built a better one. Occasionally I blog . . .