Lately, I’ve been coming across several websites that infect computers with the Trojan Trj/Snatch by using exploits.
This malware not only monitors the passwords entered on the websites accessed by the user, but also has rootkit functionality in order to remain hidden.
Like most malware kits that are for sale, it consists of two parts: a component that generates the server files used to infect computers, and a web component, usually hosted on a server, which specifies the websites to monitor and receives the information harvested from the infected computers.
The author of this malware can access it via the web in order to configure the data. This is the screen that is usually displayed in order to log in:
These are the URLs that the Trojan is monitoring from 3 different servers:
So you don't need to change the Trojan in order to update the entities that are being monitored; just changing the URL is enough!