Cyber criminals plan attack on major U.S. banks

05.10.2012

"It could be a hoax. The gang could want to make a quick profit by signing people up and getting a startup fee," Ahuvia said. "But I personally believe from my experience in looking at the underground...[that] they just want to leverage their Trojan, which they have worked really hard in developing and perfecting."

The gang is promising to train people in the use of the malware, which RSA calls Gozi Prinimalka, a name derived from the Russian word meaning "to receive." To protect the criminals' intellectual property, accomplices would be able to use the Trojan but won't be given the compiler necessary to build new executable files. Those files would come from the gang as anti-virus vendors discover and block older ones.

While the gang is capable of running its own money-stealing botnet, Ahuvia believes it's looking for partners to make the operation harder to stop and to build a much larger and more profitable network than the gang could create on its own. The upcoming operation could involve hundreds of thousands of compromised PCs, compared to only 50,000 used in the past by the Hangup Team, she said.

The scheme involves buying space on networks of compromised websites where the Trojan can be downloaded when someone visits the site or clicks on a fake ad, Ahuvia said. Once on a PC, the malware creates two files: an executable and a data file for storing the system's IP addresses, installed software and other information.

The data would enable the gang's partners to create a replica of the victim's system on a virtual machine. After stealing the person's user ID and password, the scammers can visit a bank site and use the replica to make the bank believe the customer is returning from a known device.
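The defensive lesson in the two paragraphs above is that a "returning device" check built only from attributes the malware can read off the host (OS, browser, installed software, IP address) cannot tell a replica from the real machine. The following added example, which is not code from the article, from RSA, or from the gang described, models both a bank that recognises devices by attribute fingerprint alone and a hardened variant that additionally binds the device to a server-issued token rotated on every login. All names, profiles and the key material are constructed for illustration; the point it demonstrates is that a snapshot taken at one moment cannot reproduce a token issued afterwards, so whichever of the victim or the replica logs in second presents a retired token and the clone is detected.

```python
"""Toy model of bank-side device recognition (added example, constructed data)."""
import hashlib
import secrets

# Constructed profile standing in for what the Trojan's data file would record.
VICTIM_PROFILE = {
    "os": "Windows 7",
    "browser": "IE 9.0",
    "software": "Adobe Reader 9;Java 6",
    "ip": "203.0.113.7",          # TEST-NET-3 address, constructed
}


def profile_hash(profile: dict) -> str:
    """Fingerprint a device from its observable attributes, order-independent."""
    canon = "|".join(f"{k}={profile[k]}" for k in sorted(profile))
    return hashlib.sha256(canon.encode()).hexdigest()


class AttributeOnlyBank:
    """Weak check: a device is 'returning' if its attribute fingerprint is known."""

    def __init__(self):
        self.known = {}  # user -> set of fingerprints

    def enrol(self, user, profile):
        self.known.setdefault(user, set()).add(profile_hash(profile))

    def login(self, user, password_ok, profile):
        if not password_ok:
            return "deny"
        if profile_hash(profile) in self.known.get(user, set()):
            return "allow"          # replica and real machine are indistinguishable
        return "step-up"            # unknown device: require a second factor


class TokenBoundBank:
    """Hardened check: recognition also needs a server-issued token that rotates on
    every successful login; replaying a retired token exposes a cloned device."""

    def __init__(self):
        self.current = {}   # (user, fingerprint) -> token currently valid
        self.retired = set()

    def _issue(self, user, fp):
        tok = secrets.token_hex(16)
        self.current[(user, fp)] = tok
        return tok

    def enrol(self, user, profile):
        return self._issue(user, profile_hash(profile))

    def login(self, user, password_ok, profile, token):
        if not password_ok:
            return "deny", None
        key = (user, profile_hash(profile))
        if token is not None and token in self.retired:
            # Token already rotated away: someone holds a copy of this device's state.
            self.current.pop(key, None)
            return "clone-detected", None
        if token is not None and self.current.get(key) == token:
            self.retired.add(token)
            return "allow", self._issue(user, key[1])   # rotate on every use
        return "step-up", None


def run_scenario():
    """Victim logs in first, then the replica replays the stolen snapshot and token."""
    weak = AttributeOnlyBank()
    weak.enrol("alice", VICTIM_PROFILE)
    stolen_snapshot = dict(VICTIM_PROFILE)               # contents of the data file
    weak_result = weak.login("alice", True, stolen_snapshot)

    strong = TokenBoundBank()
    tok0 = strong.enrol("alice", VICTIM_PROFILE)
    stolen_token = tok0                                  # malware copies the token too
    r_victim, _tok1 = strong.login("alice", True, VICTIM_PROFILE, tok0)
    r_replica, _ = strong.login("alice", True, stolen_snapshot, stolen_token)
    return weak_result, r_victim, r_replica


def run_scenario_attacker_first():
    """Replica logs in before the victim: the first use succeeds, the victim's
    next login then trips the clone check, which is the moment to alert."""
    strong = TokenBoundBank()
    tok0 = strong.enrol("alice", VICTIM_PROFILE)
    r_replica, _ = strong.login("alice", True, dict(VICTIM_PROFILE), tok0)
    r_victim, _ = strong.login("alice", True, VICTIM_PROFILE, tok0)
    return r_replica, r_victim


if __name__ == "__main__":
    print(run_scenario())                 # ('allow', 'allow', 'clone-detected')
    print(run_scenario_attacker_first())  # ('allow', 'clone-detected')
```

The rotation scheme detects a clone rather than preventing its first use, so in practice the "clone-detected" outcome should invalidate the session, lock the device binding for that customer, and raise a fraud alert; attribute fingerprints remain useful as a risk signal but not as proof that the customer is returning.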