Thursday, March 9, 2017

Banking Malware

Financial institutions have dealt with banking trojans for more than a decade, and the number of trojans targeting online banking transactions has increased dramatically during this span. This increase represents a challenge to financial institutions and their customers. Although banks have evolved their security measures to protect online transactions from fraud, attackers quickly adapt to these countermeasures and respond with sophisticated banking botnets.
 
Many banking trojans are used for the same purposes, although not all banking trojans are created equal. Some botnets possess sophisticated plugin-based engines, while others are primitive yet effective. Furthermore, the banking botnets' architecture ranges from a single centralized command and control (C2) server to a decentralized peer-to-peer (P2P) network.
Figure 1. Percentage of banking malware by botnet in 2013. (Source: Dell SecureWorks)
How to detect the ZeuS Banking Trojan on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection.
 
With Administrator rights:
 
%systemroot%\system32\sdra64.exe (malware)
%systemroot%\system32\lowsec
%systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
%systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
%systemroot%\system32\lowsec\local.ds (encrypted configuration file)
 
Without Administrator rights:
 
%appdata%\sdra64.exe
%appdata%\lowsec
%appdata%\lowsec\user.ds
%appdata%\lowsec\user.ds.lll
%appdata%\lowsec\local.ds
 
ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
From:
"Userinit" = "C:\WINDOWS\system32\userinit.exe"
To:
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
 
Without Administrator rights:
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Add:
"Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"
 
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities.
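The artifact list above can be turned into a host check. The following is an added example, not code from the original post: it builds the expected file paths for both install variants, flags any program other than userinit.exe in the Winlogon Userinit value (the change described above), and on a Windows host reads the live registry; the environment mapping and the path-existence callback are parameters so the logic can be exercised on constructed input.

```python
import ntpath
import sys

# Artifacts listed in the post, relative to the directory ZeuS installs into:
# %systemroot%\system32 with Administrator rights, %appdata% without.
ZEUS_ARTIFACTS = ("sdra64.exe", r"lowsec\user.ds", r"lowsec\user.ds.lll", r"lowsec\local.ds")

def expected_artifact_paths(env):
    """Full artifact paths for both install variants, keyed "admin" / "user".

    env maps environment variable names to values; it is passed in rather than
    read from os.environ so the logic can be run on a constructed environment.
    ntpath is used so Windows-style paths are produced on any host.
    """
    roots = {"admin": ntpath.join(env["SYSTEMROOT"], "system32"), "user": env["APPDATA"]}
    return {label: [ntpath.join(root, a) for a in ZEUS_ARTIFACTS] for label, root in roots.items()}

def userinit_extra_entries(value):
    """Entries in a Winlogon Userinit value other than userinit.exe itself.

    ZeuS appends ",<path>\\sdra64.exe" to the legitimate value. A clean value
    names exactly one program (a trailing comma is normal), so any extra entry
    is worth investigating whatever its filename.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]

def present_paths(paths, exists):
    """Subset of paths that exist; exists is injected so the check runs without a disk."""
    return [p for p in paths if exists(p)]

if __name__ == "__main__" and sys.platform == "win32":
    # Live check on a Windows host: the Winlogon value, the per-user Run value
    # the post mentions for the non-Administrator case, and the files themselves.
    import os, winreg
    winlogon = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, winlogon) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    print("Unexpected Userinit entries:", userinit_extra_entries(userinit))
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run) as key:
        try:
            print("HKCU Run 'Userinit' value:", winreg.QueryValueEx(key, "Userinit")[0])
        except FileNotFoundError:
            print("HKCU Run has no 'Userinit' value")
    for label, paths in expected_artifact_paths(os.environ).items():
        print(f"{label} artifacts present:", present_paths(paths, os.path.exists))
```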
ZeuS is sold in the criminal underground as a kit for around $3000-4000 and is likely the malware most used by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information-stealing capabilities:
  • Steals data submitted in HTTP forms
  • Steals account credentials stored in the Windows Protected Storage
  • Steals client-side X.509 public key infrastructure (PKI) certificates
  • Steals FTP and POP account credentials
  • Steals/deletes HTTP and Flash cookies
  • Modifies the HTML pages of target websites for information stealing purposes
  • Redirects victims from target web pages to attacker controlled ones
  • Takes screenshots and scrapes HTML from target sites
  • Searches for and uploads files from the infected computer
  • Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
  • Downloads and executes arbitrary programs
  • Deletes crucial registry keys, rendering the computer unable to boot into Windows
Dyre – Targeting financial institutions:
A new banking Trojan capable of bypassing encryption to steal account credentials has been uncovered in a wave of phishing attacks using Dropbox links. According to two firms analyzing the threat, it appears to be a completely new malware family. The Dyre Trojan was uncovered by Chantilly, Va.-based PhishMe, which has been analyzing a phishing campaign that has used Dropbox links in its spam messages since April. The attacks have used a variety of lures to get users to click a Dropbox link and download a document, which ultimately infects the system with the malware.
 
Carbanak banking malware
TOP TARGETED COUNTRIES:
Russia, USA, Germany, China, Ukraine, Canada, Taiwan, Hong Kong, United Kingdom, Spain, Norway, India, France, Poland, Pakistan, Nepal, Morocco, Czech Republic, Switzerland, Bulgaria, Australia, Iceland, Brazil
 
THE WAY OF PROPAGATION
  • Social engineering
  • Exploits
SPECIAL FEATURES
  • First ever criminal APT
  • Carbanak cybergang was able to steal $1bn from 100 financial institutions worldwide
  • The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.
  • The largest sums were grabbed by hacking into banks and stealing up to ten million dollars in each raid.
 
TARGETS
  • Financial institutions
 
ARTEFACTS/ATTRIBUTION
  • Responsibility for the robbery rests with a multinational gang of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China.
 
How was the malware distributed?
Attackers used spear phishing emails with malicious attachments against employees of the targeted financial institutions, in some cases sending them to the employees' personal email addresses. We believe the attackers also used drive-by download attacks, but this second assumption is still not 100% confirmed.
 
What is the potential impact for victims?
Based on what the attackers stole from victims, a new victim faces potential losses of up to $10 million. However, this figure is arbitrary given what we know: nothing limits the potential loss once an institution is infected.
 
Who are the victims? What is the scale of the attack?
Victims are mainly institutions in the financial industry; however, we have also found traces of infections in POS terminals and PR agencies. For a sense of the scale of the attack, please see the charts and maps provided in our report.
As with many malware campaigns, a variety of companies and individuals analyze the malware, and their analysis produces requests to the command and control (C2) servers. When we analyze those servers, all we see are the IPs and possibly some additional information. When this additional information is not present, and when the IP cannot be traced back to its owner, we mark it as an infection.
Based on this approach our analysis concludes that Russia, the US, Germany and China are the most affected countries in number of traces of infection (IP addresses).
 
Citadel malware
Citadel is also a banking trojan that is based on the Zeus architecture and operational model. Like IceIX, Citadel is believed to be derived from the Zeus source code leaked to the public in 2011.
 
Development of Citadel has been robust since its introduction as a distinct malware family. Notable capabilities added include AES encryption of configuration files and communications with C2 servers, an ability to evade tracking sites, the capacity to block access to security sites on victims' systems, and the ability to record videos of victims' activities. Like Zeus and IceIX, the Citadel toolkit is made up of three parts: a builder, the actual trojan, and a C2 web panel. Table 5 lists the statistics for Citadel samples analyzed by CTU researchers in 2013.
 
Spyeye Banking Trojan:
Although the core functionality of SpyEye is similar to that of its main rival Zeus, SpyEye incorporated many advanced tricks to hide its presence on the local system. The unpacked SpyEye bot image can begin execution either at the entry point specified in its Portable Executable (PE) header, at a private (non-exported) hook procedure executed when the bot has injected itself into a new process, or at one of two private thread routines that execute when the bot has injected itself into an existing process.
 
Carberp Trojan
Carberp is a Trojan designed to give attackers the ability to steal private information from online banking platforms accessed by the infected PCs.
This Trojan's behavior is similar to that of the other financial malware in the Zeus family, and it uses stealth techniques to hide from antimalware applications. Carberp is able to steal sensitive data from infected machines and download new data from command-and-control servers.
This Trojan is one of the most widespread financial-stealing malware families in Russia. Primarily targeting banking systems and companies that perform a high number of financial transactions, Carberp not only injects code into web pages but also tries to exploit several vulnerabilities in the target system in order to escalate to administrative privileges.
It is distributed through the typical methods: malicious e-mail attachments, drive-by downloads, or deceptive pop-up windows. What is different about this financial malware is the high number of legitimate web resources used to collect information and potentially make fraudulent transactions. Cybercriminals are reported to have deployed botnets of over 25,000 infected machines.
Bugat
Bugat is another banking Trojan, with similar capabilities to Zeus – the notorious data-stealing Trojan – which is used by IT criminals to steal financial credentials.
Bugat targets an infected user's browsing activity and harvests information during online banking sessions. It can upload files from an infected computer, download and execute a list of running processes or steal FTP credentials.
Bugat communicates with a command and control server from where it receives instructions and updates to the list of financial websites it targets.
The collected information is sent to the cybercriminal's remote server.
Cybercriminals spread the malware mostly by inserting malicious links in the e-mails they send to targeted users. When a user clicks a malicious link, he is directed to a fraudulent website from which the Bugat executable is downloaded onto the system.
What does a typical financial attack look like?
We will start from the point where a normal machine is already infected by credential-stealing malware. As mentioned before, the machine may have become infected through:
  • an e-mail attachment (or an e-mail link)
  • a drive-by download (which occurs when visiting a website)
  • a deceptive pop-up window.
The following steps usually occur in a typical financial attack:
  • The user accesses his online banking account. The domain is one of those specified in the configuration file that the malware downloaded from the malicious servers controlled by the attackers.
  • The malware sends a request to the malicious servers and lets the cybercriminals know that the user is trying to access a domain listed in the configuration file.
  • The malicious server specifies a page on the online banking site, usually the login page, where the attack should occur.
When the user accesses the specified page, the malware sends a request to the malicious server, which sends back a modified page that is injected into the user's browser. The modified page is designed to trick the user into believing he is entering his credentials in the genuine page of the online banking site.
The modified page (the login page in our case) asks for the user's sensitive information, such as credentials for the online banking website or a credit card number.
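One check a bank can run against the modified page described above, as an added example that is not part of the original post: compare the data-bearing fields in the page the browser actually rendered with the fields the genuine login form is known to have, and flag anything extra. In deployment this comparison runs in client-side script that reports back to the server; here the logic is shown in Python over constructed HTML, and the field names are assumptions.

```python
from html.parser import HTMLParser

# Input types that carry no user-entered data; ignored by the check.
NON_DATA_TYPES = {"submit", "button", "image", "reset"}

class FormFieldCollector(HTMLParser):
    """Record (name, type) for every data-bearing input, select or textarea."""
    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        ftype = (a.get("type") or "text").lower()
        if ftype not in NON_DATA_TYPES:
            self.fields.append(((a.get("name") or "").lower(), ftype))

def form_fields(html):
    collector = FormFieldCollector()
    collector.feed(html)
    return collector.fields

def unexpected_fields(html, expected_names):
    """Fields in the page as rendered that the genuine login form does not have."""
    expected = {n.lower() for n in expected_names}
    return [(n, t) for n, t in form_fields(html) if n not in expected]

# Field names of the genuine login form (assumed for this example).
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf"}

# Constructed sample: the login page as the bank serves it.
GENUINE_LOGIN = """<form method="post" action="/login">
<input name="username" type="text"><input name="password" type="password">
<input name="csrf" type="hidden" value="t0k3n"><input type="submit" value="Log in">
</form>"""

# Constructed sample: the same page after a webinject adds card-number and PIN
# prompts, the kind of modification the post describes.
INJECTED_LOGIN = GENUINE_LOGIN.replace(
    "</form>",
    '<input name="card_number" type="text"><input name="pin" type="password"></form>')

if __name__ == "__main__":
    print("genuine page extras:", unexpected_fields(GENUINE_LOGIN, EXPECTED_LOGIN_FIELDS))
    print("injected page extras:", unexpected_fields(INJECTED_LOGIN, EXPECTED_LOGIN_FIELDS))
```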
Here's a diagram for a typical financial malware attack (image not reproduced here).

