
Malware Analysis Report

January 2014

Cridex Cross-device Malware


PROPRIETARY & CONFIDENTIAL
The material in this report is strictly confidential and contains proprietary information and ideas of F5 INC. It
should not be provided to anyone without written consent from F5 INC

REPORT
Malware Analysis

Contents
Introduction .............................................................................................................................................................................. 3
The Threat ................................................................................................................................................................................ 4
Trojans ..................................................................................................................................................................................... 4
Script injections ...................................................................................................................................................................... 4
Summary of the Attack............................................................................................................................................................ 5
Infection Details ...................................................................................................................................................................... 6
Blackhole Origins .................................................................................................................................................................... 6
Analysis of the EXE file ........................................................................................................................................................... 11
Anti-Virus Scanning Results .................................................................................................................................................. 12
Cridex Configurations.............................................................................................................................................................. 14
The Injected Code ................................................................................................................................................................. 18
Infected User Interaction ......................................................................................................................................................... 20
Details and Detection Ratio ................................................................................................................................................... 27
Anti-Virus Scanning Results ............................................................................................................................... 27
Required Permissions ........................................................................................................................................................... 29
Attack Takedown ................................................................................................................................................................... 30
Counter-measures................................................................................................................................................................. 32
Appendix: F5's solution .......................................................................................................................................... 33


Introduction
F5 eliminates online identity theft by preventing phishing, Trojan and pharming attacks in real time, through the implementation of advanced encryption and identification mechanisms. F5 offers products and services that complement existing anti-fraud technologies, improving the client's protection against the aforementioned malicious activity and providing an encompassing defense mechanism. F5 Security products are customized to the needs of each client individually.
F5 enables financial organizations working online to gain control over areas that were virtually unreachable and indefensible until now, and to neutralize local threats found on their clients' personal computers, without requiring the installation of software on the end-user side. The transparent solution does not alter the user experience in any way, facilitating a seamless installation on the firms' web sites.
F5's one-of-a-kind solution has proven its exceptional effectiveness time and again in a large number of financial institutions worldwide, helping them prevent harm to their brand image and avoid significant economic damage.
Furthermore, F5 provides professional services and advanced research capabilities in the field of cybercrime, including malware, Trojan horses, viruses, etc.


The Threat
Trojans
Trojans are malware that appear to the user to perform a desirable function but (perhaps in addition to the expected function) steal information or harm the system.
Two main techniques used by Trojans in order to steal the user's credentials or initiate money transactions on their behalf are:

- Modifying the website's client-side webpage.
- Sniffing the browser's activity for information which is sent to different banks, before the packets are encrypted by SSL.

F5's knowledge is based on extensive research into the several forms of Trojan infections, and on experience with cleaning infections and repairing the damage caused by zero-day threats. Our deep understanding of how the malware works is the key to producing the right defense mechanisms required to safeguard the information transmitted between the client and the organization.

Script injections
Recently several eBanking Trojan horses (e.g. Zeus, Cridex, Citadel) started using script injection techniques in order to modify the original web page. The modification may enable the attacker to perform money transactions using the victimized user's credentials. This may be perpetrated by a Trojan horse injecting malicious JavaScript code into the client's browser once the client is connected to the website. The injected code performs different functions, including attempting a money transfer from the client's account.
In order to manage the information sent by the Trojans, the attackers have developed different types of command and control systems that enable them to grab and manage the information sent by the Trojan. These are usually PHP-based systems accompanied by an SQL database.


Summary of the Attack


The attack is made in order to infect users' devices with a cross-device Cridex eBanking Trojan. The attacker utilizes a few known methods in order to overcome the user's ability to detect the attack and to bypass the need for the user to confirm the installation of the Trojan.
The stages of the attack:

1. The user receives an email from the attacker containing a link.
2. The user clicks on the link.
3. The browser requests a page from a remote Blackhole exploit kit.
4. The Blackhole exploit kit scans the user's browser for vulnerabilities and injects the page with a PDF file.
5. The PDF file running in the user's browser downloads the Trojan and installs it on the user's machine, utilizing an Adobe Acrobat Reader vulnerability.
6. Once entering his eBanking account, the user is asked to enter his smartphone number.
7. A link is sent to the user's device asking him to install a malicious application.
8. The user's submitted credentials and personal information are captured by the Trojan and sent to a remote DropZone, and at the same time an automatic monetary transaction is initiated by the attacker.


Infection Details
Blackhole Origins
The Blackhole origin and infection pages were served from eight domains, hosted on servers in the United States, Brazil and Romania.


The Email Sent to the Victim

Sample of one, out of many, infection e-mails sent by the attacker to a distribution list gathered online:

The user clicks on the link and downloads a ZIP file.


ZIP file name: "Weitere_Informationen_zum_Transaktions_TARGETED_BANK"

The user installs the malicious executable file.


Once the user clicks on the PDF file, an obfuscated JavaScript runs on the system. The JavaScript loads a page of the infamous Blackhole exploit kit, which leads to the installation of the Trojan horse on the user's system through an Acrobat Reader vulnerability exploit.
Once that PHP page is running in the user's browser, the system is scanned for browser vulnerabilities and the user is served a payload-infected PDF file.
Sample from the code:


Analysis of the EXE file


Properties


Anti-Virus Scanning Results


Executing the EXE file will reveal that it is indeed a variant of the Cridex banking Trojan.

Severity: HIGH

The malware is a password-stealing Trojan equipped with the following features:

- Known for installing fake SSL certificates to mislead users in SSL transactions.
- Data capturing ability, including banking passwords.
- Opening a new TCP port connection to send the information.
- HTML injections.
- Stealing the victim's computer information:
  - IMAP/POP3/SMTP usernames, passwords and server information from mail clients.
  - Bookmarks.
  - E-mail addresses from the Windows Address Book.


Cridex Configurations
The Cridex Trojan is a man-in-the-browser (MITB) type of Trojan that is able to detect the website the user is visiting and inject the dedicated code into the user's web browser. It also has the ability to capture the user's submitted information and forms and deliver them to the attacker's dropzone.
In order to infect the user, the EXE file is known to be sent via email spam such as fake UPS orders, postal services, Groupon and many more. Once the user downloads the EXE and executes it, the Trojan is activated and installs itself on the victim's machine.
The Trojan also modifies the victim's registry; the new values also include the Trojan's configuration file. The set value is hexadecimal and can be de-obfuscated.
Sample of the obfuscated configuration file:


Sample of the de-obfuscated configuration file:

As can be seen in the de-obfuscated code above, the Trojan targets a vast number of financial institutions worldwide.


The C&C of the Trojan can be seen while monitoring the traffic:

hxxp://portasible.ru/BUYee/+jHKSCAAAA/xyVpBAAAAA

DNS Query: portasible.ru
The server's IP: 37.235.48.69

Whois information

The DropZone can be detected in the injected code:


DNS Query: tstore.mobi
The server's IP: 37.235.53.202

The information captured by the Trojan is saved in a local log file of the Trojan and delivered to the attacker's DropZone. The saved logs include the saved webpage (base64-encoded), the captured URLs and all of the submitted information.


The Injected Code


As the Trojan is a generic one that attacks a vast number of financial institutions worldwide, it includes a number of JavaScripts, of which only a few will be activated depending on the user's eBanking account.
Unlike previously seen variants of this kind of Trojan, the code is injected into internal webpages of the bank and NOT into the login page loaded by the user at the beginning of the session.
Below is a sample of the injected code. Each JavaScript is triggered by the browser depending on the targeted internal URL.


The injected code communicates with another malicious server located at:

DNS Query: start-ssecurity.com
The server's IP: 62.75.196.133


Infected User Interaction

Once the user completes the login and enters his eBanking account, the Trojan injects the relevant code according to the relevant financial institution. This specific Trojan is modified to impersonate Trusteer, IBM's recent security company acquisition, to make users think that the bank started to use Trusteer security solutions, and to ask them to download the company's security mobile application.


1) The user sees the bank notification regarding the new security solution and is asked to download an application to his mobile device.

2) Clicking on the DOWNLOAD button will pop up a new notification asking the user to enter his phone number and choose his mobile device.


3) The user receives an SMS on his smartphone containing a link to download the application:
hxxp://mobiletrusteer.mobi/TARGETED_BANK.apk

4) Clicking the SMS link will install the malicious application on the user's smartphone; the user is then asked to activate it by granting administrator permissions to the mobile Trojan.


On being launched, the application sends an SMS message to the attacker's mobile number:

+447781470730

5) A window is displayed to the user in which he is requested to enter his password and password verification.


When the user clicks the submit button, the application compares the password and the password verification field without sending any data to the attacker. In case of a match, the user will see the confirmation code screen on his smartphone.

6) The victim's "confirmation code":


Then, the user is asked to enter it on the website as seen below:

The Trojan completes the process by displaying a message on the victim's computer informing him of the completion of the security upgrade and that he can proceed to his online eBanking activities.

Additional information
Once the application is installed on the device, every incoming SMS message is scanned by the application (mobile Trojan).
When the user receives an SMS message in the format "random&&time", the application saves the time parameter and, within this time range, delivers all the incoming SMS messages to the attacker without the victim's knowledge.

In order to stop this message forwarding process, the attacker sends an SMS message in the format "DELETE" to the user's phone.
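The SMS command handling described above, modelled as an analyst aid for replaying an SMS log (for example one exported from a handset or an MDM) and seeing which messages would have been forwarded. This is an added example, not the Trojan's code or F5's; it assumes the "time" parameter is in seconds and that the stop command is the literal text DELETE, neither of which the report states explicitly.

```python
"""Replay of the mobile Trojan's SMS command handling as described in the
report (analyst aid, not the malware's own code). A message "random&&time"
opens a forwarding window of `time` seconds (unit assumed); "DELETE" closes it.
"""
import re
from typing import Dict, List, Tuple

# Assumed formats: a nonce, "&&", then a decimal duration; and the bare word DELETE.
START_RE = re.compile(r"^(?P<nonce>[^&\s]+)&&(?P<time>\d+)$")
STOP_CMD = "DELETE"


def classify(body: str) -> Tuple[str, int]:
    """Classify one SMS body as ('start', seconds), ('stop', 0) or ('other', 0)."""
    text = body.strip()
    if text == STOP_CMD:
        return ("stop", 0)
    m = START_RE.match(text)
    if m:
        return ("start", int(m.group("time")))
    return ("other", 0)


def replay(log: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """Walk a time-ordered log of (timestamp_seconds, sender, body) and report
    which bodies are C2 commands, which would be forwarded to the attacker while
    a window is open, and which would stay on the handset."""
    window_end = None
    out: Dict[str, List[str]] = {"commands": [], "forwarded": [], "kept_local": []}
    for ts, _sender, body in log:
        kind, seconds = classify(body)
        if kind == "start":
            window_end = ts + seconds       # open (or extend) the forwarding window
            out["commands"].append(body)
        elif kind == "stop":
            window_end = None               # attacker ended the forwarding
            out["commands"].append(body)
        elif window_end is not None and ts <= window_end:
            out["forwarded"].append(body)   # would be exfiltrated silently
        else:
            out["kept_local"].append(body)  # outside any window: not forwarded
    return out


# Constructed sample log (not from the report). Sender numbers are placeholders.
SAMPLE_LOG = [
    (0.0,   "+000000001", "hello"),
    (10.0,  "+000000002", "x7Qp&&300"),           # opens a 300 s window
    (60.0,  "BANK",       "Your TAN is 123456"),  # inside the window: forwarded
    (200.0, "+000000002", "DELETE"),              # closes the window early
    (250.0, "BANK",       "Your TAN is 654321"),  # after DELETE: stays local
    (260.0, "+000000002", "aB&&100"),             # new 100 s window, ends at 360
    (400.0, "BANK",       "Your TAN is 999999"),  # window expired: stays local
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```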


The SMS Parser processes:

Last stage of the attack

The JavaScript running on the victim's computer receives the TAN/OTP and completes the transaction. The TAN is pulled from storage by the computer Trojan, which in turn sends it to the bank to complete the illicit transfer of money out of the bank customer's account and into the attacker's mule account. The customer's screen does not show any of this activity, and they are completely unaware of the fraudulent action that just took place.


Details and Detection Ratio


Anti-Virus Scanning Results
Only 21 out of 46 anti-virus engines detected the Cridex cross-device Trojan as a malicious application. The full scan results are as follows:


Required Permissions
Once activated by the user on his smartphone, the attacker has administrator permission on the victim's device. Therefore he is able to control a vast number of functions, such as:
1. Send/receive SMS messages using the victim's mobile phone number.
2. Have internet access through the victim's mobile.
3. Control incoming and outgoing direct phone calls.
4. Move between Wi-Fi networks.
5. Change the phone state.
6. Delete/modify SD card contents.
7. Read contact list data.
8. Record any audio on the device.
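A manifest triage check for the permission profile listed above, added here as an analyst aid; it is not F5's code and not derived from the real APK. It parses a constructed AndroidManifest.xml and maps the declared permissions onto the report's capability list; the capability-to-permission mapping is this example's own, and the device-administrator check assumes the standard BIND_DEVICE_ADMIN receiver declaration.

```python
"""Triage of an Android manifest against the capability profile the report
attributes to the mobile Trojan (added example; mapping is the author's own)."""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability named in the report -> standard Android permissions that grant it.
CAPABILITIES: Dict[str, Set[str]] = {
    "send/receive SMS": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "internet access": {"android.permission.INTERNET"},
    "control phone calls": {"android.permission.CALL_PHONE",
                            "android.permission.PROCESS_OUTGOING_CALLS"},
    "move between Wi-Fi networks": {"android.permission.CHANGE_WIFI_STATE"},
    "change phone state": {"android.permission.READ_PHONE_STATE",
                           "android.permission.MODIFY_PHONE_STATE"},
    "modify SD card contents": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}


def requests_device_admin(manifest_xml: str) -> bool:
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app asks to
    become a device administrator, as the report describes for this Trojan."""
    root = ET.fromstring(manifest_xml)
    return any(e.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
               for e in root.iter("receiver"))


def triage(manifest_xml: str) -> Dict[str, object]:
    """Return matched capabilities, the device-admin flag and a heuristic verdict:
    device admin combined with SMS access is the profile described in the report."""
    perms = declared_permissions(manifest_xml)
    matched = sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)
    admin = requests_device_admin(manifest_xml)
    return {"capabilities": matched, "device_admin": admin,
            "suspicious": admin and "send/receive SMS" in matched}


# Constructed sample manifest (not the real APK's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```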


Attack Takedown
A couple of hours after the first notification was received, the F5 Security Operation Center commenced the shutdown of the attack. In a very short time frame, all attack resources were blocked.
APK resource after SOC shutdown:

Script resource after SOC shutdown:


Script resource after SOC shutdown:

Trojan C&C after SOC shutdown:

All executable file resources were shut down as well.


Countermeasures
1. Educate your users not to open or click on unknown/unexpected email links.
2. Implement an antivirus solution for your organization and protect your end users. Don't forget to keep it up to date.
3. Patch your end users' machines; make sure their software is updated, including browsers, Java, Flash, PDF readers, and all of the Microsoft software.
4. Limit your users' accounts; not everybody has to be an administrator.
5. Apply strict web content filters on the users' browsers.
6. Implement a mail scanning solution.
7. Implement F5 WebSafe & MobileSafe to detect infected users entering your web page and mitigate the Trojans.

For more useful tips contact your local F5 Networks account manager.


Appendix: F5's solution

Real-time identification of affected users
WebSafe/MobileSafe contains code to detect duplicated communications, a sure sign that the user is affected by a Trojan and that the information provided by it to the bank is also sent to an unauthorized drop zone.

Identification of malicious script injection
Once downloaded to the client's browser, WebSafe/MobileSafe makes sure there has been no change to the site's HTML. In case such a change is detected, the bank is notified immediately.

Protection against Trojan-generated money transfers
The combination of recognizing affected users, encrypting information, and recognizing malicious script is a key element in preventing Trojans from performing unauthorized actions within the account. The WebSafe/MobileSafe component detects the automatic attempts and is able to intercept them.

Malware research
F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team also analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat.

Authors
Adir Tzadok
Security Operation Center Analyst
Itzik Chimino
Security Operation Center Team Leader
Ilan Meller
Security Operation Center Manager

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119

F5 Networks, Inc., Corporate Headquarters: info@f5.com
F5 Networks, Asia-Pacific: apacinfo@f5.com
F5 Networks Ltd., Europe/Middle-East/Africa: emeainfo@f5.com
F5 Networks Japan K.K.: f5j-info@f5.com
888-882-4447
www.f5.com

2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 01/14
RPRT-SEC-17954-malware-analysis
