January 2014
REPORT
Malware Analysis
Contents
Introduction
The Threat
Trojans
Script injections
Summary of the Attack
Infection Details
Blackhole Origins
Analysis of the EXE file
Anti-Virus Scanning Results
Cridex Configurations
The Injected Code
Infected User Interaction
Details and Detection Ratio
Anti-Virus Scanning Results
Required Permissions
Attack Takedown
Countermeasures
Appendix: F5's solution
Introduction
F5 eliminates online identity theft by preventing phishing, Trojan and pharming attacks in
real time, through the implementation of advanced encryption and identification
mechanisms. F5 offers products and services that complement existing anti-fraud
technologies, improving the client's protection against the aforementioned malicious
activity and providing an encompassing defense mechanism. F5 Security products are
customized to the needs of each client individually.
F5 enables financial organizations working online to gain control over areas that were
virtually unreachable and indefensible until now, and to neutralize local threats found on their
clients' personal computers, without requiring the installation of software on the end-user
side. The transparent solution does not alter the user experience in any way, facilitating a
seamless installation on the firm's web sites.
F5's one-of-a-kind solution has proven its exceptional effectiveness time and again in a
large number of financial institutions worldwide, helping them prevent harm to their brand
image and avoid significant economic damage.
Furthermore, F5 provides professional services and advanced research capabilities in the
field of cybercrime, including malware, Trojan horses, viruses, etc.
The Threat
Trojans
Trojans are malware that appear to the user to perform a desirable function but (perhaps
in addition to the expected function) steal information or harm the system.
Two main techniques used by Trojans in order to steal the user's credentials or initiate money
transactions on their behalf are:
Sniffing the browser's activity for information which is sent to different banks,
before the packets are encrypted by SSL.
F5's knowledge is based on extensive research into the several forms of Trojan infection,
and on experience with cleaning infections and repairing the damage caused by zero-day threats.
Our deep understanding of how the malware works is the key to producing the right
defense mechanisms required to safeguard the information transmitted between the client
and the organization.
Script injections
Recently several eBanking Trojan horses (e.g. Zeus, Cridex, Citadel) started using script
injection techniques in order to modify the original web page. The modification may enable
the attacker to perform money transactions using the victimized user's credentials. This
may be perpetrated by a Trojan horse injecting malicious JavaScript code into the client's
browser once the client is connected to the website. The injected code performs
different functions, including attempting a money transfer from the client's account.
In order to store the information sent by the Trojans, the attackers have developed
different types of command and control systems that enable them to grab and manage the
information sent by the Trojan. These are usually PHP-based systems accompanied
by an SQL database.
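The integrity check that this injection model implies, written here as an added example that is not part of the report and is not how F5's products work: compare the login form the bank's server actually served with the form as it exists in the user's browser, and report every field and script that only the browser-side copy has. Both HTML documents and the script source INJECT_SERVER.invalid are constructed for the example.

```python
# Added example (not F5's code): a page-integrity check that compares the
# login form the server served with the form as the browser ends up holding
# it, and reports fields and scripts that were added client-side, which is
# the footprint of an injected "enter your smartphone number" prompt.
# Both HTML documents below are constructed.
from html.parser import HTMLParser


class PageInventory(HTMLParser):
    """Collect (form id, field name) pairs and external script sources."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.fields = set()
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("id") or a.get("name") or "<anonymous>"
        elif tag in ("input", "select", "textarea") and self.current_form:
            if a.get("name"):
                self.fields.add((self.current_form, a["name"]))
        elif tag == "script" and a.get("src"):
            self.scripts.add(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def inventory(html):
    parser = PageInventory()
    parser.feed(html)
    parser.close()
    return parser


def detect_injection(served_html, observed_html):
    """Return what the browser-side DOM contains beyond the served page."""
    served, observed = inventory(served_html), inventory(observed_html)
    return {
        "added_fields": sorted(observed.fields - served.fields),
        "added_scripts": sorted(observed.scripts - served.scripts),
    }


# Constructed sample: the login page as the bank sent it ...
SERVED_LOGIN = """<html><body>
<form id="login" action="/login" method="post">
  <input name="username">
  <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
<script src="/static/app.js"></script>
</body></html>"""

# ... and the same page as a MITB Trojan leaves it in the browser
# (INJECT_SERVER.invalid is a placeholder, not an indicator from the report).
OBSERVED_LOGIN = """<html><body>
<form id="login" action="/login" method="post">
  <input name="username">
  <input name="password" type="password">
  <input name="phone_number" placeholder="Mobile number">
  <select name="device"><option>Android</option></select>
  <input type="submit" value="Log in">
</form>
<script src="/static/app.js"></script>
<script src="http://INJECT_SERVER.invalid/inject.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(detect_injection(SERVED_LOGIN, OBSERVED_LOGIN))
```

The served copy has to come from somewhere the Trojan cannot touch (the web server or a reverse proxy), which is why this kind of check is done server-side rather than by script in the same page the Trojan already controls.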
Once he enters his eBanking account, the user is asked to enter his smartphone
number.
7. A link is sent to the user's device asking him to install a malicious application.
8. The user's submitted credentials and personal information are captured by the
Trojan and sent to a remote DropZone, and at the same time an automatic
monetary transaction is initiated by the attacker.
Infection Details
Blackhole Origins
These are the Blackhole origin and infection pages:
URL: hxxp://kaarqo.releasesmanaged.com.au/TARGETED_BANK/
IP: 69.197.18.174
Country of origin: United States of America
URL: hxxp://ftegu9.votersparty.net/TARGETED_BANK/
IP: 208.70.150.9
Country of origin: United States of America
URL: hxxp://5b0y1y.siens.com.br/TARGETED_BANK/
IP: 186.215.182.21
Country of origin: Brazil
URL: hxxp://tryidon.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania
URL: hxxp://motott.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania
URL: hxxp://vkokoi.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania
URL: hxxp://basanaj.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania
URL: hxxp://byuhera.ru/TARGETED_BANK/
IP: 5.254.96.218
Country of origin: Romania
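How a SOC would operationalise the indicator list above, as an added example that is not part of the report: the eight URLs and IPs become a blocklist that is run over proxy logs, matching on the destination IP as well as the hostname because four of the .ru domains share 5.254.96.215. The log lines and their "timestamp client dest_ip url" layout are constructed for the example, not a format the report describes.

```python
# Added example (not part of the report): turn the landing-page indicators
# listed above into a blocklist and run it over proxy log lines.  The log
# lines are constructed, and their layout "<timestamp> <client> <dest_ip>
# <url>" is an assumed format, not one the report describes.
import re
from urllib.parse import urlsplit

# Indicators copied from the report, defanged (hxxp) as published.
INDICATORS = """
hxxp://kaarqo.releasesmanaged.com.au/TARGETED_BANK/ 69.197.18.174
hxxp://ftegu9.votersparty.net/TARGETED_BANK/ 208.70.150.9
hxxp://5b0y1y.siens.com.br/TARGETED_BANK/ 186.215.182.21
hxxp://tryidon.ru/TARGETED_BANK/ 5.254.96.215
hxxp://motott.ru/TARGETED_BANK/ 5.254.96.215
hxxp://vkokoi.ru/TARGETED_BANK/ 5.254.96.215
hxxp://basanaj.ru/TARGETED_BANK/ 5.254.96.215
hxxp://byuhera.ru/TARGETED_BANK/ 5.254.96.218
"""


def refang(url):
    """Turn hxxp:// back into http:// so the standard URL parser accepts it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def build_blocklist(text):
    """Return (hostnames, ips) from lines of '<defanged url> <ip>'."""
    hosts, ips = set(), set()
    for line in text.strip().splitlines():
        url, ip = line.split()
        hosts.add(urlsplit(refang(url)).hostname.lower())
        ips.add(ip)
    return hosts, ips


LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<url>\S+)$")


def scan_proxy_log(lines, hosts, ips):
    """Return one hit per line whose hostname or destination IP is listed.

    Matching on the IP as well catches new domains parked on the same
    server: four of the .ru domains above resolve to 5.254.96.215."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = (urlsplit(m["url"]).hostname or "").lower()
        matched = []
        if host in hosts:
            matched.append("host")
        if m["dest"] in ips:
            matched.append("ip")
        if matched:
            hits.append({"client": m["client"], "url": m["url"], "matched": matched})
    return hits


# Constructed proxy log; 10.0.0.x are internal clients.  The third line has
# the TARGETED_BANK path on an unrelated host and must not match: the path
# alone is not an indicator.  The fourth is a new name on the shared server.
SAMPLE_LOG = [
    "2014-01-15T09:12:01Z 10.0.0.21 93.184.216.34 http://www.example.com/",
    "2014-01-15T09:12:07Z 10.0.0.21 5.254.96.215 http://tryidon.ru/TARGETED_BANK/",
    "2014-01-15T09:13:44Z 10.0.0.35 203.0.113.9 http://other.example.org/TARGETED_BANK/",
    "2014-01-15T09:15:02Z 10.0.0.35 5.254.96.215 http://newname.example/TARGETED_BANK/",
]

if __name__ == "__main__":
    hosts, ips = build_blocklist(INDICATORS)
    for hit in scan_proxy_log(SAMPLE_LOG, hosts, ips):
        print(hit)
```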
Once the user clicks on the PDF file, obfuscated JavaScript runs on the
system. The JavaScript loads a page of the infamous Blackhole exploit kit, which
leads to the installation of the Trojan horse on the user's system through an
Adobe Reader vulnerability exploit.
Once that PHP page is running in the user's browser, the system is scanned for browser
vulnerabilities and the user is served a PDF file carrying the payload.
Sample from the code:
Executing the EXE file will reveal that it is indeed a variant of the Cridex banking Trojan.
Severity: HIGH
The malware is a password-stealing Trojan equipped with the following features:
Known for installing fake SSL certificates to mislead users in SSL transactions.
HTML injections.
Bookmarks.
Cridex Configurations
The Cridex Trojan is a MITB (man-in-the-browser) type of Trojan that is able to detect the website the user is
visiting and inject the dedicated code into the user's web browser. It also has the ability to
capture the user's submitted information and forms and deliver them to the attacker's dropzone.
In order to infect the user, the EXE file is known to be sent via email spam such as fake UPS
orders, postal services, Groupon and many more. Once the user downloads the EXE and
executes it, the Trojan is activated and installs itself on the victim's machine.
The Trojan also modifies the victim's registry; the new values also include the Trojan's
configuration file. The set value is hexadecimal and can be de-obfuscated.
Sample of the obfuscated configuration file:
As can be seen in the de-obfuscated code above, the Trojan targets a vast number of
financial institutions worldwide.
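The de-obfuscation step the two paragraphs above describe, as an added example that is neither the report's nor F5's code: hex-decode the registry value, strip a simple obfuscation layer, and pull the target hostnames out of the plaintext. The report says only that the value is hexadecimal and can be de-obfuscated; the single-byte XOR layer, the "looks like config text" scoring used to pick the key, and the config blob itself are assumptions constructed for this example.

```python
# Added example (not the report's or F5's code): hex-decode a registry value
# of the kind described above and strip a simple obfuscation layer.  The
# report only says the value is hexadecimal and can be de-obfuscated; the
# single-byte XOR layer, the scoring heuristic and the config blob itself
# are assumptions/constructions for this example.
import re
import string

# Bytes an analyst expects to dominate a plaintext config: letters, digits
# and URL/markup punctuation.  No control characters, so a wrong key that
# garbles the text scores lower than the real one.
CONFIG_CHARS = set((string.ascii_letters + string.digits + " *-./:<>_=?&").encode())


def config_score(data):
    """Fraction of bytes that look like config text (1.0 = all of them)."""
    return sum(b in CONFIG_CHARS for b in data) / max(len(data), 1)


def deobfuscate_hex(hex_value):
    """Hex-decode, then try every single-byte XOR key (0 = no XOR layer) and
    keep the candidate that scores highest.  Returns (key, plaintext)."""
    raw = bytes.fromhex(hex_value.replace(" ", ""))
    best_key, best_score, best = 0, -1.0, raw
    for key in range(256):
        candidate = bytes(b ^ key for b in raw)
        score = config_score(candidate)
        if score > best_score:
            best_key, best_score, best = key, score, candidate
    return best_key, best


HOSTNAME = re.compile(rb"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def target_hosts(plaintext):
    """Hostnames named in the de-obfuscated config: the list of targeted
    institutions (plus the dropzone) that an analyst reports."""
    return sorted({m.decode() for m in HOSTNAME.findall(plaintext.lower())})


# Constructed sample: a small XML-style config XORed with a constructed key
# and stored as hex, the way an exported REG_BINARY value looks.
CONSTRUCTED_CONFIG = (
    b"<config><target>*.bank-one.example/*</target>"
    b"<target>online.bank-two.example</target>"
    b"<dropzone>http://DROPZONE.invalid/</dropzone></config>"
)
CONSTRUCTED_KEY = 0x5A
SAMPLE_HEX = bytes(b ^ CONSTRUCTED_KEY for b in CONSTRUCTED_CONFIG).hex()

if __name__ == "__main__":
    key, plain = deobfuscate_hex(SAMPLE_HEX)
    print(f"key=0x{key:02x}", plain.decode())
    print(target_hosts(plain))
```

Key 0 is tried like any other, so a value that is plain hex with no XOR layer comes back unchanged; a real sample with a different scheme (a multi-byte key, compression) would fail the score check and needs the scheme worked out from the binary instead.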
Whois information
The information captured by the Trojan is saved in a local log file of the Trojan and delivered
to the attacker's DropZone. The saved logs include the saved web page (base64-encoded),
the captured URLs and all of the submitted information.
The injected code communicates with another malicious server, located at:
DNS query:
start-ssecurity.com
Once the user completes the login and enters his eBanking account, the Trojan injects the
relevant code according to the relevant financial institution. This specific Trojan is modified to
use IBM's recent security company acquisition, Trusteer, to make users think that the
bank has started to use Trusteer security solutions, and asks them to download the company's
security mobile application.
1) The user sees the bank notification regarding the new security solution and is asked to
download an application to his mobile device.
2) Clicking on the DOWNLOAD button pops up a new notification asking the user to enter his
phone number and choose his mobile device.
3) The user receives an SMS on his smartphone containing a link to download the
application:
hxxp://mobiletrusteer.mobi/TARGETED_BANK.apk
4) Clicking the SMS link installs the malicious application on the user's smartphone; the
user is then asked to activate it by granting administrator permissions to the mobile
Trojan.
On being launched, the application sends an SMS message to the attacker's mobile number:
+447781470730
5) When the user clicks the submit button, the application compares the password and
the password verification field without sending any data to the attacker. In case of a match, the
user sees the confirmation code screen on his smartphone.
6) The Trojan completes the process by displaying a message on the victim's computer
informing him that the security upgrade is complete and that he can proceed with
his online eBanking activities.
Additional information
Once the application is installed on the device, every incoming SMS message is
scanned by the application (mobile Trojan).
When the user receives an SMS message in the format "random&&time", the
application saves the time parameter and, within this time range, delivers all
incoming SMS messages to the attacker without the victim's knowledge.
In order to stop this message forwarding, the attacker sends an SMS message
in the format "DELETE" to the user's phone.
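A detection helper built from the command grammar just described, as an added example that is not the malware's code and not F5's: it classifies SMS bodies as "open window", "close window" or benign, then replays a constructed message sequence to show which one-time codes would have been forwarded while a window was open. The report does not give the unit of the time field; minutes is an assumption made here.

```python
# Added example (a detection helper, not the malware's code and not F5's):
# classify SMS bodies against the command grammar described above, where
# "random&&time" opens a forwarding window and "DELETE" closes it, and
# replay a constructed message sequence to show when one-time codes would
# have been exposed.  The unit of the time field is assumed to be minutes.
import re
from dataclasses import dataclass

OPEN_WINDOW = re.compile(r"^(?P<token>[^&\s]+)&&(?P<time>\d+)$")


@dataclass
class Verdict:
    kind: str            # "open_window", "close_window" or "benign"
    token: str = ""
    minutes: int = 0


def classify_sms(body):
    """Map one SMS body to a Verdict."""
    text = body.strip()
    if text.upper() == "DELETE":
        return Verdict("close_window")
    m = OPEN_WINDOW.match(text)
    if m:
        return Verdict("open_window", m["token"], int(m["time"]))
    return Verdict("benign")


class ForwardingMonitor:
    """Tracks the forwarding window a command sequence would open."""

    def __init__(self):
        self.active_until = None   # epoch seconds, or None when closed

    def feed(self, ts, body):
        """Return the status of one message arriving at time ts (seconds)."""
        v = classify_sms(body)
        if v.kind == "open_window":
            self.active_until = ts + v.minutes * 60
            return "c2-open"
        if v.kind == "close_window":
            self.active_until = None
            return "c2-close"
        if self.active_until is not None and ts <= self.active_until:
            return "exposed"     # would have been forwarded to the attacker
        return "ok"


# Constructed message sequence (timestamps in seconds from the first message):
# a 30-minute window is opened, one bank code arrives inside it, one after
# it has lapsed, then the attacker closes the window.
SAMPLE_SMS = [
    (0, "a9f3kq&&30"),
    (600, "Your transaction code is 482913"),
    (1900, "Your transaction code is 771002"),
    (2000, "DELETE"),
    (2100, "Lunch today?"),
]


def replay(messages):
    monitor = ForwardingMonitor()
    return [monitor.feed(ts, body) for ts, body in messages]


if __name__ == "__main__":
    for (ts, body), status in zip(SAMPLE_SMS, replay(SAMPLE_SMS)):
        print(f"{ts:>5}s {status:9} {body}")
```

The "exposed" verdicts are what an incident responder needs: they identify the transaction codes the attacker could have used, and so the transactions that need to be reviewed.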
Required Permissions
Once activated by the user on his smartphone, the attacker has administrator permission on the victim's
device and is therefore able to control a vast number of functions, such as:
1. Send/receive SMS messages using the victim's mobile phone number.
2. Access the internet through the victim's mobile.
3. Control incoming and outgoing direct phone calls.
4. Move between Wi-Fi networks.
5. Change the phone state.
6. Delete/modify SD card contents.
7. Read contact list data.
8. Record any audio on the device.
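The capability list above maps onto concrete Android manifest permissions, and screening an APK's manifest for them is a cheap triage step. As an added example that is not F5's code: parse a manifest, list the risky permissions it requests, and note whether it registers a device-administrator receiver (the "activate by enabling administrator permissions" step). The manifest below is constructed; the permission names are the standard Android ones, and the risk rule (device admin together with SMS access rates high) is this example's own.

```python
# Added example (not F5's code): screen an Android manifest for the
# capabilities listed above.  The manifests below are constructed; the
# permission names are the standard Android ones, and the risk rule
# (device admin plus SMS access = high) is this example's own.
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID}}}name"
A_PERMISSION = f"{{{ANDROID}}}permission"

# Standard permissions that map onto the capability list in the report.
RISKY = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.INTERNET": "internet access",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.PROCESS_OUTGOING_CALLS": "control outgoing calls",
    "android.permission.CHANGE_WIFI_STATE": "switch Wi-Fi networks",
    "android.permission.READ_PHONE_STATE": "read phone state",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify SD card contents",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.RECORD_AUDIO": "record audio",
}
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(A_NAME) for e in root.iter("uses-permission")}


def requests_device_admin(manifest_xml):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN, i.e. the app can
    ask the user to make it a device administrator."""
    root = ET.fromstring(manifest_xml)
    return any(r.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
               for r in root.iter("receiver"))


def assess(manifest_xml):
    """Summarise the risky capabilities a manifest asks for."""
    perms = requested_permissions(manifest_xml)
    findings = sorted(RISKY[p] for p in perms if p in RISKY)
    admin = requests_device_admin(manifest_xml)
    if admin:
        findings.append("device administrator")
    if admin and perms & SMS_PERMS:
        risk = "high"       # can hide itself and read one-time codes
    elif len(findings) >= 3:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "findings": findings}


# Constructed manifest with the profile described in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Constructed sample">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary network-only app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_MANIFEST))
    print(assess(BENIGN_MANIFEST))
```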
Attack Takedown
A couple of hours after the first notification was received, the F5 Security Operation Center commenced the shutdown of the
attack. In a very short time frame, all attack resources were blocked.
APK resource after SOC shutdown:
Countermeasures
1.
2. Implement an antivirus solution for your organization and protect your end users.
Don't forget to keep it up to date.
3. Patch your end users' software: make sure it is updated, including browsers, Java,
Flash, PDF readers, and all Microsoft software.
4. Implement F5 WebSafe & MobileSafe to detect infected users entering your web page
and mitigate the Trojans.
For more useful tips contact your local F5 Networks account manager.
Appendix: F5's solution
Real-time identification of affected users
Identification of malicious script injection
Protection against Trojan-generated money transfers
Malware research
Authors
Adir Tzadok
Security Operation Center Analyst
Itzik Chimino
Security Operation Center Team Leader
Ilan Meller
Security Operation Center Manager
F5 Networks
Asia-Pacific
apacinfo@f5.com
888-882-4447
F5 Networks Ltd.
Europe/Middle-East/Africa
emeainfo@f5.com
www.f5.com
F5 Networks
Japan K.K.
f5j-info@f5.com
2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 01/14
RPRT-SEC-17954-malware-analysis