RPRT SEC 17954 Malware Analysis 23

Malware Analysis Report, January 2014

Cridex Cross-device Malware

PROPRIETARY & CONFIDENTIAL: The material in this report is strictly confidential and contains proprietary information and ideas of F5 INC. It should not be provided to anyone without written consent from F5 INC.

Page 2: RPRT SEC 17954 Malware Analysis 23

2

REPORT

Malware Analysis

Contents

Introduction ..... 3
The Threat ..... 4
Trojans ..... 4
Script injections ..... 4
Summary of the Attack ..... 5
Infection Details ..... 6
Blackhole Origins ..... 6
Analysis of the EXE file ..... 11
Anti-Virus Scanning Results ..... 12
Cridex Configurations ..... 14
The Injected Code ..... 18
Infected User Interaction ..... 20
Details and Detection Ratio ..... 27
Anti-Virus Scanning Results ..... 27
Required Permissions ..... 29
Attack Takedown ..... 30
Counter-measures ..... 32
Appendix—F5’s solution ..... 33

Page 3

Introduction

F5 eliminates online identity theft by preventing phishing, Trojan and pharming attacks in real time, through the implementation of advanced encryption and identification mechanisms. F5 offers products and services that complement existing anti-fraud technologies, improving the clients’ protection against the aforementioned malicious activity and providing an encompassing defense mechanism. F5 Security products are customized to the needs of each client individually.

F5 enables financial organizations working online to gain control over areas that were virtually unreachable and indefensible until now, and to neutralize local threats found on their clients’ personal computers, without requiring the installation of software on the end user side. The transparent solution does not alter the user experience in any way, facilitating a seamless installation on the firm’s web sites.

F5’s one-of-a-kind solution has proven its exceptional effectiveness time and again in a large number of financial institutions worldwide, helping them prevent harm to their brand image and avoid significant economic damage.

Furthermore, F5 provides professional services and advanced research capabilities in the field of cybercrime, including malware, Trojan horses, viruses etc.

Page 4

The Threat

Trojans

Trojans are malware that appears to the user to perform a desirable function but (perhaps in addition to the expected function) steals information or harms the system.

Two main techniques used by Trojans in order to steal users’ credentials or initiate money transactions on their behalf are:

• Modifying the website’s client-side webpage.

• Sniffing the browser’s activity for information that is sent to different banks, before the packets are encrypted by SSL.

F5’s knowledge is based on extensive research into the several forms of Trojan infections, and on experience with cleaning infections and repairing the damage caused by zero-day threats. Our deep understanding of how the malware works is the key to producing the right defense mechanisms required to safeguard the information transmitted between the client and the organization.

Script injections

Recently several eBanking Trojan horses (e.g. Zeus, Cridex, Citadel) started using script injection techniques in order to modify the original web page. The modification may enable the attacker to perform money transactions using the victimized users’ credentials. This may be perpetrated by a Trojan horse injecting malicious JavaScript code into the client’s browser once the client is connected to the website. The injected code performs different functions, including attempting a money transfer from the client’s account.

In order to manage the information sent by the Trojans, the attackers have developed different types of command and control systems that enable them to grab and manage the information sent by the Trojan. These are usually PHP-based systems accompanied by an SQL database.

Page 5

Summary of the Attack

The attack is made in order to infect users’ devices with a cross-device Cridex eBanking Trojan. The attacker utilizes a few known methods in order to overcome the user’s ability to detect the attack and to bypass the need for the user to confirm the installation of the Trojan.

The stages of the attack:

1. The user receives an email from the attacker containing a link.

2. The user clicks on the link.

3. The browser requests a page from a remote Blackhole exploit kit.

4. The Blackhole exploit kit scans the user’s browser for vulnerabilities and injects the page with a PDF file.

5. The PDF file running in the user’s browser downloads the Trojan and installs it on the user’s machine, utilizing an Adobe Acrobat Reader vulnerability.

6. Once inside his eBanking account, the user is asked to enter his smartphone number.

7. A link is sent to the user’s device asking him to install a malicious application.

8. The user’s submitted credentials and personal information are captured by the Trojan and sent to a remote DropZone, and at the same time an automatic monetary transaction is initiated by the attacker.

Page 6

Infection Details

Blackhole Origins

These are the Blackhole origin and infection pages:

URL: hxxp://kaarqo.releasesmanaged.com.au/TARGETED_BANK/
IP: 69.197.18.174
Country of origin: United States of America

URL: hxxp://ftegu9.votersparty.net/TARGETED_BANK/
IP: 208.70.150.9
Country of origin: United States of America

URL: hxxp://5b0y1y.siens.com.br/TARGETED_BANK/
IP: 186.215.182.21
Country of origin: Brazil

URL: hxxp://tryidon.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania

URL: hxxp://motott.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania

URL: hxxp://vkokoi.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania

URL: hxxp://basanaj.ru/TARGETED_BANK/
IP: 5.254.96.215
Country of origin: Romania

URL: hxxp://byuhera.ru/TARGETED_BANK/
IP: 5.254.96.218
Country of origin: Romania
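Four of the .ru landing domains above resolve to the same address (5.254.96.215), which makes the IP, not the throw-away hostname, the useful pivot for hunting. The following Python script is an added example, not code from the report or from F5: it clusters the listed indicators by IP and then sweeps a small set of constructed proxy log lines (format and contents invented here) for requests to any listed hostname or IP, so that a client that reached a not-yet-listed hostname on known infrastructure is still flagged.

```python
"""Pivot on shared infrastructure and hunt for the listed indicators in proxy logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the report's Blackhole origin list (hostname, IP, country).
BLACKHOLE_PAGES = [
    ("kaarqo.releasesmanaged.com.au", "69.197.18.174", "United States"),
    ("ftegu9.votersparty.net", "208.70.150.9", "United States"),
    ("5b0y1y.siens.com.br", "186.215.182.21", "Brazil"),
    ("tryidon.ru", "5.254.96.215", "Romania"),
    ("motott.ru", "5.254.96.215", "Romania"),
    ("vkokoi.ru", "5.254.96.215", "Romania"),
    ("basanaj.ru", "5.254.96.215", "Romania"),
    ("byuhera.ru", "5.254.96.218", "Romania"),
]

# Constructed proxy log lines (not from the report):
# timestamp client method url destination-ip status
SAMPLE_PROXY_LOG = """\
2014-01-15T10:22:03Z 10.0.0.5 GET http://www.example.com/news 93.184.216.34 200
2014-01-15T10:23:41Z 10.0.0.5 GET http://kaarqo.releasesmanaged.com.au/TARGETED_BANK/ 69.197.18.174 200
2014-01-15T10:23:44Z 10.0.0.5 GET http://kaarqo.releasesmanaged.com.au/TARGETED_BANK/f.pdf 69.197.18.174 200
2014-01-15T11:02:10Z 10.0.0.9 GET http://cdn.example.net/app.js 203.0.113.7 304
2014-01-15T11:15:55Z 10.0.0.12 GET http://unlisted-host.example/landing/ 5.254.96.215 200
"""


def cluster_by_ip(indicators):
    """Group hostnames by the IP that served them. Several of the .ru domains
    share one address, so the IP is a better pivot than any single hostname."""
    clusters = defaultdict(list)
    for host, ip, _country in indicators:
        clusters[ip].append(host)
    return dict(clusters)


def parse_line(line):
    """Split one constructed log line into its fields and pull the hostname from the URL."""
    ts, client, _method, url, dst_ip, _status = line.split()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "client": client, "host": host, "dst_ip": dst_ip}


def find_hits(log_text, indicators=BLACKHOLE_PAGES):
    """Return (timestamp, client, host, dst_ip, reasons) for every request that
    touches a listed hostname or a listed IP. Matching on the IP as well catches
    new hostnames parked on infrastructure that is already known."""
    known_hosts = {h for h, _, _ in indicators}
    known_ips = {ip for _, ip, _ in indicators}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["host"] in known_hosts:
            reasons.append("known-host")
        if rec["dst_ip"] in known_ips:
            reasons.append("known-ip")
        if reasons:
            hits.append((rec["ts"], rec["client"], rec["host"], rec["dst_ip"], reasons))
    return hits


def affected_clients(log_text, indicators=BLACKHOLE_PAGES):
    """Distinct internal clients that reached the listed infrastructure, for triage."""
    return sorted({hit[1] for hit in find_hits(log_text, indicators)})


if __name__ == "__main__":
    for ip, hosts in cluster_by_ip(BLACKHOLE_PAGES).items():
        print(ip, "->", ", ".join(hosts))
    for hit in find_hits(SAMPLE_PROXY_LOG):
        print(*hit)
    print("clients to triage:", affected_clients(SAMPLE_PROXY_LOG))
```

On the constructed sample the two requests to kaarqo.releasesmanaged.com.au match on both hostname and IP, while the request to the unlisted hostname matches on IP alone; both 10.0.0.5 and 10.0.0.12 come out as clients to examine for the dropped PDF and EXE.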

Page 7

The Email Sent To the Victim

Sample of one, out of many, infection e-mails sent by the attacker to a distribution list gathered online:

The user clicks on the link and downloads a ZIP file.

Page 8

ZIP file name: "Weitere_Informationen_zum_Transaktions_TARGETED_BANK"

The user installs the malicious executable file.

Page 9

Once the user clicks on the PDF file, an obfuscated JavaScript runs on the system. The JavaScript runs a page of the infamous Blackhole exploit kit, which leads to the installation of the Trojan horse on the user's system through an Acrobat Reader vulnerability exploit.

Once that PHP page is running in the user's browser, the system is scanned for browser vulnerabilities and the user is injected with a payload-infected PDF file.

Sample from the code:

Page 10

Page 11

Analysis of the EXE file

Properties

Page 12

Anti-Virus Scanning Results

Page 13

Executing the EXE file reveals that it is indeed a variant of the Cridex Banking Trojan.

Severity: HIGH

The malware is a password-stealing Trojan equipped with the following features:

• Known for installing fake SSL certificates to mislead users in SSL transactions.

• Data capturing ability, including banking passwords.

• Opening a new TCP port connection to send the information.

• HTML injections.

• Stealing the victim’s computer information:

  • IMAP/POP3/SMTP usernames, passwords and server information from mail clients.

  • Bookmarks.

  • E-mail addresses from the Windows Address Book.

Page 14

Cridex Configurations

The Cridex Trojan is a MITB (man-in-the-browser) type of Trojan that is able to detect the website the user is visiting and inject the dedicated code into the user’s web browser. It also has the ability to capture the user’s submitted information and forms and deliver it to the attacker’s dropzone.

In order to infect the user, the EXE file is known to be sent via email spam such as fake UPS orders, postal services, Groupon and many more. Once the user downloads the EXE and executes it, the Trojan is activated and it installs itself on the victim’s machine.

The Trojan also modifies the victim’s registry; the new values also include the Trojan’s configuration file. The set value is hexadecimal and can be de-obfuscated.

Sample of the obfuscated configuration file:

Page 15

Sample of the de-obfuscated configuration file:

As can be seen in the de-obfuscated code above, the Trojan targets a vast number of financial institutions worldwide.
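The report states that the configuration lands in the registry as a hexadecimal value; the first analyst step is to get it back to bytes and list the hosts it references, which gives the target list (and any C&C or drop zone) without reversing the injection logic. The Python below is an added example, not F5's tooling and not the real Cridex configuration format: the blob it decodes is a constructed config-like sample with some non-printable bytes mixed in, and the decoder tolerates the comma-separated `hex:` form that .reg exports use as well as a dangling nibble.

```python
"""Decode a hex-encoded registry value and pull out the hostnames it references."""
import binascii
import re

# Constructed stand-in for the registry value (NOT the real Cridex configuration):
# a config-like blob with non-printable bytes mixed in, hex-encoded the way the
# report describes the stored value.
_PLAIN_SAMPLE = (
    b"<cfg>\x00\x01\x02"
    b'<target url="https://ebanking.example-bank.test/*/transfer"/>\xff\xfe'
    b'<target url="https://online.example-credit.test/login"/>'
    b"<cc>http://c2.example-drop.test/gate.php</cc>"
    b'<target url="https://ebanking.example-bank.test/*/payee"/>'
    b"</cfg>"
)
SAMPLE_REG_VALUE = binascii.hexlify(_PLAIN_SAMPLE).decode("ascii")


def decode_hex_value(hex_text):
    """Turn the exported hex string into bytes. A .reg export looks like
    'hex:3c,63,...' and may be wrapped over several lines, so drop the prefix,
    ignore separators, and discard a dangling nibble instead of aborting."""
    text = re.sub(r"^\s*hex(\([0-9a-fA-F]+\))?:", "", hex_text.strip())
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned)


def printable_strings(data, min_len=6):
    """A 'strings'-style pass: runs of printable ASCII at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Hostname is group 1; the path is consumed up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")


def extract_hosts(data):
    """Unique hostnames referenced by URLs inside the decoded blob, in first-seen order."""
    seen = []
    for s in printable_strings(data):
        for m in URL_RE.finditer(s):
            host = m.group(1).lower()
            if host not in seen:
                seen.append(host)
    return seen


def analyse_registry_value(hex_text):
    """Decode the value and summarise what it points at."""
    data = decode_hex_value(hex_text)
    return {"decoded_bytes": len(data), "hosts": extract_hosts(data)}


if __name__ == "__main__":
    summary = analyse_registry_value(SAMPLE_REG_VALUE)
    print(summary["decoded_bytes"], "bytes decoded")
    for host in summary["hosts"]:
        print("referenced host:", host)
```

The hosts come out de-duplicated in the order they appear, which is what you want to diff against a bank's own domain list: anything not owned by a targeted institution is a candidate C&C or drop zone to hand to the SOC for blocking.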

Page 16

The C&C of the Trojan can be seen while monitoring the traffic: hxxp://portasible.ru/BUYee/+jHKSCAAAA/xyVpBAAAAA

DNS Query: portasible.ru

The server’s IP: 37.235.48.69

Whois information

The DropZone can be detected in the injected code:

Page 17

DNS Query: tstore.mobi

The server’s IP: 37.235.53.202

The information captured by the Trojan is saved in a local log file of the Trojan and delivered to the attacker's DropZone. The saved logs include the saved webpage (base64-encoded), the captured URLs and all of the submitted information.

Page 18

The Injected Code

As the Trojan is a generic one that attacks a vast number of financial institutions worldwide, it includes a number of JavaScripts, of which only a few will be activated, depending on the user's eBanking account.

Unlike what has been seen before with this kind of Trojan variant, the code is injected into internal webpages of the bank and NOT into the login page loaded by the user at the beginning of the session.

Below is a sample of the injected code. Each JavaScript is triggered by the browser depending on the targeted internal URL.

Page 19

The injected code communicates with another malicious server located at:

DNS Query: start-ssecurity.com

The server’s IP: 62.75.196.133

Page 20

Infected User Interaction

Once the user ends the login session and has entered his eBanking account, the Trojan injects the relevant code according to the relevant financial institution. This specific Trojan is modified to use IBM’s recent security company acquisition – Trusteer – to make the users think that the bank has started to use Trusteer security solutions, and asks them to download the company’s security mobile application.

Page 21

1) The user sees the bank notification regarding “the new security solution” and is asked to download an application to his mobile device.

2) Clicking on the ‘DOWNLOAD’ button will pop up a new notification asking the user to enter his phone number and choose his mobile device.

Page 22

3) The user receives an SMS on his smartphone containing a link to download the application:

hxxp://mobiletrusteer.mobi/TARGETED_BANK.apk

4) Clicking the SMS link will install the malicious application on the user’s smartphone; the user is then asked to activate it by granting administrator permissions to the mobile Trojan.

Page 23

On being launched, the application sends an SMS message to the attacker’s mobile number: +447781470730

5) A window is displayed to the user in which he is requested to enter his password and password verification.

Page 24

When the user clicks the submit button, the application compares the password and the password verification field without sending any data to the attacker. In case of a match, the user will see the confirmation code screen on his smartphone.

6) The victim’s "confirmation code":

Page 25

Then, the user is asked to enter it in the website as seen below:

The Trojan completes the process by displaying a message on the victim’s computer informing him of the completion of the “security” upgrade and that he can proceed to his online eBanking activities.

Additional information

Once the application is installed on the device, every incoming SMS message is scanned by the application (mobile Trojan).

When the user receives an SMS message in the format "random&&time", the application saves the time parameter and, within this time range, delivers all the incoming SMS messages to the attacker without the victim’s knowledge.

In order to stop this message forwarding process, the attacker sends an SMS message in the format “DELETE" to the user's phone.
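The two control messages described above ("random&&time" to open a forwarding window, "DELETE" to close it) are a usable detection signature for anyone reviewing SMS records from a suspected device, whether in a mobile forensics export or in an operator's message logs. The Python below is an added example, not F5's code and not the mobile Trojan's parser: it classifies each message, reconstructs the forwarding windows, and lists which ordinary messages (for instance a bank's one-time code) arrived while a window was open and would therefore have been forwarded. The report does not state the unit of the time parameter; this example assumes minutes, and the message list is constructed.

```python
"""Audit an SMS log for the mobile Trojan's control messages and exposed one-time codes."""
import re
from datetime import datetime, timedelta

# "random&&time": a random token, the literal '&&', then a numeric time parameter.
ACTIVATE_RE = re.compile(r"^[A-Za-z0-9]+&&(\d+)$")
DEACTIVATE = "DELETE"

# Constructed SMS records (timestamp, sender, body); not taken from the report.
SAMPLE_SMS = [
    ("2014-01-15T10:30:00", "+15550000001", "Lunch at 1?"),
    ("2014-01-15T10:31:10", "+15550000002", "k3j9x&&30"),
    ("2014-01-15T10:35:42", "BANK", "Your one-time code is 193775"),
    ("2014-01-15T10:40:03", "+15550000002", "DELETE"),
    ("2014-01-15T10:41:00", "BANK", "Your one-time code is 600212"),
]


def classify(body):
    """Return ('activate', minutes), ('deactivate', None) or ('message', None)."""
    body = body.strip()
    if body == DEACTIVATE:
        return ("deactivate", None)
    m = ACTIVATE_RE.match(body)
    if m:
        return ("activate", int(m.group(1)))
    return ("message", None)


def audit_sms_log(messages):
    """Walk the log in order, tracking the forwarding window the control messages
    open and close. Returns (commands, exposed): the control messages found, and
    the ordinary messages that arrived while forwarding was active."""
    commands = []
    exposed = []
    window_end = None
    for ts_str, sender, body in messages:
        ts = datetime.fromisoformat(ts_str)
        kind, value = classify(body)
        if kind == "activate":
            # Unit of the time parameter is not given in the report; minutes assumed.
            window_end = ts + timedelta(minutes=value)
            commands.append((ts_str, sender, kind, value))
        elif kind == "deactivate":
            window_end = None
            commands.append((ts_str, sender, kind, None))
        elif window_end is not None and ts <= window_end:
            exposed.append((ts_str, sender, body))
    return commands, exposed


def control_senders(messages):
    """Numbers that issued control messages: the attacker's side of the channel."""
    commands, _ = audit_sms_log(messages)
    return sorted({c[1] for c in commands})


if __name__ == "__main__":
    cmds, leaked = audit_sms_log(SAMPLE_SMS)
    for c in cmds:
        print("control message:", c)
    for e in leaked:
        print("forwarded while window open:", e)
    print("control senders:", control_senders(SAMPLE_SMS))
```

In the constructed log the code sent at 10:35 falls inside the 30-minute window opened at 10:31 and is reported as exposed, while the code sent after the DELETE at 10:40 is not; the sender of the control messages is the number to hand to the operator or the SOC.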

Page 26

The SMS parser process:

Last stage of the attack

The JavaScript running on the victim's computer receives the TAN/OTP and completes the transaction. The TAN is pulled from storage by the computer Trojan, which in turn sends it to the bank to complete the illicit transfer of money out of the bank customer’s account and into the attacker’s “mule” account. The customer’s screen does not show any of this activity, and the customer is completely unaware of the fraudulent action that has just taken place.

Page 27

Details and Detection Ratio

Anti-Virus Scanning Results

Only 21 anti-virus engines out of 46 detected the Cridex cross-device Trojan as a malicious application. The full scan results are as follows:

Page 28

Page 29

Required Permissions

Once activated by the user on his smartphone, the attacker has administrator permission on the victim’s device. He is therefore able to control a vast number of functions, such as:

1. Send/receive SMS messages using the victim’s mobile phone number.

2. Have internet access through the victim’s mobile.

3. Control incoming & outgoing direct phone calls.

4. Move between WIFI networks.

5. Change the phone states.

6. Delete/modify SD card contents.

7. Read contact list data.

8. Record any audio of the device.
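Every capability in the list above corresponds to one or more declared Android permissions, and the device-administrator request shows up in the manifest as a receiver protected by BIND_DEVICE_ADMIN. That makes a decoded AndroidManifest.xml enough for a first triage of an APK sent to users by SMS. The Python below is an added example, not F5's or any AV vendor's code: it parses a constructed manifest (invented package name and component names; the permission and action names are the real Android ones), maps the permissions onto the report's capability groups, and flags the combinations that matter for an SMS-stealing Trojan. A second, benign manifest is included to show the contrast.

```python
"""Triage an APK manifest against the capabilities listed in the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups mirroring the report's list; the permission names are the real Android ones.
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "internet": {"android.permission.INTERNET"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "wifi": {"android.permission.CHANGE_WIFI_STATE", "android.permission.ACCESS_WIFI_STATE"},
    "phone_state": {"android.permission.READ_PHONE_STATE"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
}

# Constructed manifest of a fake "security app" (package and class names invented).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Security">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (declared permissions, asks for device admin, registers an SMS receiver)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    device_admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    sms_receiver = any(a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
                       for a in root.iter("action"))
    return perms, device_admin, sms_receiver


def triage(xml_text):
    """Map permissions to the report's capability groups and flag the dangerous combinations."""
    perms, device_admin, sms_receiver = parse_manifest(xml_text)
    caps = sorted(name for name, needed in CAPABILITIES.items() if perms & needed)
    findings = []
    if device_admin:
        findings.append("requests device-administrator rights")
    if "android.permission.RECEIVE_SMS" in perms and sms_receiver:
        findings.append("registers a receiver for incoming SMS")
    if {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"} <= perms \
            and "android.permission.INTERNET" in perms:
        findings.append("can read, send and exfiltrate SMS")
    return {"capabilities": caps, "findings": findings, "score": len(caps) + 2 * len(findings)}


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The score is a simple ordering aid, not a verdict: a legitimate messaging app also holds SMS permissions, but a "bank security" app that combines SMS receipt, network access and a device-admin receiver matches exactly the behaviour the report describes and should be pulled for dynamic analysis.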

Page 30

Attack Takedown

A couple of hours after the first notification was received, the F5 Security Operation Center commenced the shutdown of the attack. In a very short time frame, all attack resources were blocked.

APK resource after SOC shutdown:

Script resource after SOC shutdown:

Page 31

Script resource after SOC shutdown:

Trojan C&C after SOC shutdown:

All executable file resources were shut down as well.

Page 32

Counter-measures

1. Educate your users not to open or click on unknown/unexpected email links.

2. Implement an antivirus solution for your organization and protect your end users. Don’t forget to keep it up to date.

3. Patch your end users’ machines; make sure their software is updated, including browsers, Java, Flash, PDF readers, and all of the Microsoft software.

4. Limit your users’ accounts; not everybody has to be an administrator.

5. Apply strict web content filters on the users’ browsers.

6. Implement a mail scanning solution.

7. Implement F5 WebSafe & MobileSafe to detect infected users entering your web page and mitigate the Trojans.

For more useful tips contact your local F5 Networks account manager.

Page 33

Appendix—F5’s solution

Real time identification of affected users

The WebSafe/MobileSafe contains code to detect duplicated communications, a sure sign that the user is affected by a Trojan and that the information provided by it to the bank is also sent to an unauthorized drop zone.

Identification of malicious script injection

Once downloaded to the client’s browser, the WebSafe/MobileSafe makes sure there has been no change to the site’s HTML. In case such a change is detected, the bank is notified immediately.

Protection against Trojan-generated money transfers

The combination of recognizing affected users, encrypting information, and recognizing malicious script is a key element in preventing Trojans from performing unauthorized actions within the account. The WebSafe/MobileSafe component detects the automatic attempts and is able to intercept them.

Malware research

F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team also analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat.

Authors

Adir Tzadok, Security Operation Center Analyst

Itzik Chimino, Security Operation Center Team Leader

Ilan Meller, Security Operation Center Manager

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com

F5 Networks, Inc. Corporate Headquarters

F5 Networks Asia-Pacific

F5 Networks Ltd. Europe/Middle-East/Africa

F5 Networks Japan K.K.

©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.

Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 01/14

RPRT-SEC-17954-malware-analysis