Malware Analysis Report: Cridex Cross-device Online Banking Trojan
Co-Authored with Itzik Chimino.
---
The F5 Security Operation Center
In 2013, F5 Networks acquired the security company Versafe, the developer of an online banking anti-fraud solution that fit neatly into F5’s security story. An additional asset gained from the acquisition was the Versafe security operations center (SOC). The SOC works with customers and end users to analyze malicious software, and it publishes periodic threat intelligence based on those analyses.
The SOC report for January 2014 provides an analysis of a variant of the Cridex cross-device malware, which has been observed attacking online banking customers in 2013.
This malware variant exhibits several alarming attributes, including:
- Ability to attack dozens of retail bank sites
- Transmission via spear phishing
- Malicious script injection
- Ability to bypass two-factor authentication (2FA) via a mobile malware component
- Use of a bogus vendor endpoint security application as the lure for the mobile malware
Taken together, these attributes signal a new baseline of malware sophistication.
Analysis Highlights
The January report shows each of the variant’s attack characteristics by examining the flow of the attack, starting with spear-phishing and culminating with an automated financial transaction that steals the victim’s money.
Spear Phishing
The attack begins with a broad message campaign. Because this variant can attack so many different retail banking sites, the campaign does not need to be targeted at a particular set of banking customers. The messages can be SMS texts, emails or Facebook messages. The report includes a sample of an email that appears to originate from Facebook, tricking the user into clicking a link.
Malicious Script Injections
The user believes that clicking the link will show social notifications, but in reality, he is directed to a website that probes his browser for vulnerabilities through which the website can install the Cridex desktop malware variant. After infection, when the user connects to his banking website, the variant malware selects the malicious code designed specifically for that bank and injects it into the user’s browser. Ultimately, the injected script will attempt a money transfer.
The variant of the Cridex malware analyzed in the report also records the end user’s banking credentials (the username and password) and sends them to an offsite “drop zone.”
Bypassing Two-Factor Authentication
Malware that steals banking credentials has been a known problem for years. One of the most effective countermeasures that the banking industry has put in place is two-factor authentication (2FA). This means that the user must authenticate not only via password but with an additional, non-guessable piece of information. Most online banking institutions use SMS (texting) for this: they transmit a six-character code via text to the user’s mobile device, and the user then inputs that code as the second element of their authentication information.
According to the January SOC report, the variant of Cridex can bypass this SMS-based 2FA countermeasure.
Mobile Malware Masquerading as Endpoint Security
The bypass works by installing additional malware onto the user’s mobile device. In one example cited by the report, the malware variant in the user’s browser fakes an alert that the bank is now asking all users to install an endpoint security software solution on mobile devices to prevent fraud. The unsuspecting end user, wanting to do the right thing, installs the mobile malware, which impersonates security software.
After the mobile malware is installed, it monitors incoming texts for the 2FA code sent by the bank. It intercepts these codes and sends them to the drop zone, where they are retrieved by the malware running in the user’s browser to complete an automated transaction.
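The flow above shows why a code that merely proves "the user has the phone" is not enough once the phone is also compromised: the intercepted code authorizes whatever transaction the browser-side malware submits. The following is an added example, not code from the F5/Versafe report or from any bank, of a hypothetical server-side verifier that binds each SMS code to the session it was issued for and to the exact amount and destination it authorizes, and that rejects expiry and replay. The class name, field names and sample account identifiers are assumptions made for this illustration; the accompanying SMS message would state the same amount and destination so the user can spot a mismatch.

```python
"""Added example (not from the report): transaction-bound SMS codes.

Assumed bank-side logic: a six-digit code is issued per (session, amount,
destination) and is only accepted for that exact transaction, once, within
a short window. An intercepted code therefore cannot authorize a transfer
to a different destination or amount.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120.0  # assumed lifetime of an SMS code


@dataclass
class IssuedCode:
    code: str
    session_id: str
    amount_cents: int
    dest_account: str
    issued_at: float
    used: bool = False


class TransactionOtpService:
    """Issues and verifies SMS codes bound to a specific transaction (hypothetical)."""

    def __init__(self, ttl_seconds: float = CODE_TTL_SECONDS) -> None:
        self.ttl = ttl_seconds
        self._pending: dict[str, IssuedCode] = {}  # one pending code per session

    def issue(self, session_id: str, amount_cents: int, dest_account: str,
              now: float | None = None) -> str:
        """Create a code for one transaction; the SMS should repeat amount and destination."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[session_id] = IssuedCode(code, session_id, amount_cents, dest_account, now)
        return code

    def verify(self, session_id: str, code: str, amount_cents: int, dest_account: str,
               now: float | None = None) -> tuple[bool, str]:
        """Accept the code only for the session and transaction it was issued for."""
        now = time.time() if now is None else now
        rec = self._pending.get(session_id)
        if rec is None:
            return False, "no code pending for this session"
        if rec.used:
            return False, "code already used"
        if now - rec.issued_at > self.ttl:
            return False, "code expired"
        # Constant-time comparison so timing does not leak digits of the code.
        if not hmac.compare_digest(rec.code, code):
            return False, "wrong code"
        if rec.amount_cents != amount_cents or rec.dest_account != dest_account:
            return False, "code does not match this transaction"
        rec.used = True
        return True, "ok"


def simulate_intercepted_code() -> list[tuple[bool, str]]:
    """Constructed scenario: the legitimate code is captured and replayed for a different transfer."""
    svc = TransactionOtpService()
    t0 = 1_000.0
    code = svc.issue("sess-victim", 50_000, "ACCT-LEGIT-0001", now=t0)   # constructed sample
    return [
        # Malware submits the captured code with its own destination/amount.
        svc.verify("sess-victim", code, 999_999, "ACCT-MULE-0002", now=t0 + 10),
        # The user's own transaction succeeds once.
        svc.verify("sess-victim", code, 50_000, "ACCT-LEGIT-0001", now=t0 + 20),
        # Replay of the same code is refused.
        svc.verify("sess-victim", code, 50_000, "ACCT-LEGIT-0001", now=t0 + 21),
    ]


if __name__ == "__main__":
    for ok, reason in simulate_intercepted_code():
        print(ok, reason)
```

The design choice worth noting is that session binding alone does not help here, because the malicious transfer is submitted from the victim's own browser session; it is the binding to amount and destination, echoed in the SMS text, that denies the intercepted code its value.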
Conclusion and Publication
Malware sophisticated enough to have specific attack scripts for dozens of different online banks poses a significant threat to the global retail banking industry. The fact that it is already capable of bypassing two-factor authentication via SMS makes it an even more urgent issue to address.
The January 2014 SOC malware analysis report contains the full breakdown of this variant of the Cridex malware and provides guidance on how it, and other variants, can be impeded.
The January 2014 Security Operation Center report can be downloaded here.