Is Slempo/GM-Bot the new standard for mobile malware?
Introduction Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications, and is a well known threat in the world of mobile malware. In most cases Slempo/GM-bot presents itself as “Adobe Flash Player Update”, this disguise is very popular in the mobile malware sphere, and used in order to trick the user into granting the malicious application administrator privileges. Upon the user’s acceptance the malware is installed on the device and is capable of controlling it. Among the malware’s many functionalities are: Intercept, redirect and block SMS messages and calls Lock and unlock the device Wipe the device Display it’s own content over legitimate applications Send stolen user credentials (obtained by displaying fake content) back to the Command & Control server. After completing initial installation, the malware will contact its Command & Control server, send it a list of all applications installed on the device and various other device information, and will download a configuration file which it will save locally on the device at the following path: /data/data/%App_Name%/shared_prefs/AppPrefs.xml This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting. Fig. 1 – Device data and installed applications sent to C&C server. Encoded Configuration & Fraudulent Activity The encoded configuration file which is downloaded from the Command & Control server contains the targeted application names and content to be displayed to the victim upon activation of a targeted application, as can be seen below: Fig. 2 – A snippet of the encoded configuration file Fig. 3 – Decoded configuration snippet showing fraudulent HTML content to be displayed on top of the targeted application and harvest user’s credentials. When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on-top of the targeted application: Fig. 4 – Fraudulent content displayed on top of legitimate application. After entering his credentials into what the victim perceives to be the legitimate application, the malware then sends the credentials to its C&C server, as seen below: Fig. 5: Victim’s credentials are sent to the C&C server. Targets Slempo targets many various financial and non-financial applications worldwide, as can be seen in the chart below: Fig. 5: Slempo Target Distribution. NOTE: Applications which are not region or country specific are categorized as “Other”. Known Slempo/GM-bot Sample MD5s: 288ad03cc9788c0855d446e34c7284ea e740233e0a72be4db2dcd5d5b7975fa0 3ef8e4ea08e9eff6db3c9ebf247a97b5 45e66a89db86309673d33b1aa4047fd1 a5387f3487c0749394def743a7345c47 f90cded5ec2a6c29b636945af85e3069 Mitigation To learn more about F5 fraud protection and how F5 can mitigate threats such as Slempo, please read the MobileSafe datasheet as well as the WebSafe datasheet.
Tinbapore: Millions of Dollars at Risk
Detected by F5 WebSafe security solutions during November 2015, Tinbapore attack has put millions of US dollars at risk. F5 Security experts investigation revealed that Tinbapore is actually a new variant of the good old Tinba Malware that so far was targeting financial institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas. The original Tinba malware was written in the assembly programming language and was noted for its very small size (around 20 KB including all Webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine so it can intercept HTTP requests and perform web injections. Newer and improved versions of the malware employ a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down. This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background. It differs from most previous versions in that it actively targets financial entities in the Asian Pacific (APAC), which was previously uncharted territory for Tinba. To download your copy of the Tinbapore variant analysis report, click here.A New Twist on DNS NXDOMAIN DDoS
DDoS attacks are increasing in scale and complexity, threatening to overwhelm the internal resources of businesses around the world. The F5 Silverline Security Operations Center (SOC) recently saw a new distributed denial-of-service (DDoS) attack vector targeting a customer’s DNS servers with malicious traffic averaging between 8 and 12 Mbps and bursts of malicious traffic peaking at over 100 Mbps. This attack began in mid-August and continued through November 2015. It was not a typical reflection attack where DNS servers are used to attack a web site, but an attack against the actual DNS servers. Through additional investigation, the SOC analysts identified the vector and crafted a targeted mitigation for this new “_dmarc” attack. In their investigation, Edgar Ojeda and his colleagues found that F5 Silverline customer's DNS servers were receiving hundreds of thousands of randomized queries for “_dmarc” DNS records even if from a volumetric standpoint this amount of traffic seems to be trivial. Then, they noticed that _dmarc DNS queries were for non-existent subdomains and that customer’s DNS infrastructure was becoming unstable. As the attack continued and after further investigation, F5 SOC created a finely tuned signature that successfully scrubbed all malicious traffic and the customer’s service became operational again. To read the full report describing the attack, click here. If you are under attack, just click this link and we can get you back online! Click here to learn more about howF5 Silverline mitigate DDoS attack.Yasuo-Bot–the flexible mobile banker targeting Russia and East-Europe
Mobile financial malware needs little introduction, since 2010 mobile malware is on the rise. The first mobile Trojan launched was ‘Zitmo’ (Zeus-In-The-Mobile. A Mobile version of the most common PC Trojan – ZeuS) which was then followed by many different variants of mobile Trojans with a financial focus such as mToken, Perkele, iBanking, and more. Nowadays, the majority of mobile Trojans mostly target Android devices using different techniques to gain administration permissions on the victims’ device, steal users TANs (Transaction Authorization Number), intercepting SMS messages containing OTPs, performing credential grabbing, presenting fraudulent content, performing automatic money transfers and more. The main technique employed by Mobile Banking Trojans, which infect mobile phones and steal passwords and other data when the victim logs onto their online bank account, is by posting its own their own fraudulent content over the actual legitimate application being presented to the user – known as an “Overlay”, which is usually hard-coded into the malicious package. Yasuo-Bot takes this technique one step further, and dynamically displays fraudulent content “on the fly” by receiving it directly from its Command and Control based on its configuration. This departure from earlier mobile malware design adds a dimension of flexibility to the malware and its operator, allowing for much greater tailoring and customization ability of the fraudulent content; and a far greater number of targets that the malware can potentially attack without greatly increasing package size. The malware will present itself as one of several legitimate application such as “Google Play” in an attempt to fool the user into granting it administrator privileges: Upon the victims’ agreement, the malware will gain a vast array of all-encompassing system permissions. Including, but not limited to: Full internet access Read, write and send SMS messages Change device settings (including device password) Lock and unlock the device Make phone calls Display own content over other applications Access to contacts list, call history, browser history and bookmarks, and device location Once the malware has gained system administrator permissions it will send the Command and Control server a request for a configuration file, along with some general information about the victim. Including: Android OS version Device IMEI Phone number Country information Bot Version The returned configuration file contains the list of applications targeted for overlay, and is saved locally on the victims device. When the malware detects a targeted application is activated, it will request application-specific fraudulent content from the Command and Control and display it to the user instead of the legitimate application the user activated: Fraudulent content is displayed to the user “on-top” of the legitimate application: Once typed in by the victim, the entered credentials are sent back to the Command and Control server, along with the “application” they were harvested from: But Yasuo’s bag of tricks doesn’t end there! One variant encountered goes so far as to target several default Android applications which are present on virtually all android devices, alongside its set of targeted banking applications, in an attempt to get to the users credentials: Chrome browser Facebook application Android default settings application Android default phone application Android default SMS application When this variant detects a targeted (non-banking) application is activated it will display a prompt to the user, once the user clicks through, it will display a second prompt where the user is asked to “choose his bank”. When the users chooses, he will then be redirected to a Phishing page identical in content and layout to the overlay pages the malware will display upon the activation of a targeted banking application. To summarize, this new and actively evolving malware brings much greater flexibility and customization ability to its authors and operators, with the ability to target a virtually endless number of legitimate applications and the ability to dish out tailor-made fraudulent content for each application without greatly increasing the size of the malware package. F5 SOC will continue to investigate and monitor this new and emerging threat, and report on any new variants or new functionality encountered. To download the full Mobile Malware Analysis Report please click here. Known Yasuo-Bot samples (MD5): ab9032ed5625667068a96119ddca8288, 8be9f7867e9e32e996629b5a6c11b16c, 39526ecbe6c6186a3d0b290afa2f3764, e68826f3e2d5f5b1e3e31ab5b04331cbF5 SOC webinject Analysis
Recently several e-banking Trojans (Dyre, Cridex, and Tinba, for instance) have used script injection techniques to modify the original web page. The modification may enable the attacker to perform money transactions using victims’ credentials. This may be perpetrated by a Trojan injecting a malicious JavaScript code to the client’s browser, once the client is connected to the website. The injected code performs different functions, including attempting a money transfer from the client’s account, gaining control on mobile devices, and much more. To maintain the information sent by the Trojans, attackers have developed different types of command and control (C&C) systems that enable them to grab and manage the injected code and its functions these systems are usually PHP-based systems accompanied by a SQL database. In his research, Elman Reyes, F5 SOC Analyst in the Anti-Fraud team reveal another webinject that was detected by WebSafe and blocked by F5 SOC within just couple of hours. Please click here to download the full analysis report.Domain name holders hit with personalized, malware-laden suspension notices
This according to Zeljka Zorz, HNS Managing Editor from Help Net Security. In his article, Zeljka mention that new email spam campaign has been spotted targeting domain name holders, trying to trick them into downloading malware on their systems. The email is likely to fool some recipients, as it contains the valid domain registration and the recipient's full name, which the attackers must have harvested online, via the “whois” query. The sender's email address is also spoofed to make it look like the sender is the domain registrar. Those who get fooled and download and execute the file linked in the email will get saddled with malware - most likely a Trojan downloader, which will then proceed to download additional malware. Below is the spam e-mail that was sent: Subject: [Domain name] Suspension Notice Dear Sir/Madam, The following domain names have been suspended for violation of the Melbourne IT Ltd Abuse Policy: Domain Name: [domain name] Registrar: Melbourne IT Ltd Registrant Name: [Registrant name matching whois] Multiple warnings were sent by Melbourne IT Ltd Spam and Abuse Department to give you an opportunity to address the complaints we have received. We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone. We had no choice but to suspend your domain name when you did not respond to our attempts to contact you. Click here [LINK] and download a copy of complaints we have received. Please contact us by email at mailto:abuse@melbourneit.com.au for additional information regarding this notification. Sincerely, Melbourne IT Ltd Spam and Abuse Department Abuse Department Hotline: 480-124-0101 According to the article, the most targeted registrars are Melbourne IT and Dynadot that already notified their clients of this campaign. In their official notification Dynadot states that “We have recently become aware of fake abuse notifications being sent out to our customers. The abuse messages look like they are being sent from our abuse@dynadot.com email; however, these messages are NOT being sent from us and should be disregarded. If you receive one of these emails or an email that you think may not be from us, do not click on any links, reply directly to the email, or call the number listed in the email". To read Melbourne IT public announcement click here. F5 SOC is familiar with this spam campaign as well with many others that come and go almost every day. This attack vector is very common in the hacktivists communities that using Social Engineering to lure victims into opening links and/or attachments in e-mail messages in order to broader their botnet pools and inititate DDoS attacks, money transfer, identity theft and more. On a day to day basis, F5 mitigates online identity theft by preventing phishing, malware, and pharming attacks in real time with advanced encryption and identification mechanisms enabling financial organizations working online to gain control over areas that were once virtually unreachable and indefensible, and to neutralize local threats found on customers’ personal computers, without requiring the installation of software on the end user side. If you would like to learn more about F5 fraud protection, read the WebSafe datasheet as well as the MobileSafe datasheet. To learn more about F5 Security Operation Centers, read the F5 SOC datasheet. Click here to read the original article by Help Net Security.Slave Malware Analysis
During the last couple of weeks, Nathan Jester, Elman Reyes, Julia Karpin and Pavel Asinovsky got together to investigate the new “Slave” banking Trojan. According to their research, the early version of the Slave performed IBAN swapping in two steps with great resemblance to the Zeus “man-in-the-browser” mechanism. First, the host header is compared to a hard-coded bank name. If the match is successful, the hard-coded HTML tag is searched throughout the request body and the content is swapped if it matches the IBAN pattern. Then, After the browser infection which takes place in the exact manner as the later version, the malware places hooks on the outbound traffic functions. The latest version of the Slave is, of course, much more sophisticated than the first one and include creation of registry keys with random names, IE, Firefox and Chrome infections, kernel32.dll hooks and more. However, one of the most interesting capabilities of the Slave is the timestamp check. As can be seen in the screenshot below, the malware is conditioned to run before April 2015 and not after that so the sample is basically "valid" for two weeks only, probably to avoid research and detection. Click here to download the full technical Malware Analysis Report. Or here for the Executive Summay Report. To learn more about F5 Security Operation Centers, visit our webpage. -- Editors Note: F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.Slave – IBAN swap, persistency and Zeus-style webinject
Slave is a financial malware written in visual basic. It was first seen around March 2015 and has undergone a significant evolution. Slave conducts its attack by hooking the Internet browser functions and manipulating their code for various fraudulent activities. This manipulation can be used for fraudulent activities such as credentials theft, identity theft, IBAN swapping and fraudulent fund transfers. Two weeks before the discovery of ‘Slave’, the F5 research team analyzed an unknown malware variant that was used for swapping IBAN numbers – a technique used by fraudsters to swap the destination account number before a funds transfer takes place. Static analysis has shown a strong relationship between the two malware samples, implying that ‘Slave’ started out with a simple IBAN swap capability and later advanced to more advanced capabilities such as persistency and Zeus-style webinjects. If you want to deep-dive into the ‘Slave’ internals click here to read the full technical Malware Analysis Report by F5 SOC. --- Editors Note : F5 and DevCentral do not condone the usage of the term ‘slave’ in the context of our technology. In this case the term ‘slave’ is a name, used to specify a particular piece of malware. We believe removing or changing the term, here, would only cause confusion and remove information necessary for effective application security.
Dyre presents server-side web injects
Dyre is a relatively new banking Trojan, first seen in the beginning of 2014. It soon emerged as one of the most sophisticated banking and commercial malware in the wild. One of the main capabilities Dyre has presented, which differentiated it from the other well-known banking Trojans, was the “fake bank page” functionality. Once the victim tries to reach the real bank, Dyre intercepts the request and fetches its own fake page from one of its C&C servers. However, while researching the Trojans’ internals we noticed another stage in the fraud techniques evolution. “Traditional” fraud malware performs malicious JavaScript injection on the client machine while taking it from a configuration previously downloaded from the C&C server. However, Dyre maintains the injections on its C&C servers. This gives Dyre the flexibility to adjust the injected code on demand and minimize exposure of the existing web-injects. During our research we noticed two types of injections which lead to two different scenarios. In the first scenario, the web-injects (malicious JavaScript) stole just the login credentials, while in the second scenario it would also contain an embedded HTML page which targets credit card information as well. Other than just targeting financial online applications, using the “Grabber” module, Dyre enables its operators to steal virtually any user-supplied sensitive information online in large amounts. This information includes credentials for email applications, social platforms, hosting infrastructure, and corporate SSL-VPNs. While this information may be resold in the “underground”, the bigger risk is that malware operators might hijack email and social network accounts to perform surveillance, or blackmail individuals or organizations. They could also hijack hosting infrastructure to further deploy other malicious code, or break into organizations using stolen VPN credentials. Many have written about this new threat. However, few have succeeded in covering the entire fraud flow and most of its capabilities. For more details on the Trojan’s internals, read the report: https://devcentral.f5.com/s/d/dyre-malware-internals?download=trueDyre Malware Analysis
Dyre, also known as Dyreza, is a banking Trojan that was first seen around June 2014. With the combination of its ability to steal login credentials by browser hooking and bypassing SSL, its man-in-the-middle (MITM) proxy server, and its Remote Access Trojan (RAT) capabilities, Dyre has become one of the most dangerous banking Trojans. The Dyre Trojan is designed to steal login credentials by grabbing the whole HTTPS POST packet, which contains the login credentials sent to a server during the authentication process, and forwarding it to its own server. The malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to make a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup windows, and JavaScript/HTML injections. After all the information has been acquired by the attacker, he can remotely access the victim’s computer using a built-in VNC (Virtual Network Computing) module and perform transactions, data exfiltration, and more. How it works malware downloads a configuration file containing a list of targeted bank URLs. Each URL is configured to be redirected to Dyre’s MITM proxy server, on a different port for each bank. This allows the attacker to make a MITM attack by forwarding any user request to the bank and returning bogus data, including fake login pages, popup Malware behavior on a Win7-32bit system Surprisingly, the malware behaves differently on Win7-32bit, most likely due to security implementation differences. The method of registering itself as a system service is implemented on WinXP and 64bit systems (tested on Win7-64bit). On Win7-32bit, Dyre operates more similarly to the known Zeus malware by injecting code in the Explorer.exe process and operating from there. Man-In-The-Middle (MITM) Attack When a user enters his bank’s URL in the browser line, the Trojan is triggered and forwards the URL to the corresponding proxy server as stated in its configuration file. · The MITM proxy server forwards requests to the banks and disguises itself as the real user. · The returning response from the bank is intercepted by the proxy server. · Instead of the real response, the user receives a fake login page which is stored on the proxy server, and contains scripts and resources from the real bank’s page. The scripts and resources are stored in folders named after the unique port configured for each bank. · The information entered by the user is sent to the proxy server and then forwarded to the real bank server, allowing the attacker to log in instead of the user and perform operations on his behalf. The fake login page The fake page contains a script called main_new - , which is responsible for handling the objects presented to the user on the fake page and performing the MITM attack. The fake page contains an array of configuration parameters in the header. Some of the more interesting ones are: · ID. The unique identification of the bank, which is the same as the port number in the configuration file. · Incorrect login error. On each login attempt to the bank, the proxy server will forward the request to the real bank’s server and perform the authentication. If the authentication fails, it will also present an error to the user on the fake page. · Block message. If the MITM attack succeeds, the attacker is able to perform a transaction and block the user from accessing his account. This parameter stores the presented message. The F5 Solution Real-time identification of affected users - F5 WebSafe and MobileSafe are able to detect the user is affected by a Trojan and that the information provided by it to the customer is also sent to an unauthorized drop zone. Identification of malicious script injection – once downloaded to the client’s browser, WebSafe and MobileSafe make sure there has been no change to the site’s HTML. If such a change is detected, the customer is notified immediately. Protection against Trojan-generated money transfers - the combination of recognizing affected users, encrypting information, and recognizing malicious scripts is key to disabling Trojans from performing unauthorized actions within the account. WebSafe and MobileSafe detect the automatic attempts and intercept them. Malware research - F5 has a dedicated Trojan and malware R&D team that searches for new threats and new versions of existing ones. The team analyzes the programming techniques and methodologies used to develop the malware in order to keep the F5 line of products up to date and effective against any threat. To get the full technical detailed Malware analysis report click here. To download the executive summary, click here.
