VBKlip Banking Trojan Goes Man-In-The-Browser

VBKlip malware was first described by CERT Polska back in 2013. It started out as a simple yet effective threat targeting Polish online banking users. Its first incarnation intercepted clipboard data: once a user used the Windows "copy-paste" functionality, the malware changed the data being copied. It looked for an IBAN (International Bank Account Number) string format in the copied data and swapped it with its own hard-coded IBAN. Recently, my colleague Pavel Asinovsky and I witnessed a significant evolution in the malware, as it followed in the footsteps of well-known financial threats such as Zeus and Neverquest by resorting to man-in-the-browser techniques.

The current version's infection scheme starts with a downloader which downloads two files, wmc.exe and .windows.sys (a DLL), to %programdata%, as described in CERT Polska's blog. The malware survives a reboot thanks to the scheduled task it creates in the Windows Task Scheduler. This method is quite uncommon, as most malware uses run keys in the registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) in order to remain persistent.

After the malicious .windows.sys DLL is loaded into memory, it tries to communicate with several domains. The expected payload is another executable which is responsible for the core functionality. Each component is downloaded separately and has a different task in the overall control flow of the fraud. By dividing the operation into several modules, each of which depends on command and control server communication to download the next component, the fraudsters make the attack harder to analyze, since it is harder to obtain all of the components involved in the fraud.

The core module starts by creating a thread whose sole purpose is to check the running process list every 3 seconds.
Each process name is compared to a hard-coded list of browser names; the targeted browsers are the three major ones: Internet Explorer, Firefox and Chrome. Once the malware identifies a process of interest, it writes its malicious code into the process's memory and executes it. The malware uses a mutex of the format __NTDLL_CORE__<processID> for synchronization. This is a significant improvement over its previous version, which lacked synchronization and could only handle one running browser process. Now it swaps the IBAN in all running browser processes thanks to the mutex and the injection: it only injects into processes that don't have the mutex, and the mutex is created in every newly injected browser process.

The injected code hooks several key functions. It hooks communication-related functions in order to intercept the IBAN and swap it before the request leaves the browser. The hooked browser functions are:

    HttpSendRequestA
    HttpSendRequestW
    InternetWriteFile
    PR_Write

IBAN swapping is done in two steps. First, the Host header is compared to a hard-coded bank name. If the match is successful, the hard-coded <CreditAccount> HTML tag is searched for throughout the request body and its content is swapped if it matches the IBAN pattern. Otherwise, the malware scans the entire request body for the IBAN format and swaps every instance. The fact that a backup plan is used in case the bank name does not match shows that this feature is probably still being tested in the field. This feature bears a great resemblance to the Zeus man-in-the-browser mechanism, where bank names are matched against a configuration once the request is sent by the victim.

Although this approach to committing fraudulent transactions is pretty simplistic in comparison with its well-known counterparts in the wild, it is nonetheless successful, and it is safe to assume that the malware's evolution has yet to reach its final form.
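The two-step swap described above can be checked for during sandbox analysis by comparing what the analyst typed into the transfer form with what actually left the browser (for example a request body captured at an interception proxy). The following is an added example, not code from the original post or from the malware; the IBANs, request bodies and the "tagged-field" / "body-scan" labels are constructed here, and the mod-97 validation is included so that random digit runs are not reported as IBANs.

```python
import re
from dataclasses import dataclass, field

# Shape of a compact IBAN: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"\b[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}\b")
# The <CreditAccount> element the malware searches for when the bank name matches.
TAG_RE = re.compile(r"<CreditAccount>\s*([^<]+?)\s*</CreditAccount>", re.I)

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; accepts compact or space-grouped IBANs."""
    s = iban.replace(" ", "").upper()
    if not IBAN_RE.fullmatch(s):
        return False
    # Move the first four characters to the end, map A..Z to 10..35, then mod 97 must be 1.
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

@dataclass
class SwapReport:
    swapped: bool
    mode: str                      # "tagged-field", "body-scan" or "none"
    foreign: list = field(default_factory=list)

def analyse_request(body: str, expected_iban: str) -> SwapReport:
    """Compare the IBANs that left the browser with the one the analyst entered."""
    expected = expected_iban.replace(" ", "").upper()
    # Step 1: the targeted <CreditAccount> field (value may be space-grouped).
    tagged = [v.replace(" ", "").upper() for v in TAG_RE.findall(body)]
    foreign = [v for v in tagged if iban_is_valid(v) and v != expected]
    if foreign:
        return SwapReport(True, "tagged-field", foreign)
    # Step 2: the whole body, mirroring the malware's fallback scan for the IBAN pattern.
    anywhere = IBAN_RE.findall(body.upper())
    foreign = [v for v in anywhere if iban_is_valid(v) and v != expected]
    if foreign:
        return SwapReport(True, "body-scan", foreign)
    return SwapReport(False, "none")

# Constructed sample data: a valid Polish IBAN the analyst enters and a second valid
# IBAN standing in for the hard-coded account (not the real value from the sample).
USER_IBAN = "PL61109010140000071219812874"
MULE_IBAN = "PL34109010140000071219812875"
BODY_TAGGED = f"<Transfer><Amount>1500.00</Amount><CreditAccount>{MULE_IBAN}</CreditAccount></Transfer>"
BODY_FORM = f"amount=1500.00&recipient_account={MULE_IBAN}&title=Invoice+42"
BODY_CLEAN = f"amount=1500.00&recipient_account={USER_IBAN}&title=Invoice+42"

if __name__ == "__main__":
    for name, body in (("tagged", BODY_TAGGED), ("form", BODY_FORM), ("clean", BODY_CLEAN)):
        print(name, analyse_request(body, USER_IBAN))
```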
Sample MD5: A86BD976CE683C58937E47E13D3EB448

What does a cyber attack look like?
Cyber security is never far from the headlines these days, and it's something we at F5 Networks take incredibly seriously. We are of course committed to making sure our customers can always securely access their data and applications from any location and any device; that's a must in today's business. That's the reason we bought Versafe, an acquisition you can read more about here. But while a lot of the recent headlines about cyber security have made for very scary reading, we thought we'd offer some practical advice. We've previously written about profiling a cyber attacker, so I thought this time we'd take a look at what a cyber attack may look like and how attacks like this can and do take place, with a focus on Versafe's areas of expertise. Of course, no two cyber attacks are the same, but there are some telltale signs to look out for that could indicate your business is under attack.

One of the most common ways of launching a fraud attack is still via phishing: targeted emails sent to specific workers in the hope that they will either install malware onto the company's network or reveal information that could help attackers gain access to whatever systems they need. These emails can be difficult to spot. We've all received badly written emails that claim to be from Amazon or PayPal or a bank demanding that we provide our personal details 'for security reasons', but targeted emails can look much more professional. They can masquerade as legitimate emails from IT departments, HR/payroll or an external supplier, and can even spoof the sender's name, so the email looks like it's from someone the target knows and trusts. If the victim falls for the trick and downloads the malware, then it's loose on your system. Some modern pieces of malware are capable of getting around firewalls and antivirus software, and it can be hours, days or even weeks before the malware is detected. During that time the malware can be sniffing out valuable information from across your systems.

Cloud-based, proactive monitoring of malware will help identify that a cyber attack is happening before too much damage is done. Another potential indication that your business is under attack is that applications lose their availability. Workers could have trouble establishing and/or maintaining a connection to the applications they need to do their jobs. This could indicate that the service is under attack from a DDoS, which is slowing down or even stopping access, or that someone has accessed the network and is using your bandwidth to search for critical data before sending it back to the attacker.

So far we've talked about your users on your network, but what if the users are not from your organisation? What if they're your partners, or your customers? Normally, you'd expect there to be little threat from these, but these users are susceptible to malware in the same way, and as a result we're seeing an increase in the types of attack that hijack users' browsers and their connections to your systems. The warning signs for these types of attack are less visible to the naked eye; for example, Versafe's technology is capable of monitoring the integrity of session data between the browser and the application for any suspicious activity. That is something a user would not be able to pick up on, and it therefore relies on a robust and modern security infrastructure.

As I mentioned above, no two cyber attacks are the same, so spotting the signs that you're under attack is difficult. However, having an always-on, cloud-based security infrastructure in place to keep an eye out for any suspicious activity will go a long way to helping you detect any potential danger.