A few days ago we commented in this blog on the discovery of the Slave Trojan, a new piece of malware distinguished by its webinjects in JSON format. In this post we will dissect the automatic transfer system (ATS) that works together with Slave, which is configured to target certain banks.
The ATS injected by Slave is simple in its operation but very effective at the same time; in our research we were able to analyze the script code executed in the victim's browser. It is designed in a modular way, allowing it to be adapted to different online banking "sites" quickly and easily. At the time of analysis, the ATS targeted three banks, with different injects for each type of access (companies or individuals). New entities were also found which, although not present in the Slave config, seemed to be ready for activation in the near future.

To identify which online banking page the user is on, the script uses different techniques, such as inspecting the current URL or searching for specific elements in the website's DOM.
Depending on the page the user is on, the script is able to perform different actions. Pages with a code larger than 100 correspond to the login forms, of which there may be one or two different matches depending on the bank. On these pages the script collects the user's credentials and stores them in the browser's sessionStorage. If the bank asks for only certain digits of a second password, the script is able to recognize which digits are requested and send the corresponding mask. However, the ATS does not need to steal credentials in order to operate, and the only action performed with them is sending them to the C&C, possibly for manual review. This behavior allows us to deduce that its priority is not capturing credentials but modifying transfers in real time, as discussed below.
Once the user's credentials have been captured correctly, the script starts executing the following actions on the rest of the site:
  • Action 1 (landing page): it simply sends the user's login name and password. Depending on the bank, this action can be ignored.
  • Action 2 (accounts info): it looks for information on the user's accounts, extracts the data and sends it to the C&C in the following format:

               Owner Name * Account Number * Balance * – * |

  • Action 3 (new transfer): it is responsible for altering a legitimate transfer so that the money is redirected to a money mule instead of the original recipient. Before doing so, various checks are performed, including whether the account has enough funds and whether a fraudulent transfer has already been made. If the victim passes these checks, a money mule is requested from the C&C.
The response to this request includes the personal details of the new recipient of the transaction and the amount to send. With this information, the script tampers with the transfer, showing the user the data they expect to see (the transfer they believe they performed) while sending the illegitimate data to the bank.
In this way it is the user who completes the verification steps, whether by entering coordinate-card values, the PIN sent to their mobile phone, or any other TAN factor.
Additionally, once the illegitimate transfer has been made, the fixBalance() function is executed on every page where the account balance appears. This function changes the displayed balance to hide the theft. This functionality of the Trojan is even persistent across sessions, so for as long as the user is infected both the fraudulent transfer and the real balance will be completely undetectable on the bank's website.
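When analysing captured C&C traffic from an infection, the first practical need is to decode the Action 2 payload and find out which accounts a victim has exposed. The following decoder is an added example written for this post; it is not code from the original article or from the Slave/ATS script. It assumes the record layout described above ("Owner Name * Account Number * Balance * – * |", with `*` separating fields and `|` separating records) and uses a constructed sample payload; the balance parsing is a best-effort heuristic for both European and US number grouping.

```python
# Added example (not part of the original post or the malware): decoder for the
# account-information records the ATS sends to the C&C in Action 2.
# Assumed layout: "Owner Name * Account Number * Balance * - * |" per record.
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import List, Optional

FIELD_SEP = "*"    # assumed field separator, taken from the post's description
RECORD_SEP = "|"   # assumed record terminator, taken from the post's description


@dataclass
class AccountRecord:
    owner: str
    account: str
    balance: Optional[Decimal]   # None when the balance text could not be parsed
    raw_balance: str             # original text, kept for the analyst's report


def _parse_balance(text: str) -> Optional[Decimal]:
    """Best-effort conversion of a displayed balance (e.g. '1.250,30 EUR') to Decimal.
    Handles European (1.250,30) and US (1,250.30) grouping; a lone comma is treated
    as the decimal mark. Returns None when nothing numeric survives."""
    cleaned = "".join(ch for ch in text if ch.isdigit() or ch in ",.-")
    if not cleaned:
        return None
    if "," in cleaned and "." in cleaned:
        # whichever separator appears last is the decimal mark
        if cleaned.rfind(",") > cleaned.rfind("."):
            cleaned = cleaned.replace(".", "").replace(",", ".")
        else:
            cleaned = cleaned.replace(",", "")
    elif "," in cleaned:
        cleaned = cleaned.replace(",", ".")
    try:
        return Decimal(cleaned)
    except InvalidOperation:
        return None


def parse_account_records(payload: str) -> List[AccountRecord]:
    """Split an exfiltrated payload into AccountRecord objects.
    Blank trailing chunks are skipped and records with fewer than three fields
    are dropped as malformed; the literal '-' fourth field is ignored."""
    records: List[AccountRecord] = []
    for chunk in payload.split(RECORD_SEP):
        if not chunk.strip():
            continue
        fields = [f.strip() for f in chunk.split(FIELD_SEP)]
        if len(fields) < 3:
            continue
        owner, account, balance = fields[0], fields[1], fields[2]
        records.append(AccountRecord(owner, account, _parse_balance(balance), balance))
    return records


def total_exposed_balance(records: List[AccountRecord]) -> Decimal:
    """Sum of all balances that could be parsed (what the operator learned)."""
    return sum((r.balance for r in records if r.balance is not None), Decimal(0))


# Constructed sample payload in the format the post describes (not real data).
SAMPLE_PAYLOAD = (
    "Jane Doe * ES12 3456 7890 1234 5678 9012 * 1.250,30 EUR * - * |"
    "Jane Doe * ES98 7654 3210 9876 5432 1098 * 12,00 EUR * - * |"
    "ACME Ltd * ES11 2222 3333 4444 5555 6666 * n/a * - * |"
)

if __name__ == "__main__":
    recs = parse_account_records(SAMPLE_PAYLOAD)
    for r in recs:
        print(f"{r.owner:10} {r.account} balance={r.balance} ({r.raw_balance})")
    print("total parsed balance:", total_exposed_balance(recs))
```

Records whose balance cannot be parsed are kept rather than discarded, since the account number is still the important fact for notifying the affected customer.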

Regarding communication between the script and the C&C, although it was not possible to replicate this process, a preliminary analysis led to the following conclusions:
  • To contact the C&C the script uses JSONP; depending on the injection, it can load the jQuery library to make the requests.
  • All of the requests include a "key" field that is hardcoded in the binary itself and is necessary for communication.
  • Beyond this check and the SSL layer, communications between the script and the C&C do not appear to include any other kind of encryption or obfuscation.
Finally, these are the MD5 hashes identifying the samples analyzed:
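Because the script talks to the C&C with plain JSONP carrying a fixed "key" parameter, the beacons stand out in web-proxy logs: a request issued from a banking page (Referer) to a host that is not the bank's, using a JSONP callback parameter and a "key" field. The detector below is an added example and is not code from the original post or from the malware. Its log layout, the bank domain allowlist and the sample lines are constructed assumptions; the parameter name `callback` is jQuery's default JSONP parameter, while the value `key` comes from the analysis above.

```python
# Added example (not from the original post or the malware): flag JSONP-style
# requests with a "key" parameter that originate from a banking page but go to
# a host outside the bank's own domains. Log format and allowlist are assumed.
import re
from urllib.parse import urlsplit, parse_qs
from typing import Dict, List, Optional, Tuple

# Assumed log line layout: "<client> <method> <url> <status> <referer>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Assumed allowlist of the bank's first-party domains (placeholder names).
BANK_DOMAINS = {"bank.example", "ebanking.bank.example"}


def _is_bank_host(host: str) -> bool:
    return host in BANK_DOMAINS or any(host.endswith("." + d) for d in BANK_DOMAINS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, status, referer = m.groups()
    return {"client": client, "method": method, "url": url,
            "status": status, "referer": referer}


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a verdict for a request issued while the user was on a banking page:
    'ats-c2-candidate'  JSONP request to a third party that also carries key=
    'third-party-jsonp' JSONP request to a third party without a key field
    None                first-party traffic, or not issued from a banking page."""
    url = urlsplit(entry["url"])
    ref_host = urlsplit(entry["referer"]).hostname or ""
    if not _is_bank_host(ref_host):
        return None                      # not issued from the bank's pages
    if _is_bank_host(url.hostname or ""):
        return None                      # first-party request, expected
    qs = parse_qs(url.query)
    is_jsonp = "callback" in qs or any(v and v[0].startswith("jQuery") for v in qs.values())
    if is_jsonp and "key" in qs:
        return "ats-c2-candidate"
    if is_jsonp:
        return "third-party-jsonp"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over log lines; return (client, destination host, verdict)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((entry["client"], urlsplit(entry["url"]).hostname or "", verdict))
    return hits


# Constructed sample log lines (placeholder hosts, not real indicators).
SAMPLE_LOG = [
    "10.0.0.5 GET https://ebanking.bank.example/accounts 200 https://ebanking.bank.example/login",
    "10.0.0.5 GET https://cdn.example.net/jquery.min.js 200 https://ebanking.bank.example/accounts",
    "10.0.0.5 GET https://stats.example.org/ping?callback=jQuery1234_56&x=1 200 https://ebanking.bank.example/accounts",
    "10.0.0.5 GET https://c2.invalid/api/get?callback=jQuery17_1&key=CONSTRUCTED_KEY&id=1 200 https://ebanking.bank.example/transfer",
    "10.0.0.7 GET https://news.example.com/?callback=cb&key=abc 200 https://news.example.com/",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for client, host, verdict in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {verdict}")
```

The Referer check is what keeps the noise down: JSONP to third parties is common on the open web, but a banking session that suddenly starts calling an unrelated host with a callback and a key parameter is worth an analyst's attention, and the "key" value, once known from a sample, can be added as a hard match.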

1a621d205e984f92a42e00dd250e4ca0
4da23d28b515ff7cc1e51821895fea7a
b5d5c2782b078f4148f5a102dde5dc8b
ea593dc3d2056c5c1a2c060cc77c4990
1bbd341d8fa51f39c7f8df7753b72b00
50fc29042f8c54d99a6ec3dfd82b40e0
b9d28002e69f87e1f407a501d2bf5c3c
fab771fb164e54c6982b7eb7ba685500
3153be649d0d868c77a064e19b000d50
594fa3dd37c9b720c24bf34cf4632c20
c892c191a31f4a457ff1546811af7c09
3bd78217be4e455c107f81543de51bf0
9db30f3d2a0d68f575c79373cded12c0
ced7970f13c40448895967d4c47843e0
400fbcaaac9b50becbe91ea891c25d71
a86bd976ce683c58937e47e13d3eb448
e03512db9924f190d421ff3d3aaa92f0
