The Financial Threat Landscape

Jun 2, 2017

Introduction

Financial malware is malicious software developed to commit any kind of financial fraud or theft. It targets financial institutions or end-users using online banking services. While mostly rooted in classic banking Trojans aimed at bypassing 2FA and stealing money from end-users, the world of financial malware had evolved considerably, producing more sophisticated means of cyber-heist. From Crypto-miners to SWIFT attacks, hackers keep developing methods to yield higher profits.

Below is an overview of the different types of financial malware, as well as representative variants of each type:

Banking Trojans Targeting PC End-users

Financial malware targeting users of online banking services, also referred to as banking Trojans, aim to obtain financial information and credentials and then use it to perform transactions from victims’ accounts.

The infection of victims involves numerous common attack vectors, such as Malvertising, exploits (mostly via exploit kits, e.g. Angler), spam campaigns and phishing campaigns.

Once the victim is infected, the malware uses various techniques to obtain banking credentials: keylogging, DNS cache poisoning (redirection to the attackers), screen capturing, as well as MITM (man-in-the-middle) and MITB (man-in-the-browser) attacks, while using social engineering to mislead victims into submitting personal credentials (e.g. presenting fake login forms, allegedly from legitimate banking websites).

Eventually, the harvested credentials are used to perform fraudulent transactions. The transactions can be initiated by the attacker possessing access to the victim’s account (account takeover) or committed when the victim performs a transaction himself, and the attacker leverages the session to perform additional actions / change the victim’s transaction destination.

Zeus

Zeus is one of the most well-known malware families in the wild. It started spreading in 2007, and since its source code had been published in 2011, numerous variants appeared. Variants of the Zeus family are available on underground markets as a ready-to-use and easily configurable toolkit, in a form of CaaS – Crimeware-as-a-Service, a business model in which malware creators sell their product to other attackers who distribute it in their own campaigns and infrastructures.

The Trojan’s main attack vectors are spam campaigns and drive-by-downloads. The spam messages may arrive through email or social media, containing links that redirect to malicious/compromised servers, which deliver the malware. The drive-by-downloads are usually through compromised websites, in which attackers plant malicious code that executes the malware on visitors’ vulnerable hosts.

Once Zeus is installed, it opens a backdoor to its C&C server, to which it uploads the stolen data. It performs the following actions to harvest user credentials:

– URL monitoring – once the user enters a monitored URL (e.g. banking websites), the malware activates keylogging capabilities. It is also capable of injecting fake fields to these websites / popping windows, to request additional credentials.
– Password stealing from browsers’ cache, as well as FTP or POP3 accounts.
– Deleting cookies, making the user re-enter his credentials when visiting websites.

Vawtrak (Also known as Snifula or NeverQuest)

With several campaigns spotted in North America, Europe, Japan and Israel, Vawtrak is a rising financial threat. The malware is distributed via spam messages and exploits kits, or dropped by the Pony botnet. Pony is a password stealer possessing dropper capabilities, and is distributed mainly through spam messages containing malicious attachments with embedded macros.

Recent versions of Vawtrak are written in a modular structure, in which the payload contains the main module, that can download additional modules (DLLs). Each module can be downloaded from specific URLs supplied by the C&C server.

Vawtrak provides remote access to the victim’s host, through SOCKS or VNC (Virtual Network Computing – enables remote desktop sharing). It steals credentials and data such as passwords, cookies, digital certificates and screenshots.

As for evasion – Vawtrak detects security programs and abuses Windows’ Software Restriction Policies to disable their activity. Among the programs it attempts to disable, are Kaspersky, ESET, McAfee, Symantec, and more.

Banking Trojans Targeting Mobile End-Users

When it comes to mobile variants, the most commonly used capability for performing fraudulent transactions is intercepting text/voice communication with banks, as part of the 2FA – two-factor authentication process (e.g. receiving one-time passwords through text messages to confirm a transaction). The permission to access text messages or voice calls is usually given by the users, when they unknowingly install the malicious application.

Apart from the classic attack vectors (repackaged mock apps from third-party stores, Google user hacks, WiFi MitM, etc.), mobile financial malware is often masqueraded as a legitimate banking service.

Android banking malware masquerades as Flash Player

Last November, an Android banking campaign was spotted, targeting customers of major banks in the US, Germany, France, Australia, Turkey, Poland, and Austria. The malware masquerades as a Flash Player app, and upon launch, requests the user to activate device administrator privileges. The victim is then required to click “activate” or “cancel”. However, the “cancel” button actually reopens the window, and similarly to “screen-lockers”, displays a screen overlay on top of other apps. The user is left with no choice other than click “activate”, providing the malware with device administrator privileges, which prevent it from being uninstalled.

skype-picThe malware targets various social media apps. When the user tries launching them, he is presented with fake forms requesting credit card information. Among the targeted apps are Facebook, WhatsApp, Skype, Twitter, Google Play and more.

The malware can harvest credentials from 94 mobile baking apps, belonging to banks from the US, Germany, France, Australia, Turkey, Poland and Austria. It can also intercept text messages, and thus, bypass 2FA.

Crypto-Mining Malware

Cryptocurrency is a digital medium of exchange, that uses encryption to secure the creation process of new units and the execution of transactions. For instance, Bitcoin is a very well-known cryptocurrency, created in 2009. It can be mined by special software that requires immense processing power. To save power and money, and mine large amounts of cryptocurrency, attackers use crypto-mining malware. Such malware is intended to abuse resources of the infected machine to mine cryptocurrency for the use of the attacker.

Mal/Miner-C mining malware

Discovered in September 2016, this malware is intended to mine Monero (XMR) cryptocurrency.

When the malware is installed, it collects information regarding the host’s CPU/GPU and downloads a document containing a list of mining pools to join. A mining pool is a collection of miners working together to reduce the volatility of their returns.

Apart from mining, this malware also possesses worm-like distribution capabilities: some of its variants use a module which attempts to connect to random IP addresses, with the aim of finding and connecting to FTP servers. Once connected, the malware copies itself to the server and looks for web files (HTML/PHP) to infect, with the purpose of further distribution. It injects the HTML/PHP files with code that generates an iframe (HTML Inline Frame Element – enables the embedding of another HTML page into the current page), embedding the malicious code copied to the server. When users visit the infected website, they’re presented with a “save file” dialog that serves the malicious files.

ATM Malware

An additional platform which is targeted by attackers is ATMs. ATM attacks are aimed at obtaining cash or credit card information from the machine. The main attack vectors for ATMs are through physical access, for example installation of PIN cameras, or malware infection using a USB. However, ATMs are commonly based on Windows, often outdated or unpatched versions, which makes them vulnerable to several other attack vectors, especially when other parts of the network have been compromised.

Alice

This recently discovered malware family is meant to dispense cash stored in ATMs.

Upon installation (which is likely through USB / CD-ROM), the malware verifies it’s running on an ATM, by checking the presence of an XFS (Extensions for Financial Services) environment. It does so by searching for the following registry keys: “HKLM\SOFTWARE\XFS”, “HKLM\SOFTWARE\XFS\TRCERR”.

Ifoperator panel the keys aren’t found, it terminates itself. Otherwise, the attacker can input three different PIN codes that lead to different commands: exit, uninstall, or open the “operator panel” to dispense cash. To deal with withdrawal limitations when dispensing cash, the malware displays the stored levels of cash on the operator panel, and dynamically updates them when dispensing cash, so that the attacker is aware once he’s close to emptying the ATM’s cassettes.

 Malware Targeting Financial Institutes

Cyber-criminals can always be found where the money is. While attacks on large financial institutes require more sophisticated malware than attacks on end-users, these attacks are potentially much more profitable. Consequently, the financial sector remains one of the most highly targeted sectors.

SWIFT Attacks

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a provider of international financial messaging services. It enables financial institutions in more than 200 countries to send and receive information about financial transactions, and is therefore a lucrative target for hackers.

One of the most severe SWIFT attacks of all times is the theft of $81 million from the Bangladesh Bank in February 2016. The attackers compromised Bangladesh Bank’s network about a month before the transaction execution, and started obtaining information on the bank’s international payment procedures. Among the harvested information were the bank’s credentials, which the attackers used to commit the abovementioned transaction.

According to BAE Systems, a malware sample suspected to be linked to the heist was found in online malware repositories. The malware is intended to operate within an environment running SWIFT’s Alliance software suite. Its key functionality is extracting certain fields from SWIFT messages (e.g. transfer references, SWIFT addresses), which can be used to modify transactions’ details or even delete transactions, thus covering tracks. An additional evasion technique used by the malware was editing SWIFT confirmation messages sent for printing, hence preventing employees from reviewing the original confirmation of the fraudulent transactions.

However, it is still unclear how the malware infected hosts in Bangladesh Bank, or who created it. According to investigations, the intrusion might have been the result of an exploitation of a second-hand, 10$ switch, with no firewall, used in Bangladesh Bank. Nevertheless, such unsophisticated network components are even harder to investigate.

“Shamoon” Targets Saudi Central Bank

Apart from cyber-heist, financial organizations are exposed to various other types of threats, such as ransomware attacks, data leaks, or data wiping. Such attack occurred in November 2016 on Saudi Arabian Monetary Agency (Saudi Arabia’s Central Bank), allegedly for political interests. The attackers used a data wiping malware named Shamoon2, which is linked to Iran, and which was already used to attack Saudi Aramco four years earlier.

shamoonShamoon overwrites the MBR (Master Boot Record) of infected hosts, making them unbootable. It accesses the MBR by abusing a commercial driver named RawDisk, by Eldos, which provides access to files, disks and partitions of disks. United States intelligence officials claim the malware is linked to Iran.


A prompt thrown by Shamoon

Conclusion

Even though ransomware made more headlines this past year, banking Trojans are still a major part of the threat landscape. Considering the evolvement of the CaaS phenomenon, providing attackers with accessible and easy to use toolkits, the number of attacks is expected to grow.

To stay protected, we highly recommend using strong passwords, logging out of your banking sessions, and paying attention to suspicious links and attached files arriving by email or social media channels (particularly documents requiring the user to enable macros). In addition, use endpoint protection solutions to defend against malware, and keep your operating system and other programs (especially security programs) up-to-date. As for your mobile device – avoid downloading apps from unofficial stores, and pay attention to the permissions requested by apps before their installation.

IOC:

Zeus (VirusTotal):

d51f8930ef451e69e95e16393ab22722f305f1a1214c4e2c936c1ab2b24f5e5e

cd620ad356489dbbcaeba467d613e8b6e7e8cbeef05ca7a2969a0a2618e9de5b

deac3bfd502012bc0afa22716166a5389cb93d719c5cd05ced4521b3d607afac

Vawtrak (VirusTotal):

f4d7a9d596150d1a28b9aad1c1d4c9754d73af03c271f6090023c7ae8371f6bd

08b8cf138a649d70bee9c9560344ab425f54559ead6f8dfe5d05c0817a5c3b8c

dead8f2cce233c123a3f609004e4408cf845e3dfe765cfd2c0a2461c75766871

Android banking malware masquerades as Flash Playere5df30b41b0c50594c2b77c1d5d6916a9ce925f792c563f692426c2d50aa2524

Mal/Miner-C (VirusTotal)

c624589e2e61fbdce278550c6e1c9da01dbf6e5407a5421ba50755ea35e8a43a

cf2a443949bbd4163e48be0aa5502e482799f36b5782c74d64f88dad9a0f9d09

e654c27fc557009b307e683aa4ce90de9e74e1a3d6c94efb976775d4406c7a5b

Alice ATM malware

04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70

b8063f1323a4ae8846163cc6e84a3b8a80463b25b9ff35d70a1c497509d48539

Samples allegedly used in the Bangladesh Bank breach:

4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a

5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630

ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283

Shamoon (VirusTotal)

394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b

61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842

6e9a5681ed0e2683407e4bfcd05553207fa94a301cfc341de810b71be56bb700

All the above-mentioned samples are detected as malicious by Deep Instinct.