Malware's Most Wanted: Financial Trojans
Your speakers today
Nick Bilogorskiy (@belogor), Director of Security Research
Shel Sharma, Product Marketing Director
Agenda
o What makes a Trojan Financial
o Financial Trojans countdown
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24X7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
What makes a Trojan Financial
o What they try to get:
  o Direct collection/theft of credit cards
  o Collection of credentials for online fraud
  o Fake bank communication
  o Direct control over bank transfer system
o How sophisticated they are:
  o Man-in-the-browser: webinjects
  o Evasion, armoring, anti-analysis
  o Configuration file for targets
  o Encrypted Command-and-Control and DGA
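Man-in-the-browser Trojans drive their webinjects from a configuration file that lists target URL masks and the HTML to splice in. The parser below is an added example, not code from the talk or from Cyphort; it assumes the public Zeus/SpyEye-style plaintext syntax (set_url, data_before, data_inject, data_after, data_end) and works on a constructed sample config whose hostnames and field names are invented. For an analyst who has recovered such a config from an infected host, it answers the two defensive questions that matter: which of the bank's pages are in scope, and which bogus form fields customers should be warned about.

```python
import fnmatch
import re

# Constructed sample in the Zeus/SpyEye-style plaintext webinject syntax.
# Hostnames and field names are invented for this example; not a real config.
SAMPLE_WEBINJECT_CONFIG = """\
; constructed sample, not a real configuration
set_url https://online.bank-example.test/login* GP
data_before
name="password"*</div>
data_end
data_inject
<div><label>Enter your ATM PIN</label><input type="text" name="atm_pin"></div>
data_end
data_after
data_end

set_url https://secure.bank-example.test/transfer* P
data_before
<form*id="transfer"*>
data_end
data_inject
<input type="text" name="security_answer">
data_end
data_after
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinject_config(text):
    """Return one dict per set_url block: url mask, flags and the three data sections."""
    entries = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        if line.startswith("set_url"):
            parts = line.split(None, 2)  # set_url <mask> <flags>
            current = {"url_mask": parts[1],
                       "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": [], "data_inject": [], "data_after": []}
            entries.append(current)
        elif line in SECTIONS:
            section = line
        elif line == "data_end":
            section = None
        elif current is not None and section is not None:
            current[section].append(line)
    return entries


FIELD_NAME_RE = re.compile(r'<input[^>]*\bname="([^"]+)"', re.IGNORECASE)


def injected_field_names(entry):
    """Names of form fields the inject adds: fields the bank itself never asks for."""
    return FIELD_NAME_RE.findall("\n".join(entry["data_inject"]))


def targeted_urls(entries, urls):
    """Which of the given URLs (e.g. the bank's own site map) fall under a url mask."""
    hits = {}
    for url in urls:
        for entry in entries:
            if fnmatch.fnmatchcase(url, entry["url_mask"]):
                hits.setdefault(url, []).append(entry["url_mask"])
    return hits


def summarize(text):
    """Analyst summary: (url mask, flags, injected field names) for each block."""
    return [(e["url_mask"], e["flags"], injected_field_names(e))
            for e in parse_webinject_config(text)]


if __name__ == "__main__":
    for mask, flags, fields in summarize(SAMPLE_WEBINJECT_CONFIG):
        print(f"{mask}  flags={flags}  injected fields={fields}")
```

The url masks are shell-style globs, so `fnmatch` is enough to match them against a list of the bank's real URLs; the flags column (G and P for GET and POST in this syntax) is kept verbatim rather than interpreted, since analysts usually just need to record it.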
Shylock Trojan
o First seen: 2011
o Target: European banks, especially UK
o Distribution: Blackhole, Cool, Magnitude, Nuclear, and Styx Exploit Kits, spam, malvertising via Youtube ads, Skype.
o Value Stolen: several million dollars
o Infected Users: 60,000 (Symantec)
o Actors: in Russia or Eastern Europe
Shylock features
o Steals financial info via man-in-the-browser
o Injects itself in svchost and explorer, uses bootkit
o VNC module to control user machine
o Spreads through Skype
Bebloh Trojan
o First seen: 2009
o Target: Western Europe banks (most in Germany)
o Distribution: LuckySploit Kit, Spam mails
o Value Stolen: $7.3 Million dollars annually (just one gang)
o Infected Users: less than 30,000 (Source: Symantec)
Bebloh Features
o Forces use of Internet Explorer
o Disables use of a proxy
o Monitors access of certain online banking sites
o AV Evasion
o Encrypted config file
Vawtrak Trojan
o First seen: August 2013
o Target: North American banks
o Distribution: Angler Kit, Kuluoz spam, Chanitor downloader
o Value Stolen: $24 Million dollars (RT)
o Infected Users: about 100,000
o Actors: Russian Neverquest Vawtrak crew, vorVzakone – Oleg Tolstykh (phishlabs)
Vawtrak features
o Vawtrak CNC process is complex and well-hidden. The update servers are hosted on Tor hidden services, and communication is done over SSL. Communication happens only while the user is browsing the Internet (i.e. while a browser is producing network traffic).
o The command and control center of the attack is located in Russia
o Furthermore, Vawtrak uses steganography, hiding the update lists inside 4 kB favicon image files and carrying the data in the least significant bits!
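A favicon that carries an LSB payload looks normal to the eye but its least-significant-bit plane stops being structured: a flat icon repeats the same few bit patterns, while encrypted data makes the plane look random. The detector below is an added example, not code from the talk or from Cyphort, and it does not reproduce Vawtrak's format; it assumes a raw 32x32 RGBA pixel buffer (4096 bytes, the 4 kB size cited above), builds a constructed benign icon plus a constructed test fixture with pseudo-random bytes written into the LSBs, and flags the fixture by the entropy of the packed LSB plane. The 4.0-bit threshold and the 64-byte window are assumptions chosen for this example.

```python
import hashlib
import math
from collections import Counter

# Assumed geometry of the favicon: 32x32 RGBA = 4096 bytes (the 4 kB size cited in the talk).
WIDTH, HEIGHT, CHANNELS = 32, 32, 4


def benign_icon():
    """Constructed flat two-colour icon, standing in for a legitimate site favicon."""
    pixels = bytearray()
    for _y in range(HEIGHT):
        for x in range(WIDTH):
            pixels += (bytes((0x20, 0x60, 0xC0, 0xFF)) if x < WIDTH // 2
                       else bytes((0xF0, 0xF0, 0xF0, 0xFF)))
    return bytes(pixels)


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic stand-in for an encrypted payload (sha256 chain, no real data)."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def embed_lsb(image, payload):
    """Test-fixture builder only: write payload bits into the LSB of successive bytes."""
    out = bytearray(image)
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(out):
        raise ValueError("payload does not fit in the image")
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_plane_bytes(image):
    """Pack the LSB of every image byte into bytes (8 image bytes -> 1 plane byte, MSB first)."""
    plane = bytearray()
    for i in range(0, len(image) - 7, 8):
        value = 0
        for b in image[i:i + 8]:
            value = (value << 1) | (b & 1)
        plane.append(value)
    return bytes(plane)


def shannon_entropy(data):
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_lsb_window_entropy(image, window=64):
    """Highest entropy (bits per byte) over fixed-size windows of the packed LSB plane."""
    plane = lsb_plane_bytes(image)
    windows = [plane[i:i + window] for i in range(0, len(plane), window)]
    return max(shannon_entropy(w) for w in windows)


def looks_like_lsb_carrier(image, threshold=4.0):
    """A flat icon's LSB plane is repetitive (entropy near 0); hidden data drives a
    64-byte window toward its 6-bit maximum. Threshold is an assumed tuning value."""
    return max_lsb_window_entropy(image) >= threshold


if __name__ == "__main__":
    clean = benign_icon()
    stego = embed_lsb(clean, pseudo_random_bytes(256))
    print("benign:", max_lsb_window_entropy(clean), looks_like_lsb_carrier(clean))
    print("stego: ", round(max_lsb_window_entropy(stego), 2), looks_like_lsb_carrier(stego))
```

Windowing matters: the payload only occupies the first part of the buffer, so whole-image entropy would be diluted by the untouched tail. In practice this check complements, rather than replaces, comparing a favicon's hash against the one the site is known to serve and watching for favicon fetches that arrive from a non-browser process.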
Dridex Trojan
o First seen: Nov 2014
o Target: North American and European Banks
o Distribution: Spam mails with Word Documents
o Infected Users: about 29,000 (Symantec)
Dridex features
o Some versions use P2P over HTTP for carrying out botnet communication
o Uses web injects to carry out man-in-the-browser attack
o Uses VNC
o Can act as a RAT, unlike other banking Trojans
o Uses XML based config file
Dyre Trojan
o First seen: 2014
o Target: North American Corporate Banks
o Distribution: Spam mails, by Upatre and Cutwail botnets, RIG exploit kit.
o Value Stolen: over $1 million dollars (IBM)
o Infected Users: 90,000+ (Symantec)
o Actors: Eastern Europe Dyre Wolf gang (FBI)
Dyre features
o Uses man-in-the-browser attack
o Browser Snapshot, can take pictures and grab credentials.
o Adds extra text fields required for accessing the account
o Uses SSL and a DGA producing 1000 domains each day for CNC
o THE PHONE CALL – ADVANCED SOCIAL ENGINEERING
o To hide its backend infrastructure, Dyre deploys a set of proxy servers that act as C2 servers.
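A DGA that burns through 1000 domains a day leaves a signature in DNS logs that no single domain blocklist catches: one client resolving many long, consonant-heavy, high-entropy names in a short window. The script below is an added example, not code from the talk or from Cyphort, and the two Trojans' actual generation algorithms are not reproduced. It assumes a constructed log format of `<timestamp> <client> <qtype> <qname>` and constructed sample lines, scores the second-level label by length, Shannon entropy and vowel ratio (thresholds are assumptions), and then counts distinct DGA-looking names per client, which is the churn signal Dyre's daily domain volume produces.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>". Not real traffic.
SAMPLE_DNS_LOG = """\
2015-03-02T10:01:12Z 10.0.0.15 A www.example.com
2015-03-02T10:01:13Z 10.0.0.15 A mail.example.com
2015-03-02T10:01:14Z 10.0.0.22 A xk3jq9vlz2mwrp7tq.com
2015-03-02T10:01:15Z 10.0.0.22 A q8wz4hkd1yvnm3plx.net
2015-03-02T10:01:16Z 10.0.0.22 A zr5tkp2vn9xqhcdw.org
2015-03-02T10:01:17Z 10.0.0.22 A www.example.com
2015-03-02T10:01:18Z 10.0.0.31 A internationalbankingportal.test
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn):
    """'xk3jq9vlz2mwrp7tq.com' -> 'xk3jq9vlz2mwrp7tq' (the part a DGA actually generates)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_features(fqdn):
    label = second_level_label(fqdn)
    n = len(label)
    return {
        "label": label,
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def is_dga_like(fqdn, min_length=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: long, high-entropy, vowel-poor labels. Thresholds are assumed tuning values;
    the vowel check keeps long natural-language names such as company portals out."""
    f = domain_features(fqdn)
    return (f["length"] >= min_length and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def dga_candidates_by_client(log_text):
    """Map client -> sorted list of distinct DGA-looking names it resolved."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, _qtype, qname = m.groups()
        if is_dga_like(qname):
            seen[client].add(qname.lower())
    return {client: sorted(names) for client, names in seen.items()}


def clients_over_threshold(log_text, min_distinct=3):
    """Clients that resolved at least min_distinct DGA-looking names: the churn a daily DGA produces."""
    return sorted(c for c, names in dga_candidates_by_client(log_text).items()
                  if len(names) >= min_distinct)


if __name__ == "__main__":
    for client, names in dga_candidates_by_client(SAMPLE_DNS_LOG).items():
        print(client, names)
    print("flagged:", clients_over_threshold(SAMPLE_DNS_LOG))
```

Per-client counting is the part that scales: a single odd-looking name is noise, but dozens of distinct ones from one host in a day, especially with NXDOMAIN answers for most of them, is the pattern to alert on.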
SpyEye Trojan
o First seen: 2009
o Target: Mostly US
o Distribution: sold as a toolkit ranging from $500 to $8,500 depending on the plugin. Most bots arrive through spam mails.
o Value Stolen: tens of millions of dollars (infosecurity-magazine.com)
o Infected Users: 1.4 million (FBI)
o Actor: Aleksander Panin a.k.a. Gribodemon or Harderman, arrested in June 2013
SpyEye features
o Uses man-in-the-browser attack
o Configuration file is saved in encrypted format.
o Browser Snapshot, can take pictures and grab credentials.
o Only activates when the user is browsing the bank’s website
o Updates itself
o Injects into explorer.exe
Source: http://www.xylibox.com/
ZEUS: What is it
o First seen: 2007
o Target: All financial institutions
o Distribution: drive by downloads, spam
o Value Stolen: $100 Million dollars (FBI)
o Infected Users: 4 Million+
o Actors: Russian Evgeniy Bogachev
ZEUS Actors
Evgeniy Bogachev, 30, of Anapa, Russia. Nickname “Slavik”. Gameover Zeus ringleader.
Hamza Bendelladj, 24, Algerian. Nickname “Bx1”. Botmaster. Arrested and extradited in 2013.
ZEUS Advanced tricks
o Steganography
o Rootkit
o Anti-Debugging
o Digital signatures
o Modular. Flexible. Persistent.
Carbanak Trojan
o First seen: February 2015
o Target: Russia, followed by the United States, Germany, China and Ukraine
o Distribution: targeted phishing emails
o Value Stolen: $1 Billion dollars
o Infected Users: only a thousand private customers
o Actors: China or Russia
Carbanak features
o APT TTP. A backdoor based on the Carberp malicious code.
o Evasion – anti-VM, sleeping, anti-debugging
o Moved laterally to infiltrate administrator machines and observed cash transfer patterns
o Steals from banks directly, not from users
o ATMs were instructed to dispense cash for money mules
o Manipulating account balances
Conclusions
o Continued activity targeting individuals using more sophisticated Trojans,
o Increased ransomware with blackmail tactics for extortion,
o Increased campaigns and malware targeting banks and clearing houses themselves