PowerZeus Incident Case Study

Date of publication: 18/10/2013, CERT Polska

CERT Polska has created a technical report about a KINS/PowerZeus infection affecting Polish online banking users. In July 2013 we obtained information about an attack on Polish online banking users. This attack utilized a new strain of malware with abilities similar to the previously described ZeuS family, e.g. changing a page’s content on the fly. The malware version described here stole user credentials when the user logged into the online banking site. Because some online banking systems in Poland use one-time passwords delivered by text message, the cybercriminals also found a way to steal those. When a user enters her credentials, the malware displays a message, supposedly from the bank, stating that she has to install a special Android application in order to make her transactions more secure. As a result the malware controls both the phone and the user’s machine, and the botmasters are able to issue a wire transfer. This report contains details about that operation, a technical description of both malware samples, for Windows and for Android, and recommendations for users.

Key findings:

    • This is the first case of a KINS/PowerZeus infection of this scale affecting Polish users.
    • Two domains in the .ru TLD were being used for C&C purposes.
    • Both of these domains were taken down and sinkholed yesterday in cooperation with Kaspersky Lab. There were 734 unique IP addresses connecting to these domains during the first 1.5 hours.
    • The malware used hosts on Polish domains, which had been taken over, in order to distribute the malicious Android application.


The full text of the report can be found here or under the “Reports” tab.