TrickBot (also known as TrickLoader) is a modular financial malware that first surfaced in October 2016. Almost immediately, researchers noticed similarities with a credential stealer called Dyre, and it is still believed that the two families may have been developed by the same actor.
In this article, however, we will not focus on the core itself but on the loader, whose job is to decrypt the payload and execute it.
Malicious scripts distributed via spam e-mails have been getting more complex for some time. Usually, if you received an e-mail with a .js attachment, you could safely assume it was a simple dropper, limited to downloading and executing malware. Unfortunately, a growing number of campaigns now use scripts that do not exit after downloading a sample. Instead of ending their life, they remain active, waiting for additional commands or further samples to fetch. Examples include vjw0rm, used in Vortex ransomware campaigns, and Ostap, the main protagonist of our story.
This article is an introduction to the analysis of Backswap, a second-stage malware downloaded by Ostap. Our analysis of Backswap will be published soon.
Recently we have observed campaigns of banking malware for Android that targets Polish users. The malware is a variant of the popular BankBot family, but it differs from the main BankBot samples. Victims were infected by installing a malicious application from the Google Play Store. We are aware of at least three applications that were smuggled into the Google Play Store and bypassed its antivirus protection:
Crypto Monitor
StorySaver
Cryptocurrencies Market Prices
The last one is an older version, which was uploaded to VirusTotal on 13.10.2017.
According to ESET's analysis, "Crypto Monitor" and "StorySaver" each reached between 1,000 and 5,000 downloads. In each case, the malware pretended to be a benign, useful application.
Emotet is a modular Trojan horse that was first noticed in June 2014 by Trend Micro. This malware is related to other families such as Geodo, Bugat and Dridex, which researchers attribute to the same family.
Emotet was discovered as an advanced banker: its first campaign targeted clients of German and Austrian banks. Victims' bank accounts were compromised through a web browser infection that intercepted communication between the web page and the bank's servers. In this scenario, the malware hooks specific routines to sniff network activity and steal information. This technique is typical of modern banking malware and is widely known as a Man-in-the-Browser attack.
The next, modified release of the Emotet banker (v2) took advantage of another technique: automating the theft of money from hijacked bank accounts using ATSs (Automated Transfer Systems; more information on page 20 of the CERT Polska Report 2013). This technique is also used by other bankers, for example ISFB (Gozi) and Tinba.
At the beginning of April 2017, we observed a wide malspam campaign in Poland distributing fraudulent e-mails. The e-mails imitated delivery notifications from the logistics company DHL and contained a malicious link that led to a brand-new, previously unknown variant of Emotet.
The malware distributed in this campaign differed from previously known versions. Its behaviour and communication methods were similar, but it used different encryption and we noticed significant changes in its code. We therefore called this modification version 4.
Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to take over the botnet infrastructure. The main objective of these algorithms is to generate a large number of different domain names which usually look random, like pkjdgjwzcr.pl. Only some of them are registered by the botmaster, but compromised hosts tend to query all of them until they find a working domain. As a result, bots receive a large number of non-existent domain responses (in short: NXDomain). In this entry we will show how such behaviour can be utilised to detect DGA botnets, using examples of different detection methods.
In the previous entry we showed examples of domains which could easily be misclassified as DGA botnet domains. Most of them are machine-generated and used in a non-malicious manner. In this entry, conversely, we will present examples of pseudo-random domains which could be used in attacks or be evidence of such an attack.
In this report we discuss the most important trends and issues related to cybersecurity in Poland in 2014. We present current threats and the directions in which they are developing, and we report on the actions undertaken by CERT Polska.
Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and the botnet itself) from a takeover. Domains generated this way are often composed of random characters, for example gdvf5yt.pl, which appear nonsensical but nevertheless allow the botmaster to manage their bots. While working on the detection of algorithmically generated domains (we have covered cases of their usage here and here) we found examples of domains which are similar in weirdness of appearance to those used in botnets, but are used for different, legitimate, purposes. Identifying these domains is useful for eliminating a large number of false alarms in DGA botnet detection systems. In this entry we describe how such domains are used in a non-malicious way, and in a future post we will look into cases which can be seen as threats.
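As an added example, not code from the original entries, the following script ties together the two DGA posts: it implements the NXDomain-based detection described above (counting, per client, NXDOMAIN answers for random-looking names and reporting any random-looking name that did resolve as a candidate C&C domain) and the false-positive suppression this entry motivates, via an allowlist of suffixes known to carry legitimate machine-generated labels. The log format, the lexical thresholds, the allowlist and the sample log lines are all constructed assumptions for illustration.

```python
"""DGA botnet detection from resolver logs: a burst of NXDOMAIN answers for
random-looking names from one client, with an allowlist for legitimate
machine-generated names. Added example; formats and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed sample resolver log, one "<client> <qname> <rcode>" per line (assumed format).
SAMPLE_LOG = """\
10.0.0.5 pkjdgjwzcr.pl NXDOMAIN
10.0.0.5 qzvmtxplwa.pl NXDOMAIN
10.0.0.5 bhtrkqwnsd.pl NXDOMAIN
10.0.0.5 wlpxzrvqjt.pl NXDOMAIN
10.0.0.5 gdvf5yt.pl NOERROR
10.0.0.7 www.cert.pl NOERROR
10.0.0.7 a1b2c3d4e5f6.cdn.example.net NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.9 typo-of-google.com NXDOMAIN
"""

# Hypothetical allowlist of suffixes whose subdomain labels are legitimately
# machine-generated (CDN / cloud hostnames); built from the benign cases this entry describes.
ALLOWLIST_SUFFIXES = ("cdn.example.net",)

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random strings score high, repetitive ones low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label: str, min_len: int = 7, min_entropy: float = 2.5,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Lexical heuristic: long, high-entropy, vowel-poor labels (thresholds are assumptions)."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def is_allowlisted(qname: str) -> bool:
    """Legitimate generated-looking names are excluded before scoring."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def looks_dga(qname: str) -> bool:
    """Score every label except the TLD (a production system would use the public suffix list)."""
    if is_allowlisted(qname):
        return False
    labels = qname.lower().rstrip(".").split(".")[:-1]
    return any(looks_generated(label) for label in labels)


def parse_log(text: str):
    """Turn the assumed log format into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2].upper()))
    return records


def detect(text: str, nx_threshold: int = 3) -> dict:
    """Return {client: {"nxdomain": [...], "resolved": [...]}} for clients whose number of
    NXDOMAIN answers for DGA-looking names reaches nx_threshold. The "resolved" list holds
    DGA-looking names that did resolve: the domains the botmaster actually registered."""
    per_client = defaultdict(lambda: {"nxdomain": [], "resolved": []})
    for client, qname, rcode in parse_log(text):
        if not looks_dga(qname):
            continue
        bucket = "nxdomain" if rcode == "NXDOMAIN" else "resolved"
        per_client[client][bucket].append(qname)
    return {c: v for c, v in per_client.items() if len(v["nxdomain"]) >= nx_threshold}


if __name__ == "__main__":
    for client, hits in detect(SAMPLE_LOG).items():
        print(f"{client}: {len(hits['nxdomain'])} NXDOMAIN answers for DGA-like names; "
              f"candidate C&C: {hits['resolved']}")
```

On the sample log only 10.0.0.5 is flagged: four random-looking names returned NXDOMAIN and one (gdvf5yt.pl) resolved, so that is the name to pivot on. The CDN-style label a1b2c3d4e5f6 would pass the lexical test on its own, which is exactly the false alarm the allowlist removes; the typo domain queried by 10.0.0.9 is NXDOMAIN but pronounceable, so it is not counted.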
During the last few days, we have observed an attack on Polish users of the auction website Allegro.pl and of the hotel reservation portal Booking.com. Victims received a personalised e-mail informing them that their account had been blocked, either due to outstanding fees or due to inappropriate auction content. In the case of Booking.com, users were led to believe that they had made a reservation and that an invoice for it was attached to the e-mail. Both campaigns had nearly identical infection schemes, which makes it very likely that they were carried out by the same person or group.
On multiple occasions we have informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes a bank account number that has been copied to the clipboard. It works when we try to, for example, pay a bill and copy the bank account number in order to paste it into the wire transfer form of the online banking site. Instead of paying the bill, we send the money to the attacker. In this article we publish a detailed analysis of this threat. We consider it serious, because we constantly receive reports from users who have been infected with it and whose money has been stolen.