Tag: botnet

Ostap malware analysis (Backswap dropper)

Date of publication: 01/06/2018, Paweł Srokosz

    Malicious scripts, distributed via spam e-mails, have been getting more complex for some time. Usually, if you got an e-mail with .js attachment, you could safely assume it’s just a simple dropper, which is limited to downloading and executing malware. Unfortunately, there is a growing number of campaigns these days, where script doesn’t exit after downloading sample. Instead of ending its life – it remains active, waiting for additional commands or more samples to fetch. Some of the examples are: vjw0rm used in Vortex ransomware campaigns and Ostap – the main protagonist of our story.

    This article is an introduction to Backswap malware analysis, which is a second-stage malware downloaded by Ostap. Our analysis of Backswap malware will be published soon!

    Read more

    Analysis of a Polish BankBot

    Date of publication: 16/01/2018, Agnieszka Bielec


      Analysis of a Polish BankBot

      Recently we have observed campaigns of a banking malware for Android system, which targets Polish users. The malware is a variant of the popular BankBot family, but differs from the main BankBot samples. Its victims were infected by installing a malicious application from Google Play Store. We are aware of at least 3 applications that were smuggled to Google Play Store and bypassed its antivirus protection:

      • Crypto Monitor
      • StorySaver
      • Cryptocurrencies Market Prices

      The last one is an older version which was uploaded to VirusTotal on 13.10.2017.

      According to the ESET’s analysis “Crypto Monitor” and “StorySaver” reached between 1000 and 5000 downloads. In each case, the malware pretended to be a benign, useful application.

      Read more

      Analysis of Emotet v4

      Date of publication: 24/05/2017, Paweł Srokosz

      Introduction

      Emotet is a modular Trojan horse, which was firstly noticed in June 2014 by Trend Micro. This malware is related to other types like Geodo, Bugat or Dridex, which are attributed by researches to the same family.

      Emotet was discovered as an advanced banker – it’s first campaign targeted clients of German and Austrian banks. Victims’ bank accounts were infiltrated by a web browser infection which intercept communication between webpage and bank servers. In such scenario, malware hooks specific routines to sniff network activity and steal information. This technique is typical for modern banking malware and is widely known as Man-in-the-Browser attack.

      Next, modified release of Emotet banker (v2) has taken advantage of another technique – automation of stealing money from hijacked bank accounts using ATSs (Automated Transfer Systems, more informations on page 20 of CERT Polska Report 2013). This technology is also used in other bankers. Good examples are ISFB (Gozi) or Tinba.

      At the beginning of April 2017, we observed wide malspam campaign in Poland, distributing fraudulent mails. E-mails were imitating delivery notifications from DHL logistics company and contained malicious link, which referred to brand-new, unknown variant of Emotet.

      Malware distributed in this campaign differed from previously known versions. Behavior and communication methods were similar, but malware used different encryption and we noticed significant changes in its code. Thus we called this modification version 4.

      Read more

      How non-existent domain names can unveil DGA botnets

      Date of publication: 01/10/2015, piotrb

      dga_icon

      Domain Generation Algorithms are used in botnets to make it harder to block connections to Command & Control servers and to make it difficult to takeover botnet infrastructure. The main objective of these algorithms is to generate a big number of different domain names which usually look random, like

      <span class="text">pkjdgjwzcr.pl</span>

      . Only some of them are registered by a botmaster, however compromised hosts tend to query all of them until they find a working domain. As a result bots can receive a big number of non-existent domain name responses (in short: NXDomain). In this entry we will show how such behavior can be utilized to detect DGA botnets using examples of different detection methods.
      Read more

      DGA botnet domains: on false alarms in detection

      Date of publication: 17/04/2015, CERT Polska

      dga_icon

      Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose of this is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and botnet itself) from a takeover. Often domains generated this way are composed of random characters, for example:

      <span class="text">gdvf5yt.pl</span>

      , which appear as nonsensical, but nevertheless allow the botmaster to manage their bots. While working on detection of algorithmically generated domains (we have covered cases of their usage here and here) we have found examples of domains, which are similar in weirdness of appearance to those used in botnets, but are utilized for different – legitimate – purposes. Identification of these domains is useful in elimination of large number of false alarms in DGA botnet detection systems. In this entry we will describe how such domains are used in a non-malicious way and in a future post we will look into cases which can be seen as threats.
      Read more

      E-mail trojan attack on Booking.com and online auction website Allegro.pl clients

      Date of publication: 25/06/2014, CERT Polska

      slammerDuring the last few days, we have observed an attack on Polish users of auction website Allegro.pl and a hotel reservation portal – Booking.com. These attacks were directed at Polish users. Victims received a personalized e-mail that informed them that their account has been blocked either due to the outstanding fees or due to the inappropriate auction content. In case of Booking.com users were led to believe that they made a reservation and an invoice for that reservation is included in the e-mail message. Both campains had nearly identical infection schemes, which makes it very likely that they were performed by the same person or group.
      Read more

      A look on the VBKlip “battlefield”

      Date of publication: 29/05/2014, CERT Polska

      loveletter1On multiple occasions we informed about a new threat to Polish online banking users, which we named VBKlip. This is a new kind of malware that substitutes the bank account number that has been copied to the clipboard. This works when we try to, e.g. pay a bill, and we copy the bank account number to paste it to the online banking wire transfer page. Instead of paying the bill we send that money to the attacker. In this article, we publish a detailed analysis of this threat. We consider it a serious threat, because we constantly receive reports from users that they have been infected with it and their money has been stolen.

      Read more