Banking trojans are rife, infecting thousands of users around the globe and helping cybercriminals gain illegal access to banking credentials and account information. But to do this, they often need assistance from an assortment of trojan downloaders, webinject files and the like. In this feature, we take a closer look at four especially severe examples.
Waski spreads Dyre
Waski isn’t technically a banking trojan, but rather a malicious program that helps to download a banking trojan onto the victim’s computer. It is increasingly common in English-speaking regions, including the US, Canada, the UK, Australia, New Zealand and Ireland, but was also found to be widespread in Germany, Austria, Switzerland, Italy among others.
Named Waski – and detected by ESET as Win32/TrojanDownloader.Waski – it was first discovered in late 2013. Once excecuted, it downloads and spreads a banking trojan including Dyre (or Win32/Battdil) on the computer.
Its method of getting onto the victim’s machine in the first place involves social engineering and email phishing. The downloader masquerades, for example, as a PDF file by employing the Adobe icon. However, the extension actually reveals that the extension is an executable (EXE) file.
When launched, Waski verifies the IP address of the compromised computer and then creates a unique ID number that is sent to the cybercriminal’s command and control (C&C) server. The payload downloaded comes under the form of another PDF file that also has the right extension, but this one also includes the banking trojan.
On a compromised computer, it can intercept credentials from a large list of websites for financial institutions when accessing them via any of the major web browsers, including Google Chrome, Mozilla Firefox and Internet Explorer.
This makes Waski a useful tool in any attacker’s arsenal for stealing money.
Customizable webinjects trick bank customers
Webinject configuration kits have long been used in conjunction with banking trojans to alter the web pages that a victim sees. In other words, it attempts to convince a user that what they are viewing is legitimate, when it is anything but.
However, in more recent months, there have been signs that the market has become commoditized, with prices falling ever lower. This has led to the creation of customizable webinjects with new features.
This has been discussed in detail by ESET malware researcher Jean-Ian Boutin, who presented The Evolution of Webinject at the 24th Virus Bulletin conference in Seattle last year. After studying these webinject kits, Boubain found commoditization, which is the sign of cybercrime-as-a-service, gathering pace.
“I have been studying banking trojans for several years now and have looked at many, many different webinjects,” he wrote in an article last autumn. “After a while, we started to see common patterns in different webinjects used across different banking trojans. We saw code and administration panels being reused as well as sellers becoming popular in underground forums.”
CPL malware lets criminals monitor online banking sessions
Brazil is one of the most populous countries in the world, with one of the globe’s fastest-growing economies. It is also one of the countries with the highest percentage of internet users using online banking so – sadly – this makes it an obvious target for cybercriminals with banking trojans.
CPL malware is particularly widespread in the country, and commonly looks to trick users into downloading and installing banking trojans onto the infected systems.
Described by ESET malware analyst Matias Porolli and head of LATAM research lab Pablo Ramos as being “somewhere between banking trojans and malicious emails” in their whitepaper, CPL malware commonly refers to a mix of social engineering and phishing emails.
The malware is embedded in sent ZIP files and downloaded onto the machine when the victim clicks to download. But rather than download the file they thought they were getting, the system actually begins to execute the CPL. file. At this point, the cybercriminals can monitor the victim’s access to banking sites, redirect them to malicious sites or hijack the banking session. They can then capture their account information.
Operation Buhtrap relies on NSIS trojan downloader
In April, security experts at ESET published an in-depth examination on the Operation Buhtrap malware family, a campaign that saw cybercriminals spy on Russian Windows users, as well as steal sensitive and smartcard information.
Exploiting Word vulnerabilities, the cybercriminals would spam recipients with fake invoices or contracts from MegaFon – a large Russian mobile phone operator – in an attempt to lure victims into opening the malicious attachments in the email.
The malware used in Operation Buhtrap makes use of a mix of off-the-shelf tools, a NSIS-packed trojan downloader and bespoke spyware that abuses Yandex’s Punto software.
The tools deployed on the victim’s computer allow the cybercriminals to control the computer remotely and to record its user’s actions. The malware allows the criminals to install a backdoor, attempts to obtain the account password and even tries to create a new account. It also installs a keylogger, a clipboard stealer, a smart card module and has the capability to download and execute additional malware.
Banking trojans: numerous and dangerous
All of the examples discussed above illustrate the variety of online banking exploiting techniques that cybercriminals have access to, as well as drawing attention to just how serious the cybercrime-as-a-service market has become. Banking trojans, old and new, will continue to be a used for a variety of attacks because, to state the obvious, the financial services sector is where the money – and lucrative sensitive data – is held. Ensuring that they have little impact is an ongoing challenge.