Earlier this year Trusteer’s CTO Amit Klein blogged about two malware families, Tinba and Tilon, going back to basics. He observed that we are witnessing an interesting trend - organizations are rolling out advanced malware detection systems that force malware authors to drop some of their more advanced techniques and reuse older techniques that were abandoned years ago. The latest example of this trend is a Zeus variant that was detected by Trusteer’s security team this month. Using a unique HTML injection mechanism and static mule accounts, this malware is now targeting banks in Eastern Europe by covertly manipulating and performing transactions on the end user’s behalf.
In the last couple of years many organizations took note of the malware threat and deployed advanced malware detection systems. These new security solutions were familiar with all the latest tricks malware authors had to offer and contained effective counter measures. Malware authors (and their criminal clients) did not sit idle while their attacks were detected and eliminated – they fought back!
Here are just three examples of such cases examining the original criminal threat, the banks’ countermeasure, and the criminals’ response to the countermeasure:
1. Cybercriminals use stolen user credentials to commit fraud from their own devices.
Security solutions start using device ID and device reputation techniques to identify criminal devices and logins not originating from the known end user’s device.
Cybercriminals use RDP (Remote Desktop Protocol) to connect to the victim’s device and commit the fraudulent transactions from that trusted device. Device ID solutions see this as the legitimate client’s device and therefore do not generate an alert.
2. Cybercriminals use automatic scripts that create fraudulent transaction right after an infected user logs in to the account.
Security solutions start performing velocity tests to all transaction pages. If a transaction form is filled out in less than a second – it’s obviously not a human and the transaction is challenged or declined.
Cybercriminals created automatic scripts with a “slow fill” function that fills out the transaction form in a human-like way (characters are entered by the script with 0.1-2 second intervals). Velocity tests view the automated script as human and do not generate an alert.
3. Cybercriminals use HTML injections to display additional fields to victims who fill them out and provide the attackers with more data.
Security solutions compare page input fields to determine if the user is submitting data the bank did not ask for.
Cybercriminals respond by having the malware inject full pages (not alter the original bank page) to the victim. Effectively, the user is unknowingly filling out a malware generated page and not communicating with the bank’s website. The bank then only sees the fields expected and does generate an alert.
Trusteer’s security team has recently identified a Zeus variant that uses a rather curious way to overcome malware detection solutions. This particular variant targets an Eastern European bank whose transaction form contains typical data fields such as: the paying account, transaction amount, beneficiary account, beneficiary name, beneficiary address and a transaction title. An HTML injection is applied to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction data (while leaving the source account field names and transaction amount field name unchanged). This Zeus variant also injects mule account data with the correct field names instead of the altered fields. The victim fills in the transaction details (at the HTML level the field names for some data are incorrect), submits the form, and the bank receives an HTTP request for the transaction only with the correct fields that now specify a receiving mule account.
(Click on image above to see as separate image)
To recap – the malware uses a hardcoded HTML injection (with static mule account information) to perform fraudulent transactions. This technique, while simple and simplistic, offers two advantages over JS HTML injection: less “moving parts” (dynamic scripts) means tougher detection for anti-virus and anti-malware solutions and this technique will work on browsers whose users disabled JS for security reasons. Simple, crude – but effective!
Just as users, organizations and security solutions study and adapt to new threats, malware authors stay vigilant and invest a lot of effort into remaining stealthy. Trusteer’s Rapport can detect, mitigate and remove this, and other, Zeus variant from infected devices. Trusteer Pinpoint Malware Detection can identify and warn organizations of malware infected devices that attempt to login and transact with their website.