Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Banking Trojan Harvests Newspaper Readers' Credentials

Financial malware performs brute-force guesses of valid usernames and passwords, possibly for attacks against consumer bank accounts.

Beware financial malware that's trying to harvest usernames and passwords from a major newspaper's website.

That unusual warning comes by way of security firm ESET, which said it's observed financial malware known variously as Gataka and Tatanga being used in four recent attack campaigns. Targets include banks in Germany and the Netherlands, as well as an attack that's "trying to obtain accounts on a major U.S. newspaper's website by performing brute-force guesses of usernames and their passwords," said Jean-Ian Boutin, a malware researcher at ESET. "If this process is successful, the account information could possibly then be used to harvest private information or access paid content."

In all the campaigns, ESET observed the malware connecting with between three and ten different hacked Web pages, which served as proxies for the botnet's command-and-control (C&C) server. Boutin estimated that the underlying botnet contained "somewhere between 20,000 and 40,000 infected hosts," with the vast majority of compromised--or zombie--PCs located in Germany.

The Gataka malware itself was first detailed by S21sec in February 2011. The security firm dubbed the Trojan application, written in C++, as being "rather sophisticated" given its ability to hide on infected systems. It does that in part by downloading encrypted modules--in the form of DLL files--after it infects a system. According to S21sec, these modules or plug-ins offer additional functionality and are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software.

[ A two-year investigation ends in charges for 28 people for stealing financial and other personal information. Read about it at FBI Busts Massive International Carding Ring. ]

"In fact, when only the main component is present, there is not much functionality available to the bot-master," said ESET's Boutin. In addition, the malware in many cases also downloaded HTTP injection configuration, providing customized attack capabilities for targeted sites.

S21sec has likened the malware, aimed at banks in Germany, Portugal, Spain, the United Kingdom, to SpyEye, noting that "it can perform automatic transactions, retrieving the mules [the latest information on details of legitimate bank accounts used by criminals and their money mules to launder stolen funds] from a server, and spoofing the real balance and banking operations of the users."

"Depending on the targeted bank, the Trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction [succeed] in the user session," said S21sec. "In some cases the requested credentials include the [over the phone] mobile key," meaning the malware can run a social-engineering attack to trick users into sharing a one-time PIN sent by their bank, to be used to authorize a transaction initiated by the malware.

Once the malware infects a system, it can also grab email addresses, detect and delete other installed malware--including Zeus--encrypt its communications with C&C servers, and record all HTTP traffic. To do that, a malware module known as Interceptor creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined, according to ESET. "In the case of HTTPS traffic, fake certificates--encrypted in the plug-in resources--are used between the client and the proxy server," ESET explained. "The browser certificate checking functions are also patched, in an attempt to hide to the user that fake certificates are used."

The malware also offers both 32-bit and 64-bit support, defenses against virtual machines, blocks Trusteer Rapport in-browser security software from being downloaded, dumps online banking pages and sends them to the C&C server to facilitate future attacks, records lists of sites visited--and on designated sites, also video--and injects JavaScript into visited Web pages to launch man-in-the-browser (MitB) attack to try and bypass SMS-based transaction authorizations.

Gataka is compatible with nine browsers: Internet Explorer, Firefox, Chrome, Opera, Safari, Konqueror, Maxthon, Minefield, and Netscape.

Whoever is behind the malware also offers frequent updating. "When communicating with the C&C, the client provides a list containing all its installed plug-ins and their versions," said Boutin. "The server can then send updated or new plug-ins to the Trojan. In one of [Gataka's] campaigns that we followed, we observed updates to the main component every two to three days, while the plug-ins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software."

The malicious code highlights how when it comes to malware, would-be attackers have multiple options. "Gataka might not be as widely deployed by bot masters as SpyEye or Zeus, but it can achieve similar goals," said Boutin. "Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell."

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
7/25/2012 | 4:56:53 AM
re: Banking Trojan Harvests Newspaper Readers' Credentials
Much as I sympathise with the banks, I feel they should keep up to date with technology.
There is a security system which is being implemented
by two banks in the U.S and one in Hong Kong, and is being evaluated by a
European bank, in the wake of the report which stated that ATM crime is up
63% in Europe.
Basically, it means that the following security scenario is no longer a
problem:
Your ATM card is stolen, on the back of which you have written your PIN
number. Together with this, they stole the piece of paper, on which you
wrote your User ID and password.
To make things worse, a spy camera watched your last access.
Ordinarily, this would not be a Good Situation. However, if your bank is
incorporating the authentication method shown at
www.designsim.com.au , there is no way the thieves can access your
accounts.
The site features a fraudproof ATM and online trading application on the
demo pages.

Worth a look?
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35419
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
CVE-2021-28060
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
CVE-2021-28825
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
CVE-2021-28826
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
CVE-2021-28855
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).