Banking Trojan Harvests Newspaper Readers' Credentials

Financial malware performs brute-force guesses of valid usernames and passwords, possibly for attacks against consumer bank accounts.
Beware financial malware that's trying to harvest usernames and passwords from a major newspaper's website.

That unusual warning comes by way of security firm ESET, which said it's observed financial malware known variously as Gataka and Tatanga being used in four recent attack campaigns. Targets include banks in Germany and the Netherlands, as well as an attack that's "trying to obtain accounts on a major U.S. newspaper's website by performing brute-force guesses of usernames and their passwords," said Jean-Ian Boutin, a malware researcher at ESET. "If this process is successful, the account information could possibly then be used to harvest private information or access paid content."

In all the campaigns, ESET observed the malware connecting with between three and ten different hacked Web pages, which served as proxies for the botnet's command-and-control (C&C) server. Boutin estimated that the underlying botnet contained "somewhere between 20,000 and 40,000 infected hosts," with the vast majority of compromised--or zombie--PCs located in Germany.

The Gataka malware itself was first detailed by S21sec in February 2011. The security firm dubbed the Trojan application, written in C++, as being "rather sophisticated" given its ability to hide on infected systems. It does that in part by downloading encrypted modules--in the form of DLL files--after it infects a system. According to S21sec, these modules or plug-ins offer additional functionality and are decrypted in memory when injected to the browser or other processes to avoid detection by antivirus software.


"In fact, when only the main component is present, there is not much functionality available to the bot-master," said ESET's Boutin. In addition, the malware in many cases also downloaded HTTP injection configuration, providing customized attack capabilities for targeted sites.

S21sec has likened the malware, aimed at banks in Germany, Portugal, Spain, and the United Kingdom, to SpyEye, noting that "it can perform automatic transactions, retrieving the mules [the latest information on details of legitimate bank accounts used by criminals and their money mules to launder stolen funds] from a server, and spoofing the real balance and banking operations of the users."

"Depending on the targeted bank, the Trojan can passively grab the credentials or ask for more in order to make the fraudulent transaction [succeed] in the user session," said S21sec. "In some cases the requested credentials include the [over the phone] mobile key," meaning the malware can run a social-engineering attack to trick users into sharing a one-time PIN sent by their bank, to be used to authorize a transaction initiated by the malware.

Once the malware infects a system, it can also grab email addresses, detect and delete other installed malware--including Zeus--encrypt its communications with C&C servers, and record all HTTP traffic. To do that, a malware module known as Interceptor creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined, according to ESET. "In the case of HTTPS traffic, fake certificates--encrypted in the plug-in resources--are used between the client and the proxy server," ESET explained. "The browser certificate checking functions are also patched, in an attempt to hide to the user that fake certificates are used."
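Because Interceptor sits between the browser and the network and hands back a forged certificate, a defender can compare the certificate fingerprint a suspect host actually sees with one recorded out-of-band from a clean machine. The following is an added illustration, not code from ESET or S21sec; the host name, pin table and sample certificate bytes are constructed.

```python
import hashlib
import socket
import ssl

# Constructed pin table: SHA-256 fingerprints of the leaf certificates that a
# clean, trusted machine observed for each banking host (hypothetical values).
KNOWN_GOOD_PINS = {
    "bank.example": {"aa" * 32},
}


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate (the value browsers display)."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_pem(pem: str) -> str:
    """Same fingerprint computed from a PEM-encoded certificate."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def classify(host: str, observed_fp: str, pins=KNOWN_GOOD_PINS) -> str:
    """Compare what this machine sees against the out-of-band pin set.
    A MISMATCH on a pinned host means something between the client and the
    bank (for example a local interception proxy) substituted a certificate."""
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    return "ok" if observed_fp in expected else "MISMATCH"


def fetch_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate exactly as this machine sees it.
    Verification is disabled on purpose: a forged certificate would otherwise
    abort the handshake before we could record its fingerprint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint_from_der(tls.getpeercert(binary_form=True))


def check_host(host: str, port: int = 443) -> str:
    """Network entry point: classify the certificate the live connection returns."""
    return classify(host, fetch_leaf_fingerprint(host, port))


# Constructed sample: arbitrary bytes wrapped as PEM so the fingerprint path can
# be exercised offline (not a real certificate).
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"abc")
```

Run the comparison from the suspect machine against pins collected elsewhere; malware that instead hooks the TLS library on the host could also feed this script a clean-looking certificate, so treat a match as absence of one specific indicator, not as a clean bill of health.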

The malware also offers both 32-bit and 64-bit support, defenses against virtual machines, blocks Trusteer Rapport in-browser security software from being downloaded, dumps online banking pages and sends them to the C&C server to facilitate future attacks, records lists of sites visited--and on designated sites, also video--and injects JavaScript into visited Web pages to launch a man-in-the-browser (MitB) attack that tries to bypass SMS-based transaction authorizations.

Gataka is compatible with nine browsers: Internet Explorer, Firefox, Chrome, Opera, Safari, Konqueror, Maxthon, Minefield, and Netscape.

Whoever is behind the malware also offers frequent updating. "When communicating with the C&C, the client provides a list containing all its installed plug-ins and their versions," said Boutin. "The server can then send updated or new plug-ins to the Trojan. In one of [Gataka's] campaigns that we followed, we observed updates to the main component every two to three days, while the plug-ins did not evolve significantly. These updates seemed to be mostly for evading detection by anti-malware software."

The malicious code highlights that, when it comes to malware, would-be attackers have multiple options. "Gataka might not be as widely deployed by bot masters as SpyEye or Zeus, but it can achieve similar goals," said Boutin. "Will its modular and stable architecture attract more cyber thieves in the future? It would not be surprising, but only time will tell."
