Less than a month ago, S21sec e-crime detected a new threat that defeats the second authentication vector based on SMS.
Today, we’re back to announce a new technique which, although is already known, is affecting some organizations during the last weeks: Man in the Browser.
Briefly, this new technique (MitB), is implemented by a trojan that infects and controls a web browser, having the ability to modify pages, transaction information, etc. stealthy performing all its actions to both the user and the bank online application.
In this incident, the trojan is not the well-known ZeuS/Zbot, but his “competitor” known as SpyEye. By the end of 2009, a new banking Trojan called SpyEye made its appearance on the underground world. It is written in C++ and the supported systems range from Windows 2000 to Windows 7. It works in ring3 (user-mode), as its competitor ZeuS does, although this is not the only similarity between both Trojans.
SpyEye is sold in several forums as it is said to be undetectable by most anti-virus software; it also hides several files as well as registry keys. SpyEye implements many of the ZeuS’ features, though it is still in development. The distribution package of this Trojan is similar to Zbot/ZeuS and other fraud kits usually distributed in forums of Eastern Europe and Russia.
The main features of previous SpyEye’s versions are the following:
- Form Grabbing: It captures the data filled by the user in the fields of the forms submitted by the browser.
- Code injection: This technique involves the injection of HTML code in the victim’s browser to get additional information the organization wouldn’t ask for. In the configuration files analyzed, the requested information is usually the full security code.
- Stealing FTP and POP3 credentials: Includes network traffic monitoring, hooking into the API functions of filtering and credentials storage, mainly to monitor the traffic and looking for “USER” and “PASS” values.
- Basic http authentication Theft: A similar approach to the FTP and POP3 credentials theft.
In the version discussed in this incident, it also includes the following features:
- Screenshots: in the configuration file you can set up the URLs that will trigger a screenshot capture, configuring a specific screen zone with its dimensions.
An example is:
https://onlineaccess.mybank.com/authenticate* 500 200 10 60
- Ability to do Man in The Browser (MitB).
We have noticed an increase in the number of SpyEye samples in the wild since the past September, which led us to think that this trojan campaign started on this month:
The first fraud incidents were detected around the middle of October, with at least two different trojan samples. It is important to say that we have only seen this technique affecting to one of the affected organizations. Although this attack is completely functional, our feelings are that it’s still in its testing phase.
We are still working on the analysis of the binary, but the behaviour observed is the same one we detected in the binary discovered last February. Nevertheless, some improvements have been noticed in relation to his config file encryption algorithm. The samples detection is 62% and 20% respectively.
- The trojan gets the data from the accounts and sends them to the C&C server
- If the account balance exceeds a certain amount of money, it returns the data account in which must perform the fraudulent transfer (mule), using the following format:
[ "trans" = 1, "info" = [ "check" = [ 0 = XXXX, 1 = XXXX, 2 = XX, 3 = XXXXXXXXXX ], "sum" = 493, "name" = "Peter", "address" = "12 street, nº1 1ºA", "city" = "NY", "comment" = "Transfer" ] ]
- The trojan fills in the form with these details and stays in waiting mode.
- Several details are requested from the user, for instance the signature key.
- With the data fetched, it sends the transfer form to the bank.
- It modifies the account balance in order to hide the fraud.
As you can see, by intercepting the legitimate user’s session, the fraud is commited in a much more difficult way to be detected by the organization
In the tests analyzed, it seems that three differents accounts are used to perform the fraudulent transfer. In this incident, all of them belong to spanish organizations.
S21sec e-crime will keep you updated as soon as we have additional information of this new technique.