
[CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada


Page 1: [CB16] Background Story of "Operation neutralizing banking malware" and highly developed financial malware by Kazuki Takada

Copyright© 2016 SecureBrain Corporation, All rights reserved. Copyright© 2016 SecureBrain Corporation, All rights reserved.

Behind “Operation Banking Malware Takedown” and the Progression of Malware Sophistication

2016.10.20 - 21, CODE BLUE 2016

SecureBrain Corporation, Kazuki Takada

Page 2

http://www.securebrain.co.jp

Profile

• Kazuki Takada
• SecureBrain Corporation
• Software Engineer. My regular work is software development; sometimes I am a security researcher (sometimes that is the main work…).

Page 3

Background

Page 4

Question

What’s this number?

3073000000

Page 5

Answer

Amount of fraudulent Internet banking money transfers in Japan in 2015: ¥3,073,000,000 (about $30 million)

https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf

Page 6

Internet Banking Fraud in Japan

[Chart: fraudulent transfer losses by year]
2013: $14 million
2014: $29 million
2015: $30 million

https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf

Page 7

IPA Top Security Threat List

• Top 10 Security Threats for 2016.

Page 8

Overview of “Operation Banking Malware Takedown”

Page 9

Operation Banking Malware Takedown

http://www.keishicho.metro.tokyo.jp/haiteku/haiteku/haiteku504.htm

Page 10

Operation Banking Malware Takedown

[Diagram: the MPD distributes data through the C&C server to the victim PC; the threat to the bank web server is disabled.]

MPD : Metropolitan Police Department

Page 11

The target is “VAWTRAK”

https://www.flickr.com/photos/arenamontanus/2125942630

*Other names: Neverquest, Snifula

Page 12

VAWTRAK

Page 13

What’s VAWTRAK

• VAWTRAK has been around in Japan since 2014.
• Rewrites communication content by MITB
  – Browser injection process (IE, Firefox, Chrome)
• Executes the following during Internet banking:
  – Falsifies banking credential information
  – Semi-automatic fraudulent money transfer

Page 14

What’s MITB?

MITB: Man In The Browser

[Diagram: on the victim PC, VAWTRAK injects into the browser, sitting between the browser and the web server, and rewrites HTML, shows dummy screens, etc.]

Page 15

What’s happened?

[Diagram: VAWTRAK infection on the user PC (Registry); Configuration data delivered from the C&C server; the manipulation server and the bank web server are the other parties.]

Page 16

What’s happened?

[Diagram: the user PC sends a request to the bank web server; VAWTRAK injects a <script src="…"> tag into the original content, which begins <html><head><title>Internet Banking</title>. The C&C server and the manipulation server are also shown.]

Page 17

What’s happened?

[Diagram: with the page now reading <html><head><title>Internet Banking</title><script src="…">, the user PC requests the malicious JavaScript from the manipulation server, then downloads and executes it.]

Page 18

What’s happened?

[Diagram: a fake input screen on the user PC asks for user account information and a code number (“*******”) with a Send (送信) button; the C&C server, manipulation server and bank web server are also shown.]

Page 19

Operation Banking Malware Takedown

Page 20

A chance for collaboration

Page 21

Semi-automatic remittance fraud

[Screenshot: dummy screen “ABC Direct main menu” (ABCダイレクト メインメニュー) with fields for customer number (お客様番号) and one-time password (ワンタイムパスワード); footer “Copyright ABC Bank Co.,Ltd All Right Reserved”]

The fraudulent money transfer procedure is executed from the victim PC while the user is waiting for the progress bar to finish.

Page 22

Request flow

[Diagram: Victim PC, Bank, Manipulation server]
• Login (login credential info.) → Login process → Login screen
• Account info screen → Tap balance info → Balance info.
• Money transfer info & amount of transfer → Money transfer process
• Progress bar (display some input screen if necessary)

http://www.slideshare.net/MasataNishida/avtokyo2014-obsevation-of-vawtrakja

Page 23

Tried to send the same request as the malicious JavaScript

[Screenshot: Beneficiary Information; Amount of Transfer (upper limit / lower limit)]

Page 24

Collaboration with Metropolitan Police Department (MPD)

• SecureBrain shared the beneficiary account information it collected by researching the manipulation server with the Metropolitan Police Department (MPD).
• The MPD prevented illegal money transfers by using that beneficiary account information.

The Metropolitan Police Department and SecureBrain made a cooperative agreement.

Page 25

Collaboration with Metropolitan Police Department (MPD)

• The MPD holds a domain of the C&C server.
• The domain name was obtained using the regular procedure.
• They watched the communication between VAWTRAK and the C&C server.
• They identified 82,000 victim clients worldwide, with 44,000 clients located in Japan.

The MPD considered distributing new “Configuration data” for the takedown.

Page 26

Technical overview

[Diagram: the MPD gets the domain and puts it under control, then distributes data from the C&C server to the victim PC; SecureBrain provides the neutralization data generation tool; the bank web server is no longer under threat.]

Page 27

Who is in charge of each technology...

Metropolitan Police Department
• Obtain control of the C&C server and construct the data distribution server.
• Testing

SecureBrain
• Development of the “Command” and “Configuration data” generation tool. It uses a decryption technique for VAWTRAK.
• Investigate the type of data required to neutralize VAWTRAK.

Page 28

Development of neutralization technique

Page 29

Features available for a takedown of VAWTRAK (bot)

[Diagram: Victim PC ↔ C&C Server]
• The bot polls the server every minute.
• When there is an effective communication, it does not communicate with other C&C servers.

Page 30

Command

20 commands were identified, including:
• Configure data
• Download and execute file
• Shutdown, reboot
• Steal Cookie
• Steal CertStore
• Start and Stop Socks server
• Start and Stop VNC server
• Update
• Registry operations
...etc.

Page 31

Configuration data

Replacement data that makes the browser communicate with the manipulation server.

Decrypted configuration data contains:
• Target URL
• Malicious code for injection

Page 32

Component of Configuration data

Name           Meaning
inject type    Type of injection
browser        Target browser
pattern match  Pattern type to match URL
URL            Target URL
string2        Target string
string3        Replace string
string4        Insert string

Page 33

inject type

18 inject types were identified, including:
• Close connection
• Screen capture
• Insert before
• Insert after
• Replace URL
• Replace host
• Replace string
...etc.

Page 34

browser / pattern

browser
• Internet Explorer
• Firefox
• Chrome

pattern
Type    Meaning
strstr  strstr function
strcmp  strcmp function
regexp  Regular expression

Page 35

Let’s look at the “Configuration data” again.

Page 36

Configuration data

Type         Meaning
inject type  insert before
browser      IE, Firefox, Chrome
URL          Target URL (regular expression)
string2      Target string
string3      -
string4      JavaScript for injection

Page 37

Configuration data

Type         Meaning
inject type  replace URL
browser      IE, Firefox, Chrome
URL          Target URL
string2      Target string
string3      URL to replace with
string4      -
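The component table (page 32), the three pattern types (page 34) and the two entries on pages 36 and 37 together define how a decoded configuration decides which pages it touches. The following added example (not SecureBrain's generation tool or any code from the talk) models that decision as a triage helper a bank's security team could run over its own URLs to learn whether, and how, a decoded configuration targets them. The entry fields follow the slides' names; the sample entries, the `example-bank.invalid` and `manipulation.invalid` hosts and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class InjectEntry:
    """One decoded configuration entry, named after the slides' component table."""
    inject_type: str        # e.g. "insert before", "replace URL", "close connection"
    browsers: frozenset     # subset of {"IE", "Firefox", "Chrome"}
    pattern: str            # "strstr", "strcmp" or "regexp" (the URL match type)
    url: str                # target URL, or a regular expression when pattern == "regexp"
    string2: str = ""       # target string inside the page
    string3: str = ""       # replace string
    string4: str = ""       # insert string


def url_matches(entry: InjectEntry, url: str) -> bool:
    """Apply the entry's pattern type to a visited URL, as the slides describe them."""
    if entry.pattern == "strstr":       # substring search, like C strstr()
        return entry.url in url
    if entry.pattern == "strcmp":       # exact comparison, like C strcmp() == 0
        return entry.url == url
    if entry.pattern == "regexp":       # regular expression
        return re.search(entry.url, url) is not None
    raise ValueError(f"unknown pattern type: {entry.pattern!r}")


def entries_for(config, url: str, browser: str):
    """Entries that would fire for this URL in this browser."""
    return [e for e in config if browser in e.browsers and url_matches(e, url)]


def triage(config, monitored_urls, browsers=("IE", "Firefox", "Chrome")):
    """Map each monitored URL to {browser: [inject types that fire]}.

    URLs no entry matches get an empty dict, so the report also shows
    which of the bank's pages the configuration leaves alone.
    """
    report = {}
    for url in monitored_urls:
        hits = {b: [e.inject_type for e in entries_for(config, url, b)] for b in browsers}
        report[url] = {b: types for b, types in hits.items() if types}
    return report


# Constructed sample configuration (not real data) mirroring the slides' two
# examples: an "insert before" entry carrying a <script> tag in string4, and a
# "replace URL" entry whose string3 points at a manipulation server.
ALL = frozenset({"IE", "Firefox", "Chrome"})
SAMPLE_CONFIG = [
    InjectEntry("insert before", ALL, "regexp",
                r"^https://www\.example-bank\.invalid/(login|transfer)",
                string2="</head>",
                string4='<script src="https://manipulation.invalid/x.js"></script>'),
    InjectEntry("replace URL", frozenset({"IE"}), "strstr",
                "example-bank.invalid/api/balance",
                string2="/api/balance",
                string3="https://manipulation.invalid/balance"),
    InjectEntry("close connection", ALL, "strcmp",
                "https://www.example-bank.invalid/security-notice"),
]

# Constructed list of the bank's own pages to check against the configuration.
MONITORED = [
    "https://www.example-bank.invalid/login",
    "https://www.example-bank.invalid/api/balance?acct=1",
    "https://www.example-bank.invalid/security-notice",
    "https://www.example-bank.invalid/help",
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE_CONFIG, MONITORED).items():
        print(url, hits or "not targeted")
```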

Page 38

About the generation tool

• Execution check environment
  – Linux OS
  – Python 2.7.x
• The tool generates the binary data that VAWTRAK can read as input for Command and Configuration data.
• Because the output data is delivered by the C&C server and read by VAWTRAK, VAWTRAK’s configuration is renewed.

Page 39

Generating flow of Configuration data

[Diagram]
Raw configuration data (JSON format)
→ CRC32 computed from the raw configuration data
→ Compression process (aPLib)
→ Encryption process (XOR)
→ Encrypted configuration data (binary)

Page 40

Demo

• Control of VAWTRAK

Page 41

Experiment sandbox environment

[Diagram: dummy C&C server and victim PC running under VMware on a Mac OS X host, with Internet access]

Host machine  Mac OS X 10.10
Dummy C&C     Ruby 2.0 + Sinatra
Victim PC     Various Windows versions (XP and later)
Browser       Internet Explorer, Chrome, Firefox

Page 42

The body of neutralization data

Page 43

Effect of the takedown operation

https://www.npa.go.jp/cyber/pdf/H280303_banking.pdf

Page 44

Discussion

• Damage by VAWTRAK increased from mid-2013 but decreased after the operation.
• Because the police carried out the operation, it might have had a psychological effect on the attacker, not only a technical one.
• There are some problems; for example, the domain needs to be obtained beforehand.

Page 45

The Progression of Malware Sophistication

Page 46

Major malware in 2016

• ROVNIX (other name: Cidox)
• URLZONE (other names: Shiotob, Bebloh)
• VAWTRAK (New) (other names: Neverquest, Snifula)
• URSNIF (other name: Gozi)

Page 47

[Diagram: Group A (ROVNIX) and Group B (URLZONE, VAWTRAK (New)); each group is marked “= Malicious JavaScript” and “target 30”]

Page 48

The attack method of MITB is almost the same.

Page 49

What changes?

Page 50

Point

• Prevents rewriting of the malware’s communication with the C&C server
  – The private key for “Serpent” is encrypted using public-key encryption (RSA-2048).
  – ROVNIX signs the contents of its communication with RSA-2048.
• Malware is updated frequently
  – Detection by pattern matching becomes more difficult.
  – It can inject even into the latest browsers.
• Various communication methods
  – Both HTTP and UDP P2P communications are used to get Configuration data.
• Sophistication of malicious JavaScript

Page 51

Sophistication of malicious JavaScript (1)

Page 52

Request flow

[Diagram: Victim PC, Bank, Manipulation server]
• Login (login credential info.) → Login process → Login screen
• Remittance process: request of settlement info. → dummy screen of security software → settlement info.
• Display some input screen as necessary

Page 53

Discussion

• Prevents rewriting of communication.
• Multiplexed communication channels.
• Concealed information is processed on the server.

Security for maintaining the attack activity has been strengthened.

Page 54

Conclusions

Page 55

Conclusions

• It is very important that the police take the lead in a takedown operation.
• The reaction of the attacker is very quick. We always have to think about new prevention techniques.
• It is difficult to simply apply the methods of this operation to sophisticated malware.

Page 56

Effective takedown operation…

https://www.flickr.com/photos/hackaday/4658391708

Page 57

It is essential for the government, the police, the judiciary, and the company to cooperate together.
