Hesperbot: analysis of a new
banking trojan
Anton Cherepanov
cherepanov@eset.sk
2. The Discovery…
ZeroNights 2013
• Early testing variants: Turkey – April 2013 (malware operators probably active even earlier)
• Peak activity in Turkey: July – September 2013
• Czech spreading campaigns: since August 8, 2013

3. The beginning of Czech campaign

4. Targeted Countries
• tr-botnet
• cz-botnet
• pt-botnet
• uk-botnet
• + few other test botnets
Chart labels: United Kingdom, Thailand, Portugal, Rest of the world

5. Win32/Spy.Hesperbot Architecture
Downloadable Modules
• x86 & x64 versions

6. Win32/Spy.Hesperbot Dropper
Injects core into explorer.exe
I. Spawn new explorer.exe, patch NtGetContextThread
II. “PowerLoader trick”: Shell_TrayWnd / SetWindowLong / SendNotifyMessage
III. Common CreateRemoteThread method

7. Win32/Spy.Hesperbot Core
• C&C communication (hard-coded domain + DGA)
• Enumerating SmartCards
• Launch plug-in modules: socks, keylog, hvnc, sch, nethk, httphk, httpi
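Slide 7 says the core reaches its C&C through a hard-coded domain plus a DGA. The check a defender would want against that is on the DNS side: score query names for generated-looking labels and flag hosts that issue bursts of them. The script below is an added example, not code from the presentation or from ESET; the log format, the sample lines and the thresholds are constructed assumptions, and the heuristic is generic (entropy, length, vowel ratio) rather than a model of Hesperbot's actual DGA, which the slides do not describe.

```python
"""Flag DGA-like DNS lookups in a constructed DNS query log.

Added example: a generic lexical heuristic, not Hesperbot's real DGA
(the slides do not describe the algorithm).
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname>".
SAMPLE_DNS_LOG = """\
2013-09-12T10:01:02 10.0.0.5 www.example.com
2013-09-12T10:01:05 10.0.0.5 cdn.example.net
2013-09-12T10:01:07 10.0.0.5 xk3qz7vb2mpn9w.com
2013-09-12T10:01:08 10.0.0.5 q8rj2nt4lwz6yp.net
2013-09-12T10:01:09 10.0.0.5 v1c9fjx0hm3kd7.org
2013-09-12T10:01:11 10.0.0.5 mail.example.org
2013-09-12T10:01:12 10.0.0.9 update.example.com
2013-09-12T10:01:13 10.0.0.9 fjd8a2kqlz.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def parse_dns_log(text):
    """Return (timestamp, client, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Second-level label of the query name (crude: ignores public-suffix rules)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Lexical features used by the heuristic."""
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n if n else 0.0,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n if n else 0.0,
    }


def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Long, high-entropy, vowel-poor labels look machine generated.

    The thresholds are assumptions chosen for this example; tune them against
    your own benign traffic before relying on them.
    """
    f = label_features(label)
    return (f["length"] >= min_len
            and f["entropy"] >= min_entropy
            and f["vowel_ratio"] <= max_vowel_ratio)


def find_dga_clients(records, min_hits=3):
    """Clients with at least min_hits generated-looking lookups, with the names.

    A single odd name is weak evidence; a DGA host typically queries many
    candidates in a short time, so the burst count is the real signal.
    """
    hits = defaultdict(list)
    for _ts, client, qname in records:
        if looks_generated(registrable_label(qname)):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_dga_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, "->", ", ".join(names))
```

On the constructed log only 10.0.0.5 is reported: it queried three generated-looking names, while 10.0.0.9 queried one and stays under the burst threshold. Two caveats follow from the slide itself: the hard-coded domain is reached without any DGA lookup, so this heuristic alone never sees the primary C&C and must be paired with known-bad indicators, and CDN or tracking hostnames produce false positives, so the per-client count matters more than any single name.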
8. Network Traffic Interception
Intercepting HTTP and HTTPS:
• Form-grabbing
• Web-injects
The following browsers are affected:
• Internet Explorer, Mozilla Firefox, Google Chrome, Opera, Safari, Yandex Browser, SeaMonkey, K-Meleon, Maxthon, Avant Browser, Sleipnir, Deepnet Explorer

9. Network Traffic Interception
1. Creates local proxy
2. Hooks mswsock.dll functions
Embedded Certs for HTTPS:
• self-signed certificate

10. (no text on slide)

11. Certificate Pinning

12. Certificate Pinning

13. Bypassing Certificate Verification
Browser process → Hooked functions
• iexplore.exe, maxthon.exe, avant.exe, sleipnir.exe, webkit2webprocess.exe, browser.exe, chrome.exe, deepnet.exe → CertVerifyCertificateChainPolicy and CertGetCertificateChain in crypt32.dll
• firefox.exe, seamonkey.exe, k-meleon.exe → CERT_VerifyCertificate, CERT_VerifyCert, CERT_VerifyCertificateNow, CERT_VerifyCertNow and CERT_VerifyCertName in nss3.dll
• opera.exe → Function in opera.dll
14. Network Traffic Interception (no text on slide)

15. Example Configuration Files (no text on slide)

16. Example Configuration Files (no text on slide)

17. Example Configuration Files (no text on slide)

18. Example Configuration Files (no text on slide)

19. (no text on slide)

20. (no text on slide)

21. (no text on slide)

22. Mobile component
• Android
• BlackBerry
• Symbian

23. Comparison with Gataka
Feature → Gataka / Hesperbot
• Web-injects → ✔ / ✔
• Supported browsers → IE, Firefox, Chrome, Opera + some less known ones / same + Safari (full list on slide 8)
• Form-grabbing → Via web-injects / Through local proxy
• Video capturing, Keylogger, Modular architecture → ✔ ✔ ✔ ✔ ✔ (five check marks across these three rows in the slide text)
• Configuration format → database file / XOR encrypted
• C&C communication → HTTPS (one entry in the slide text)
• Remote access → VNC / VNC
• Mobile component → ? / ✔
• Price → ~3300 EUR (Zutick) / ?
• Most targeted → Germany, Netherlands, Scandinavia / Turkey, Czech Republic, Portugal

24. Conclusion
• New code written from scratch
• Real money stolen
• On-going investigation
• Similar / reusable web-inject format
• Monitoring botnet activity, tracking new versions…
• Strictly localized campaigns

25. Thank you!
cherepanov@eset.sk
samples@eset.sk
WeLiveSecurity.com
Virusradar.com
