Malware from the KINS family is targeting specific Italian bank users with ATSEngine, which can dynamically inject code into the victim's browser and manage the “drops” in a fully automatic way.
INTRODUCTION
In the past we managed to analyse all well-known malware and their C&C servers. We saw a “Kins” malware with a unique “ATS” engine acting like a real electronic web banking application in auto-pilot mode (1). We all know how easy it is to go underground and buy malware kits with MitB (2) add-ons for well-known electronic banking web applications, and also to order a custom one. These injectors are the main weapon used by the bad guys against electronic banking applications where 2-factor authentication “Tokens” is implemented.
This research article is a short technical publication focused on the technical approach used by the attackers. Because the attack campaign is “ALIVE” I will not reveal the real IP addresses and the real name of the targeted bank.
Kins origin malware with unique ATSEngine.
Page 1
Kins origin malware with unique ATSEngine. Targeting International Bank
ABSTRACT
Uncovering a C&C server used by hackers to control the infected victims. The malware analyses done on the victims’ machines reveal that malware from the KINS family is targeting specific Italian bank users with ATSEngine, with the capability to dynamically inject code into the victim’s browser and to manage the “drops” in a fully automatic way. The attack campaign is ongoing right now and we recovered hacked accounts. Besides that, we reveal the “drops” used to collect the stolen money from the customers.
MALWARE INFO
The malware analyses return these details.
First sample details:
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-30 15:15:01"
decrypted_config_size "20708"
decrypted_config_md5 "35bf382ea8e1e711c3d548bcfcfc54af"
encrypted_config_md5 "305edd5731692c828290705c5da279a1"
Entry RelatedBinaries "843046eb1404a49910ab433424d64c6b"
Second sample details:
malware_family "KINS"
malware_family_version "1.0.0.5"
first_seen_timestamp "2014-05-23 15:15:01"
decrypted_config_size "20534"
decrypted_config_md5 "0403cf8dd20db5edd762f1089df1c1ba"
encrypted_config_md5 "181d3daf422ab2ca76edefe3a4805403"
Entry RelatedBinaries "8ffe59bc277556ef8b63bf8319bd4c78"
Drop-Zone details:
entry "Dropzone" "https://37.XX.XX.XX/css/css.php"
entry "Binary" "https://37.XX.XX.XX/css/upd.exe"
Web-Inject details:
entry "Webinject" target "https://www.xxx.xx/xxxx/*"
C&C-Server details:
varbname='%BOTID%';"https://XXX.com/XXX.php?q=2">
Kins malware related research:
http://threatpost.com/kins-banking-trojan-a-successor-to-citadel
http://www.scmagazine.com/banking-trojan-kins-resembles-architecture-of-zeus-targets-windows-users/article/304236/
https://blogs.rsa.com/is-cybercrime-ready-to-crown-a-new-kins-inth3wild/
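As an added example (not code from the write-up or from the malware), here is a small Python helper for the defender side: it parses decrypted-config lines in the `entry ...` layout excerpted above, pulls out the dropzone/binary URLs and the webinject targets, and checks proxy log lines against them. The `entry` line grammar and the log line format are assumptions based only on the excerpt; the config values are the page's redacted ones and the log lines are constructed.

```python
import re
# Constructed, not from the page: config lines in the page's "entry ..." layout and proxy log lines ("time client url").
SAMPLE_CONFIG = """\
entry "Dropzone" "https://37.XX.XX.XX/css/css.php"
entry "Binary" "https://37.XX.XX.XX/css/upd.exe"
entry "Webinject" target "https://www.xxx.xx/xxxx/*"
"""
SAMPLE_PROXY_LOG = """\
2014-06-01T10:00:00 10.0.0.5 https://www.xxx.xx/xxxx/login.php
2014-06-01T10:00:04 10.0.0.5 https://37.XX.XX.XX/css/css.php
2014-06-01T10:01:00 10.0.0.7 https://news.example/article
"""

ENTRY_RE = re.compile(r'^entry\s+"(?P<kind>[^"]+)"\s+(?:(?P<key>\w+)\s+)?"(?P<value>[^"]+)"\s*$')

def parse_config(text):
    """Return (kind, key, value) tuples; key is None for entries without a sub-key."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("key"), m.group("value")) for m in matches if m]

def extract_iocs(entries):
    """Split parsed entries into C&C URLs (to block or alert on) and webinject targets."""
    iocs = {"dropzone": [], "binary": [], "webinject_targets": []}
    for kind, key, value in entries:
        if kind in ("Dropzone", "Binary"):
            iocs[kind.lower()].append(value)
        elif kind == "Webinject" and key == "target":
            iocs["webinject_targets"].append(value)
    return iocs

def target_to_regex(pattern):
    """ZeuS/KINS-style targets use '*' for any run of characters; the rest is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)

def scan_proxy_log(log_text, iocs):
    """Return (client, url, reason) hits for each log line that matters."""
    # A dropzone/binary URL means the client contacted the C&C. A webinject-target hit only
    # shows which bank site the config would tamper with for that client: context, not proof.
    exact = set(iocs["dropzone"] + iocs["binary"])
    patterns = [(t, target_to_regex(t)) for t in iocs["webinject_targets"]]
    hits = []
    for fields in (line.split() for line in log_text.splitlines()):
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        if url in exact:
            hits.append((client, url, "c2_contact"))
        hits += [(client, url, "webinject_target:" + t) for t, rx in patterns if rx.match(url)]
    return hits
```

Only the `c2_contact` hits identify an infected host; a webinject-target hit is a normal visit to the bank site and is useful mainly for scoping which customers of a monitored site could have been manipulated.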
SERVER INFO
The server used as the C&C center to control the “bots” is located in Russia, with the following info.
• Domain: https://xxx.com
• Url: https://xxx.com/xxx/index.php
• IP Address: 193.XXX.XX.X
• IP Location: Russia
• Reverse DNS: XXX
• IP Blacklist Check: Not Listed in Any Blacklist
• ASN: XXX
Figure 1: Network details
Figure 2: IP Geolocation
C&C CENTER FUNCTION DETAILS
Behind the front-end, which was password protected, we saw a slightly different version of ATSEngine with the capability to automate the “drops” money transfers from the hacked victims.
• The first page is Accounts, where we can see the status of the victims’ “bots” with their money balance. The statistics at the right show us the grabbed data, transferred money and logs. We also have the tab for IP addresses, login IDs and BOT IDs of the victims.
Figure 3: C&C Accounts
• The second is the DROPS page, where the attacker defines the “drops”, the bank accounts where the stolen money is going to be transferred. Here we can see the tabs for Drop Name, City, Country, IBAN and a memo about the transaction. The system automatically calculates the profit percentage for the person who is receiving the stolen money.
Figure 4: C&C Drops
Figure 5: C&C Drops Details
• At the Reports page we can see the logs received from the victims. This shows us that the man-in-the-browser attack is designed for Microsoft Internet Explorer versions 8 and 11. Also here the attacker can track the error logs with “View HTML Content” if the attack was unsuccessful. Also here we can see the targeted bank details.
Figure 6: C&C Reports
• Here is the content error log of an unsuccessful attempt.
Figure 7: C&C View HTML Content
• At the Transfers page we can see the successful “drops” transfers made by the attackers. Here we can see that they stole and transferred 1750 euro to the defined IBAN account.
Figure 8: C&C Transfers
• Here we can see the “Add Drop” form where the attackers can define a new “drop” with all the requested details: Memo, IBAN, Name, Country, City, Transfer Memo, Percent of Amount, Min-Max Balance Limit, Min-Max Transfer Limit.
Figure 9: C&C Add Drop
• Add Transfers is the killer option of this version of ATSEngine: here we can create a “TASK” that will be executed on the victim’s machine in a totally hidden way, transferring the money to the predefined “Drop” account. Here we can select the victim from the list and define the date and time when the transfer will occur, with the amount of money that the malware will steal from the victim.
Figure 10: C&C Add Transfers
• The last page is the option panel of the C&C Center, where we can define the JABBER communication; this is used to monitor the C&C functionality from a remote location.
Figure 11: C&C Options
CONCLUSION
The version of ATSEngine that we had a chance to analyze is very powerful from the impact perspective, making the transfers in a fully automatic way. This is similar to a real web banking application where you can make transfers by filling in a simple form.
STATISTICS
The attack is alive and the number of hacked users is increasing every day; until now we have detected more than 15 hacked accounts, specially selected for the high volume of money on their accounts. The attack is infecting 1-2 users per day.
ABOUT
Multiple Certified ISMS Professional with a 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analysis, ISMS and RISK, Ethical Hacking, Vulnerability Management, Anti Fraud and Cyber Security.
E-Mail: senad.aruc@gmail.com
Blog: www.senadaruc.com
Twitter: https://twitter.com/senadaruch
LinkedIn: https://www.linkedin.com/in/senadaruc