SlideShare a Scribd company logo
1 of 54
Modern malware techniques for attacking
RBS systems in Russia
Aleksandr Matrosov
Eugene Rodionov
Who we are?
 Malware researchers at ESET
     - complex threats analysis
     - development of cleaning tools
     - tracking new malware techniques
     - investigation of cybercrime groups




              http://www.joineset.com/
Agenda

o Cybercrime trends in RBS
o Most prevalent threats and incidents
   Win32/Shiz
   Win32/Hodprot
   Win32/Sheldor
   Win32/RDPdoor
   Win32/Carberp
o Carberp cybercrime group revenue
Overview
2010/11: years of attacks on Russian banks
• number of incidents has more than doubled compared to 2010*


Over 92%* of incidents involve banking trojans

Malware tailored to Russian banks and payment
systems

However!
• Can (and IS) used in other countries as well

        *research report "The Russian cybercrime market in 2010: status and trends”
        http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Interesting facts about Russian bank fraud

         These guys are still free!
Evolution of RBS trojans




o RBS Trojans 2009-2010:   o RBS Trojans 2011:
     Win32/Shiz (2009)         Multiple updates
     Win32/Carberp             Growing incidents numbers
     Win32/Hodprot             ….
     Win32/Sheldor             Win32/Carberp with Bootkit
     Win32/RDPdoor
Cybercrime landscape (2010)
Cybercrime landscape (2011)
Cybercrime landscape (2011)
Win32/Spy.Shiz
Win32/Spy.Shiz detection statistics by month
Cloud data from Live Grid


                    August 2009 – November 2011
Win32/Spy.Shiz detection statistics by country
Cloud data from Live Grid
Win32/Spy.Shiz: stealing money
Win32/Hodprot
Win32/Hodprot detection statistics by month
Cloud data from Live Grid



                    July 2010 – November 2011
Win32/Hodprot detection statistics by country
Cloud data from Live Grid
Win32/Hodprot: antiforensics

      Main module

                Original sfcfiles.dll
                                        Kernel - driver image




               Loader code


             C&C URLs
Win32/Hodprot: injecting payload
  Winlogon Address                                           Browser Address
       Space                                                     Space
                                                               Setupapi.dll
                                       Assemble    Payload
                                                                Inject Payload

                            Update
                            Payload
     sfcfiles.dll                                                Payload


                                      System Registry
                                                                                 User-mode

                                                                                 Kernel-mode
                                                             Inject   Payload
               Install & Load         Assemble    Payload
                   Driver

                                           sfc.sys
Win32/Hodprot: C&C protocol

          Win32/Hodprot                       C&C Server

                            Send request
                          (bot ID, integer)

                         Reply with updated         Handle
                        modules and image to        Request
                               execute
     Update the bot’s
      modules, run
      downloaded            Send Status
       exeutable            Information
Win32/Sheldor & Win32/RDPdoor
Win32/Sheldor and TeamViewer in action

1.   Request cloud ID
2.   Set cloud ID
3.   Send ID to C&C                        TeamViewer
4.   Malicious connection                     cloud



                     1           2

      infected
                                                4
     computer




                                           Win32/Sheldor
                                 3
     GET                                       C&C
     /getinfo.php?id=414%20034%20883&pwd
     =6655&stat=1
Under the hood: DLL hooking



                         TeamViewer.exe




       TV.dll
    (proxy DLL)



                              TS.dll
                         (original TS.dll)
Malicious DLL call graph
Malicious DLL decompilation


                              Functions for calling
                              from original TS.dll


                              Load original TS.dll




                              Hook functions


                               C&C URL
Sheldor C&C panel
Win32/RDPdoor installation


 infected                                                       Win32/RDPdoor
computer                                                             C&C

                run dropper and send system information
            1


      authentication on C&C and provide Thinsoft BeTwin for installation
                                                                  2


                send status information
            3
Stealing authentication data


1. Install GINA extension DLL
2. Display fake logon screen
3. Capture user name &
   password
4. Send to C&C
Win32/Carberp
Win32/Carberp detections over time in Russia
Cloud data from Live Grid


                   January 2010 – November 2011
Win32/Carberp detection statistics by country
Cloud data from Live Grid
Self-protecting                              Functionality
Bypassing AV-emulators             many calls of rare WinAPI functions

Code injection method              ZwQueueApcThread()
                                   ZwResumeThread()
Unhooking method                   checking first bytes of API function
                                   body and deleting hooks
Command and string encryption      custom encryption algorithm

Bot authentication on C&C          file with authentication data stored on
                                   infected PC
Network communication encryption   base64( RC2(data) )

API function calls obfuscation     custom hash algorithm
Detection of AV hooks              comparison of the first original bytes

Bypassing static AV signatures     appending random junk bytes to
                                   dropped files
Hiding in the system               hooking system functions
                                   bootkit infector (September 2011)
Carberp going deeper since September 2011
Carberp going deeper since September 2011
                             real mode
             Load MBR



                                         real mode
                          Load VBR

                                                          real mode/
                                       Load             protected mode
                                     bootstrap
                                       code
                                                                       real mode/
                                                                     protected mode
                                                      Load
                                                     bootmgr
          Target of
       Rovnix & Carberp
                                                                                        real mode/
                                                                    Load              protected mode
                                                               winload.exe or
                                                               winresume.exe


                                                                                Load kernel
                                                                                  and boot
                                                                                start drivers
Carberp: Infected Partition Layout
o Carberp overwrites bootstrap code of the active
 partition
o The malicious driver is written either:
   before active partition, in case there is enough space
   in the end of the hard drive, otherwise


 MBR   VBR      Bootstrap Code               File System Data

                                                                Before Infecting

                          Compressed                            After Infecting
                             Data

                                                                   Malicious
             Malicious   Bootstrap
 MBR VBR                               File System Data            Unsigned
              Code         Code
                                                                    Driver
               NTFS bootstrap code
                   (15 sectors)
Interesting strings and investigation
Win32/Carberp: money stealing methods


Stealing techniques                        Functionality
Web-injects/Autoloads         inserting the specified JS-code into HTML
(IE, FF, Chrome, Opera)       returned by the online banking site
Backconnect backdoor          loading on request special binary module
(RDP/VNC)                     (RDPdoor, custom VNC client)
Keylogger (based on WinAPI)   recording keyboard events into logfile

ScreenSpy (based on WinAPI)   saving screenshots into logfile

Grabbers (Form, FTP, Pass)    loading on request special binary module

Custom plugins for RBS        binary modules for specified RBS (sber.plug)
Win32/Carberp botnet control panel
C&C with stolen data
Cab-files with stolen data
Stolen data: BS-Client IB system
Stolen data: CyberPlat payment system
Stolen data: iBank IB system
Stolen data: SberBank IB
Stolen data: UkrSibBank IB
References

 “Cybercrime in Russia: Trends and issues”
http://go.eset.com/us/resources/white-papers/CARO_2011.pdf

 “Evolution of Win32/Carberp: going deeper”
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper

 “Hodprot: Hot to Bot”
http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf




 Follow ESET Threat Blog
http://blog.eset.com
Questions
Thank you for your attention ;)


 Aleksandr Matrosov
 matrosov@eset.sk
 @matrosov


 Eugene Rodionov
 rodionov@eset.sk
 @vxradius

More Related Content

Viewers also liked

Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
Alex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
Alex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Alex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
Alex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
Alex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
CODE BLUE
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
Alex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
Alex Matrosov
 

Viewers also liked (20)

Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
42054960
4205496042054960
42054960
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine  by Igor SkochinskySecret of Intel Management Engine  by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Similar to Modern malware techniques for attacking RBS systems in Russia

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Positive Hack Days
 
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
DefconRussia
 
Shape12 6
Shape12 6Shape12 6
Shape12 6
pslulli
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
Antiy Labs
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
Positive Hack Days
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón -  Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón -  Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
RootedCON
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Jaime Blasco
 

Similar to Modern malware techniques for attacking RBS systems in Russia (20)

Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...Matrosov, rodionov   win32 flamer. reverse engineering and framework reconstr...
Matrosov, rodionov win32 flamer. reverse engineering and framework reconstr...
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
Deep Dive into WinRT
Deep Dive into WinRTDeep Dive into WinRT
Deep Dive into WinRT
 
Shape12 6
Shape12 6Shape12 6
Shape12 6
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Presentation On Com Dcom
Presentation On Com DcomPresentation On Com Dcom
Presentation On Com Dcom
 
Malware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial ViewMalware in Mobile Platform from Panoramic Industrial View
Malware in Mobile Platform from Panoramic Industrial View
 
TRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple VulnerabilitiesTRENDnet IP Camera Multiple Vulnerabilities
TRENDnet IP Camera Multiple Vulnerabilities
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
EclipseCon 2011: Deciphering the CDT debugger alphabet soup
EclipseCon 2011: Deciphering the CDT debugger alphabet soupEclipseCon 2011: Deciphering the CDT debugger alphabet soup
EclipseCon 2011: Deciphering the CDT debugger alphabet soup
 
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI IntroDmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
VMworld 2013: ESXi Native Networking Driver Model - Delivering on Simplicity ...
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón -  Lost in translation: WTF is happening inside m...Jaime Blasco & Pablo Rincón -  Lost in translation: WTF is happening inside m...
Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside m...
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Inception framework
Inception frameworkInception framework
Inception framework
 

Recently uploaded

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
Wonjun Hwang
 

Recently uploaded (20)

الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 

Modern malware techniques for attacking RBS systems in Russia

  • 1. Modern malware techniques for attacking RBS systems in Russia Aleksandr Matrosov Eugene Rodionov
  • 2. Who we are? Malware researchers at ESET - complex threats analysis - development of cleaning tools - tracking new malware techniques - investigation of cybercrime groups http://www.joineset.com/
  • 3. Agenda o Cybercrime trends in RBS o Most prevalent threats and incidents  Win32/Shiz  Win32/Hodprot  Win32/Sheldor  Win32/RDPdoor  Win32/Carberp o Carberp cybercrime group revenue
  • 4. Overview 2010/11: years of attacks on Russian banks • number of incidents has more than doubled compared to 2010* Over 92%* of incidents involve banking trojans Malware tailored to Russian banks and payment systems However! • Can (and IS) used in other countries as well *research report "The Russian cybercrime market in 2010: status and trends” http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
  • 5.
  • 6. Interesting facts about Russian bank fraud These guys are still free!
  • 7.
  • 8. Evolution of RBS trojans o RBS Trojans 2009-2010: o RBS Trojans 2011:  Win32/Shiz (2009)  Multiple updates  Win32/Carberp  Growing incidents numbers  Win32/Hodprot  ….  Win32/Sheldor  Win32/Carberp with Bootkit  Win32/RDPdoor
  • 12.
  • 14. Win32/Spy.Shiz detection statistics by month Cloud data from Live Grid August 2009 – November 2011
  • 15. Win32/Spy.Shiz detection statistics by country Cloud data from Live Grid
  • 17.
  • 19. Win32/Hodprot detection statistics by month Cloud data from Live Grid July 2010 – November 2011
  • 20. Win32/Hodprot detection statistics by country Cloud data from Live Grid
  • 21. Win32/Hodprot: antiforensics Main module Original sfcfiles.dll Kernel - driver image Loader code C&C URLs
  • 22. Win32/Hodprot: injecting payload Winlogon Address Browser Address Space Space Setupapi.dll Assemble Payload Inject Payload Update Payload sfcfiles.dll Payload System Registry User-mode Kernel-mode Inject Payload Install & Load Assemble Payload Driver sfc.sys
  • 23. Win32/Hodprot: C&C protocol Win32/Hodprot C&C Server Send request (bot ID, integer) Reply with updated Handle modules and image to Request execute Update the bot’s modules, run downloaded Send Status exeutable Information
  • 25. Win32/Sheldor and TeamViewer in action 1. Request cloud ID 2. Set cloud ID 3. Send ID to C&C TeamViewer 4. Malicious connection cloud 1 2 infected 4 computer Win32/Sheldor 3 GET C&C /getinfo.php?id=414%20034%20883&pwd =6655&stat=1
  • 26. Under the hood: DLL hooking TeamViewer.exe TV.dll (proxy DLL) TS.dll (original TS.dll)
  • 28. Malicious DLL decompilation Functions for calling from original TS.dll Load original TS.dll Hook functions C&C URL
  • 30. Win32/RDPdoor installation infected Win32/RDPdoor computer C&C run dropper and send system information 1 authentication on C&C and provide Thinsoft BeTwin for installation 2 send status information 3
  • 31. Stealing authentication data 1. Install GINA extension DLL 2. Display fake logon screen 3. Capture user name & password 4. Send to C&C
  • 33. Win32/Carberp detections over time in Russia Cloud data from Live Grid January 2010 – November 2011
  • 34. Win32/Carberp detection statistics by country Cloud data from Live Grid
  • 35. Self-protecting Functionality Bypassing AV-emulators many calls of rare WinAPI functions Code injection method ZwQueueApcThread() ZwResumeThread() Unhooking method checking first bytes of API function body and deleting hooks Command and string encryption custom encryption algorithm Bot authentication on C&C file with authentication data stored on infected PC Network communication encryption base64( RC2(data) ) API function calls obfuscation custom hash algorithm Detection of AV hooks comparison of the first original bytes Bypassing static AV signatures appending random junk bytes to dropped files Hiding in the system hooking system functions bootkit infector (September 2011)
  • 36. Carberp going deeper since September 2011
  • 37.
  • 38. Carberp going deeper since September 2011 real mode Load MBR real mode Load VBR real mode/ Load protected mode bootstrap code real mode/ protected mode Load bootmgr Target of Rovnix & Carberp real mode/ Load protected mode winload.exe or winresume.exe Load kernel and boot start drivers
  • 39. Carberp: Infected Partition Layout o Carberp overwrites bootstrap code of the active partition o The malicious driver is written either:  before active partition, in case there is enough space  in the end of the hard drive, otherwise MBR VBR Bootstrap Code File System Data Before Infecting Compressed After Infecting Data Malicious Malicious Bootstrap MBR VBR File System Data Unsigned Code Code Driver NTFS bootstrap code (15 sectors)
  • 40.
  • 41. Interesting strings and investigation
  • 42.
  • 43. Win32/Carberp: money stealing methods Stealing techniques Functionality Web-injects/Autoloads inserting the specified JS-code into HTML (IE, FF, Chrome, Opera) returned by the online banking site Backconnect backdoor loading on request special binary module (RDP/VNC) (RDPdoor, custom VNC client) Keylogger (based on WinAPI) recording keyboard events into logfile ScreenSpy (based on WinAPI) saving screenshots into logfile Grabbers (Form, FTP, Pass) loading on request special binary module Custom plugins for RBS binary modules for specified RBS (sber.plug)
  • 48. Stolen data: CyberPlat payment system
  • 49. Stolen data: iBank IB system
  • 52. References  “Cybercrime in Russia: Trends and issues” http://go.eset.com/us/resources/white-papers/CARO_2011.pdf  “Evolution of Win32/Carberp: going deeper” http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper  “Hodprot: Hot to Bot” http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf  Follow ESET Threat Blog http://blog.eset.com
  • 54. Thank you for your attention ;) Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius