The document discusses Operation Emmental, a cybercrime operation targeting online banking in Switzerland and Austria. It describes the attacker's infrastructure, including DNS servers, command and control servers, hosting servers, and Android and Windows malware. It lists domains involved and notes they were registered by Oleg Makarov. The document examines the legitimate domains impersonated by the malware and the SSL certificate issued to the command and control server hosting banking credentials stolen by the malware.

1. Operation Emmental
David Sancho
FTR team
11/10/2014 Copyright 2014 Trend Micro Inc. 1

2. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

3. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

4. The Way In…
11/10/2014 Copyright 2014 Trend Micro Inc.
2

5. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

6. One more certificate on the list…
11/10/2014 Copyright 2014 Trend Micro Inc.
2

7. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

8. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

9. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

10. But what’s
hhaappppeenniinngg iinn
reality?
11/10/2014 Copyright 2014 Trend Micro Inc.
2

11. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

12. Attacker’s Infrastructure
DNS servers
C&C servers Windows Trojan
Hosting servers
SMS receiver
11/10/2014 Copyright 2014 Trend Micro Inc.
2
Android Trojan

13. Domains involved
 hxxp://security-apps.net/Raiffeisen.apk
 hhxxxxpp::////sseeccuurriittyy--aappppss..bbiizz//RRaaiiffffeeiisseenn..aappkk
 hxxp://tc-zo.ch/security/ZKB.apk
11/10/2014 Copyright 2014 Trend Micro Inc.
2

14. Who registered those?
Oleg Makarov
oleg_makarov555@yahoo.com
11/10/2014 Copyright 2014 Trend Micro Inc.
2

15. Other domains from our friend Oleg
 banking-security.net
 certificate-security.
com
 chromeupd.pw
safe-browser.biz
safe-time.net
security-apps.biz
security-apps.net
11/10/2014 Copyright 2014 Trend Micro Inc.
2
 ffupdate.pw
 ieupdate.pw
sfotware.pw
softwareup.pw

16. openssl s_client –connect
5.39.219.212:443 | openssl x509 -text
DNS:default, DNS:93.171.202.71, DNS:e-finance.postfinance.ch, DNS:banking.bekb.ch,
DNS:cs.directnet.com, DNS:e-banking.gkb.ch, DNS:eb.akb.ch, DNS:ebanking-ch.ubs.com,
DNS:ebanking-ch1.ubs.com, DNS:ebanking-ch2.ubs.com, DNS:ebanking.bkb.ch,
DNS:inba.lukb.ch, DNS:netbanking.bcge.ch, DNS:onba.zkb.ch, DNS:tb.raiffeisendirect.ch,
DNS:www.credit-suisse.com, DNS:credit-suisse.com, DNS:www.onba.ch, DNS:onba.ch,
DNS:www.postfinance.ch, DNS:postfinance.ch, DNS:www.raiffeisen.ch,
DNS:raiffeisen.ch, DNS:www.ubs.com, DDNNSS::uubbss..ccoomm,, DDNNSS::wwwwww..zzkkbb..cchh,, DDNNSS::zzkkbb..cchh,,
DNS:wwwsec.ebanking.zugerkb.ch, DNS:banking.raiffeisen.at,
DNS:online.bankaustria.at, DNS:ebanking.bawagpsk.com, DNS:netbanking.sparkasse.at,
DNS:ebanking.easybank.at, DNS:banking.privatbank.at, DNS:bankaustria.at,
DNS:www.bankaustria.at, DNS:raiffeisen.at, DNS:www.raiffeisen.at, DNS:privatbank.at,
DNS:www.privatbank.at, DNS:sparkasse.at, DNS:www.sparkasse.at, DNS:bawagpsk.com,
DNS:www.bawagpsk.com, DNS:easybank.at, DNS:www.easybank.at, DNS:*.google.com,
DNS:*.android.com, DNS:*.google.de, DNS:*.google.nl, DNS:*.gstatic.com,
DNS:*.youtube.com, DNS:google.com, DNS:youtube.com, DNS:facebook.com,
DNS:*.facebook.com, DNS:gmx.com, DNS:gmx.de, DNS:*.gmx.com, DNS:*.gmx.de,
DNS:*.gmx.ch, DNS:*.gmx.at, DNS:yahoo.com, DNS:www.yahoo.com,
DNS:microsoft.com, DNS:www.microsoft.com, DNS:gmail.com, DNS:paypal.com,
DNS:*.paypal.com, DNS:stats2.bekb.ch, DNS:sdc.credit-suisse.com,
DNS:portal.privatbank.at, DNS:portal.raiffeisen.at, DNS:stat.swedbank.se,
11/10/2014 Copyright 2014 Trend Micro Inc.
2

17. OObbnniilliimm
rid 11/10/2014 Copyright 2014 Trend Micro Inc.
2

18. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

19. 11/10/2014 Copyright 2014 Trend Micro Inc.
2

20. TThhaannkk yyoouu!!