Since the end of last year we have been monitoring a new malicious campaign spreading a banking Trojan. The attackers focused on compromising Russian companies, i.e. corporate users. The campaign was active for at least a year, and in addition to the banking Trojan the attackers used various other tools. These include a special downloader packed with NSIS and spyware disguised as the well-known legitimate Yandex Punto software. As soon as the attackers managed to compromise a victim's computer, they installed a backdoor there and then the banking Trojan.

For their malware the attackers used several digital certificates that were valid at the time, along with special methods to bypass AV products. The campaign targeted a large number of Russian banks and is of particular interest because the attackers used methods typical of targeted attacks, i.e. attacks not motivated purely by financial fraud. One can note some similarities between this campaign and a major incident that received wide publicity earlier, namely the cybercriminal group that used the banking Trojan /.
The attackers installed the malware only on computers whose default Windows language (localisation) was Russian. The main vector for distributing the Trojan was a Word document carrying an exploit for , sent as an attachment to a phishing message. The screenshots below show what such fake documents look like. The first document is entitled "Account No. 522375-FLORL-14-115.doc" and the second "kontrakt87.doc"; the latter is a copy of a contract for the provision of telecommunications services by the mobile operator Megafon.

Fig. 1. Phishing document.

Fig. 2. Another variant of the phishing document.
The following facts indicate that the attackers were targeting Russian businesses:
- distribution of the malware using fake documents on the subjects described above;
- the attackers' tactics and the malicious tools they use;
- references to business applications in some executable modules;
- the names of the malicious domains used in this campaign.
The special tools that the attackers install on a compromised system give them remote control over it and let them track the user's activity. To do this they install a backdoor and also try to obtain the password of the Windows user account or to create a new account. The attackers also make use of a keylogger, a stealer of data from the Windows clipboard (clipboard stealer) and special software for working with smart cards. The group also tried to compromise other computers located on the same local network as the victim's computer.
Our ESET LiveGrid telemetry system, which allows malware distribution statistics to be tracked quickly, provided interesting geographical statistics on the distribution of the malware used in this campaign.

Fig. 3. Geographical distribution of the malware used in this campaign.
Malware installation
After the user opens the malicious document with the exploit on a vulnerable system, a special downloader packed with NSIS is downloaded to it and executed. When it starts, the program checks the Windows environment for the presence of debuggers or for execution inside a virtual machine. It also checks the Windows localisation and whether the user has visited in a browser the URLs listed in the table below. For this it uses the FindFirstUrlCacheEntry/FindNextUrlCacheEntry API and the Software\Microsoft\Internet Explorer\TypedURLs registry key.

The downloader also checks for the presence of the following applications (by process name) on the system.

The list of processes is really impressive and, as you can see, it contains not only banking applications. For example, the executable named "scardsvr.exe" belongs to Microsoft's smart card software (the Smart Card Resource Manager service). The banking Trojan itself includes the ability to work with smart cards.

Fig. 4. General scheme of the malware installation process.
If all the checks succeed, the downloader fetches from a remote server a special file (an archive) containing all the malicious executable modules used by the attackers. Interestingly, depending on the outcome of the checks listed above, the archives downloaded from the remote C&C server may differ: an archive may be malicious or not. In the non-malicious case it installs Windows Live Toolbar on the user's system. Most likely the attackers resorted to such tricks to fool automated file-analysis systems and the virtual machines on which suspicious files are executed.
The file downloaded by the NSIS downloader is a 7z archive containing the various malware modules. The figure below shows the entire installation process of this malware and its modules.

Fig. 5. General scheme of malware operation.
Although the downloaded modules serve different purposes, they are packaged in the same way and many of them are signed with valid digital certificates. We found four such certificates that the attackers had been using since the beginning of the campaign. After our complaint, these certificates were revoked. Interestingly, all of them were issued to companies registered in Moscow.

Fig. 6. A digital certificate used to sign the malware.
The following table lists the digital certificates that the attackers used in this campaign.

Almost all malicious modules used by the attackers have an identical installation procedure: they are password-protected self-extracting 7-Zip archives.

Fig. 7. Fragment of the batch file install.cmd.
The batch .cmd file is responsible for installing the malware on the system and launching the various malicious tools. If execution requires administrator rights that are not available, the malicious code uses several methods to obtain them (UAC bypass). The first method involves two executables named l1.exe and cc1.exe, which bypass UAC using a mechanism taken from the leaked Carberp source code. The other method relies on exploiting CVE-2013-3660, a kernel-mode (win32k.sys) privilege-escalation vulnerability, which yields elevated privileges outright rather than merely bypassing UAC. Each malware module that requires privilege escalation contains both a 32-bit and a 64-bit version of the exploit.
While tracking this campaign we analysed several archives fetched by the downloader. Their contents varied, i.e. the attackers could adapt the set of malicious modules to different purposes.
User compromise
As mentioned above, the attackers use special tools to compromise users' computers. These include programs with the executable names mimi.exe and xtm.exe. They help the attackers gain control of the victim's computer and specialise in the following tasks: obtaining/recovering passwords of Windows user accounts, enabling the RDP service and creating a new account in the OS.
The executable mimi.exe includes a modified version of the well-known open-source tool Mimikatz. This tool allows passwords of Windows user accounts to be obtained. The attackers removed from Mimikatz the part responsible for interacting with the user. The executable code was also modified so that, when started, Mimikatz runs with the commands privilege::debug and sekurlsa::logonPasswords.
Another executable, xtm.exe, launches scripts that enable the RDP service on the system, try to create a new account in the OS, and also change system settings so that several users can connect to the compromised computer via RDP simultaneously. Obviously, these steps are needed to gain full control over the compromised system.

Fig. 8. Commands executed by xtm.exe on the system.
The attackers use another executable called impack.exe, which installs a special piece of software on the system. This software is called LiteManager and is used by the attackers as a backdoor.

Fig. 9. LiteManager interface.
Once installed on the user's system, LiteManager allows the attackers to connect to it directly and control it remotely. The software has special command-line options for silent installation, for creating firewall rules and for running its module; the attackers use all of them.
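The steps described in this section (mimi.exe running Mimikatz with privilege::debug and sekurlsa::logonPasswords, xtm.exe enabling RDP and adding an account, impack.exe installing LiteManager and opening firewall rules) leave a recognisable trail in Windows Security events. The Python script below is an added example, not code from the article or from ESET: it runs a small set of hunt rules over constructed event records that mimic what a SIEM agent would export and reports which stages of the chain were observed on a host. The field names, the exact xtm.exe commands (reg.exe writes to fDenyTSConnections and fSingleSessionPerUser, net user ... /add), the account name and the LiteManager service name and path are assumptions for illustration; the article does not list them.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample events (not real telemetry). Field names mimic Windows
# Security events 4688 (process creation), 4720 (account created) and
# 7045 (service installed) after export to JSON by a SIEM agent.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "NewProcessName": r"C:\Users\ivanov\AppData\Local\Temp\7zS0\mimi.exe",
     "CommandLine": "mimi.exe privilege::debug sekurlsa::logonPasswords"},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup Passw0rd! /add"},           # assumed xtm.exe step
    {"EventID": "4720", "TargetUserName": "svc_backup", "SubjectUserName": "ivanov"},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                    r' /v fDenyTSConnections /t REG_DWORD /d 0 /f'},   # assumed: enable RDP
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'
                    r' /v fSingleSessionPerUser /t REG_DWORD /d 0 /f'},  # assumed: multi-session
    {"EventID": "7045", "ServiceName": "ROMService",                    # assumed service name
     "ImagePath": r"C:\Program Files\LiteManager Pro - Server\ROMServer.exe"},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="LiteManager" dir=in action=allow'
                    r' program="C:\Program Files\LiteManager Pro - Server\ROMServer.exe"'},
    {"EventID": "4688", "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                          # benign noise, must not match
]

# (rule name, event id, field examined, pattern)
RULES: List[Tuple[str, str, str, Pattern[str]]] = [
    ("mimikatz_modules", "4688", "CommandLine",
     re.compile(r"privilege::debug|sekurlsa::logonpasswords", re.I)),
    ("net_user_add", "4688", "CommandLine",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("new_local_account", "4720", "TargetUserName", re.compile(r"\S")),
    ("rdp_enabled", "4688", "CommandLine",
     re.compile(r"fDenyTSConnections\b.*\s/d\s+0(\s|$)", re.I)),
    ("rdp_multi_session", "4688", "CommandLine",
     re.compile(r"fSingleSessionPerUser\b.*\s/d\s+0(\s|$)", re.I)),
    ("remote_admin_service", "7045", "ImagePath",
     re.compile(r"ROMServer\.exe|LiteManager", re.I)),
    ("firewall_rule_added", "4688", "CommandLine",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
]

# Rules grouped into the stages of the chain the article describes.
STAGES: Dict[str, set] = {
    "credential_access": {"mimikatz_modules"},
    "account_persistence": {"net_user_add", "new_local_account"},
    "rdp_enablement": {"rdp_enabled", "rdp_multi_session"},
    "remote_admin_tool": {"remote_admin_service", "firewall_rule_added"},
}


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Apply every rule to every event; return {rule_name: [matching events]}."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for ev in events:
        for name, event_id, field, pattern in RULES:
            if ev.get("EventID") == event_id and pattern.search(ev.get(field, "")):
                hits.setdefault(name, []).append(ev)
    return hits


def stages_observed(hits: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Names (sorted) of the chain stages for which at least one rule fired."""
    return sorted(stage for stage, names in STAGES.items() if names & set(hits))


def is_full_chain(hits: Dict[str, List[Dict[str, str]]]) -> bool:
    """True when every stage of the chain is present on the host's timeline."""
    return len(stages_observed(hits)) == len(STAGES)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for rule, evs in found.items():
        print(f"{rule}: {len(evs)} event(s)")
    print("stages:", stages_observed(found), "full chain:", is_full_chain(found))
```

A single rule firing (a new local account, a firewall rule) is routine on many hosts; the point of grouping into stages is that credential theft, RDP enablement, account creation and a remote-admin service install on the same host within a short window is the complete chain described above and deserves an alert on its own.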
The last module in the bundle used by the attackers is the banking malware (banker) itself, with the executable name pn_pack.exe. It specialises in spying on the user and is responsible for interacting with the controlling C&C server. The banker is launched via the legitimate Yandex Punto software, which the attackers use to load a malicious DLL (DLL side-loading). The malware itself can perform the following functions:
- record keystrokes and the contents of the clipboard for subsequent transfer to a remote server;
- list all smart cards present on the system;
- interact with a remote C&C server.
The malware module responsible for all these tasks is an encrypted DLL. It is decrypted and loaded into memory while Punto is running. To perform the above tasks, the DLL's code starts three threads.
That the attackers chose Punto for their purposes is no surprise: some Russian forums openly provide detailed information on using flaws in legitimate software to compromise users.
The malicious library uses the RC4 algorithm to encrypt its strings as well as its network traffic with the C&C server. It contacts the server every two minutes and transfers all the data collected on the compromised system during that period.

Fig. 10. A fragment of the network exchange between the bot and the server.
Below are some of the instructions that the library can receive from the C&C server.

In response to an instruction from the C&C server, the malware replies with a status code. Interestingly, all the banker modules we analysed (the most recent with a compilation date of 18 January) contain the string "TEST_BOTNET", which is sent in every message to the C&C server.
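The article states that the banker's strings and C&C traffic are RC4-encrypted, that the bot beacons every two minutes, that it answers server instructions with a status code, and that every message carries the string TEST_BOTNET. The Python script below is an added example, not the article's or the malware's code: it implements RC4 (checked against a published test vector), uses the TEST_BOTNET marker as a key-validity oracle when decrypting captured payloads with a key recovered from the sample, and flags the two-minute beacon cadence in connection timestamps. The key, the message layout (status|TEST_BOTNET|payload), the destination addresses and the sample payloads are constructed placeholders; the real key has to be extracted from the DLL, and the real layout read from the decrypted traffic.

```python
from typing import List, Optional, Sequence, Tuple

MARKER = b"TEST_BOTNET"                     # string the article says is in every bot message
ASSUMED_KEY = b"placeholder-key-from-dll"   # placeholder: recover the real key from the sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                 # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_bot_message(status_code: int, collected: bytes) -> bytes:
    """Assumed layout '<status>|TEST_BOTNET|<collected data>', RC4-encrypted.
    Used only to construct sample traffic for this example."""
    return rc4(ASSUMED_KEY, b"%d|%s|%s" % (status_code, MARKER, collected))


def decrypt_if_bot_traffic(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt a captured payload and accept it only if the marker appears.
    With a wrong key RC4 output is pseudo-random, so the marker check is a
    cheap key-validity oracle and a traffic classifier at the same time."""
    plain = rc4(key, blob)
    return plain if MARKER in plain else None


def scan_flows(key: bytes, flows: Sequence[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
    """Return (destination, plaintext) for every payload that decrypts to bot traffic."""
    found: List[Tuple[str, bytes]] = []
    for dst, blob in flows:
        plain = decrypt_if_bot_traffic(key, blob)
        if plain is not None:
            found.append((dst, plain))
    return found


def is_periodic(timestamps: Sequence[float], period: float = 120.0, jitter: float = 5.0) -> bool:
    """True when at least three connections to one destination are spaced about
    `period` seconds apart: the two-minute beacon the article describes."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return all(abs(g - period) <= jitter for g in gaps)


# Constructed sample capture: one bot beacon (keylog and clipboard excerpt) plus unrelated bytes.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("203.0.113.10:80", build_bot_message(200, b"keys=login ivanov;clip=4276 1234 5678 9010")),
    ("198.51.100.7:443", bytes.fromhex("160301004a010000460303")),   # TLS-looking noise
]
SAMPLE_TIMES = [0.0, 120.0, 241.0, 360.0, 479.0]   # seconds since capture start, constructed


if __name__ == "__main__":
    for dst, plain in scan_flows(ASSUMED_KEY, SAMPLE_FLOWS):
        print(dst, plain.decode(errors="replace"))
    print("two-minute beacon:", is_periodic(SAMPLE_TIMES))
```

Because RC4 is a stream cipher with no authentication, a marker like TEST_BOTNET that is present in every message is exactly what makes this traffic easy to classify once the key is known; the same property also means a captured key lets a defender decrypt every past beacon to that server.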
Conclusion
To compromise corporate users, the attackers first compromise one employee of the company by sending a phishing message with an exploit. Then, once the malware is installed on the system, they use tools that let them escalate their privileges on it significantly and perform additional tasks: compromise other computers on the corporate network and spy on the user and on the bank transactions they perform.


Source: habr.com
