Recently we discovered a new modification of the Win32/Spy.Ranbyus banking Trojan, a family that our analysts have already researched. One of its modifications was mentioned by Alexander Matrosov in a post dedicated to the exploitation of smart cards by banking Trojans. The modification described there has interesting functionality: it shows that authentication can be bypassed when payment transactions are executed with smart card devices. The same modification contained code that searched for active smart cards or smart card readers and, once it found them, sent information about them to the C&C server together with a description of the device types found.
ESET analysts closely followed the latest modifications of this Trojan family and found that Ranbyus began to specialize in modifying the Java code of one of the most popular remote banking systems in Ukraine, BIFIT iBank 2. At the time of our analysis, ESET Virus Radar statistics showed that Ukraine had the highest number of Ranbyus infections.

A distinctive feature of this banking Trojan is that it has no web-injection mechanism, which is common in threats of this kind (such as the well-known Zeus); instead it attacks specific banking and payment software, i.e. the applications used to carry out payments and other banking transactions. Win32/Spy.Ranbyus collects information about the infected system (running processes, OS version, etc.) and sends it to the command server (C&C). Its main money-stealing functionality is based on a set of form grabbers aimed at specific payment software. For example, the grabbers for software developed for the Java platform look like this:

Java grabber embed code.
Our colleague Alexander Matrosov has already described similar Java patching functionality in another family of banking malware, Carberp. Carberp has special functionality for modifying the Java Virtual Machine (JVM) and tracking the activity of payment software. Ranbyus takes a different approach: it modifies the Java code of one specific application only, without touching the JVM. For example, Ranbyus can change the layout of forms to hide information about the fraudulent transactions it carries out.

Java methods monitored by Ranbyus.
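Because Ranbyus patches the application's own Java code rather than the JVM, a defender can look for tampering in the client's class files. The following check, added here as an example and not code from the original post or from BIFIT, assumes the client is shipped as a signed JAR; it reads every class entry so the JAR's digests are verified and reports entries whose signature fails or that carry no signer at all. The JAR path is a placeholder.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarIntegrityCheck {
    // Returns true only if every .class entry is signed and its digest matches.
    static boolean verify(String path) throws Exception {
        boolean ok = true;
        // verify=true makes JarFile check entry digests against the manifest
        // and the manifest against the signature block while entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || !e.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { } // digest is only checked after a full read
                } catch (SecurityException se) {
                    // a patched class body no longer matches its signed digest
                    System.out.println("TAMPERED: " + e.getName() + " (" + se.getMessage() + ")");
                    ok = false;
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners(); // populated only after the entry was read
                if (signers == null || signers.length == 0) {
                    // an added or replaced class that is simply left out of the signature
                    System.out.println("UNSIGNED: " + e.getName());
                    ok = false;
                }
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "ibank2-client.jar"; // placeholder, not the real file name
        System.out.println(verify(path) ? "all class entries signed and intact" : "integrity problems found");
    }
}
```

The check only covers the on-disk JAR; it does not see classes replaced in memory after they have been loaded.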
In addition, Win32/Spy.Ranbyus can block the actions of the remote banking software and display the following message in Russian.

Ranbyus targets only Ukrainian and Russian banks; we have not observed similar attacks in other regions. The botnet's control panel looks like this:

The Carberp cybercrime group is the leader of the criminal market in Russia and has secured a firm place among the 20 most active threats in Russia for the whole year. At the same time, Ranbyus occupies the leading position among banking malware in Ukraine.