
Win32/Theola steals data from online banking systems using a Google Chrome browser plugin

Win32/Theola is a malicious component of the Win32/Mebroot.FX bootkit family (known since 2007). Theola consists of special browser plugins that Mebroot installs to carry out fraudulent online banking transactions. In this post we present the analysis Alexander Matrosov conducted of these malicious browser plugins and answer the question of how money is stolen while a user works with an online banking system on an infected machine.

We have seen an increase in detections of these plugins since the end of January 2013. The countries in which Theola is most common are the Netherlands, Norway, Italy, Denmark and the Czech Republic. ESET Virus Radar statistics for the week of the study show the regions in which Theola infections are clearly prevalent.


Fig. Regions where Win32/Theola is most active.

Returning to Win32/Mebroot.FX, we remind you that this bootkit uses typical MBR infection techniques, installing a malicious int 13h handler to gain access to hard disk sectors. In this case the malicious components are loaded in the following order:



Chrome plugin

ESET detects the malicious Google Chrome plugin as Win32/Theola.F. The plugin is built on the NPAPI (Netscape Plugin Application Programming Interface) and ships its own module packaged in the CRX format (CRX Package Format). The CRX container contains the following manifest file:



The most interesting line in the manifest file is "permissions", which describes the actions the plugin is allowed to perform. This set of access rights is sufficient for the fraudsters to carry out their malicious operations. Win32/Theola is loaded into the Google Chrome browser as shown below:
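The manifest shown on the page is not reproduced here, but the triage step it illustrates is worth making concrete. The following Python script is an added example, not ESET's or the article's code: it unpacks a CRX2 container (magic `Cr24`, version, public-key and signature lengths, then the ZIP holding `manifest.json`), reads the manifest and flags the capabilities a defender would want to question, including broad `permissions` such as `webRequest` or `<all_urls>` and a `plugins` entry, which in pre-Chrome-45 manifests bundled native NPAPI code of the kind Theola uses. The sample CRX it builds is constructed for the demo, with placeholder key and signature bytes and a made-up manifest; the risk descriptions are this example's own.

```python
"""
Added example (not ESET's or the article's code): unpack a CRX2 container
and audit its manifest the way a defender triaging a suspicious Chrome
extension would. The CRX built by build_sample_crx() is constructed for
the demo; its key and signature bytes are placeholders, not a real extension.
"""
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"

# Permission names are real Chrome manifest v2 permissions; the risk text is
# this example's own summary of why each one matters for form-data theft.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>": "read/modify every page the user visits",
    "webRequest": "observe HTTP requests, including POST bodies",
    "webRequestBlocking": "modify or block HTTP requests in flight",
    "webNavigation": "track every navigation (e.g. to banking sites)",
    "tabs": "enumerate open tabs and their URLs",
    "cookies": "read session cookies for any permitted host",
    "desktopCapture": "capture the screen",
}


def parse_crx2(data: bytes) -> dict:
    """Split a CRX2 container into header fields and the embedded ZIP.

    Layout (little-endian): magic 'Cr24', version=2, pubkey_len, sig_len,
    then pubkey, signature and finally the ZIP archive with manifest.json.
    """
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    key_start = 16
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    return {
        "version": version,
        "public_key": data[key_start:sig_start],
        "signature": data[sig_start:zip_start],
        "zip": data[zip_start:],
    }


def load_manifest(crx: dict) -> dict:
    """Read manifest.json out of the ZIP part of a parsed CRX."""
    with zipfile.ZipFile(io.BytesIO(crx["zip"])) as zf:
        return json.loads(zf.read("manifest.json"))


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for risky capabilities in a manifest."""
    findings = []
    for p in manifest.get("permissions", []):
        if p in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission {p!r}: {HIGH_RISK_PERMISSIONS[p]}")
        elif isinstance(p, str) and p.endswith("/*") and p.startswith(("http://*", "https://*", "*://")):
            findings.append(f"host permission {p!r}: wildcard host access")
    # Manifests before Chrome 45 could declare native NPAPI modules here.
    for plugin in manifest.get("plugins", []):
        findings.append(f"native NPAPI plugin {plugin.get('path')!r}: runs unsandboxed native code")
    # Content scripts matched on every URL run inside every page the user opens.
    for cs in manifest.get("content_scripts", []):
        if "<all_urls>" in cs.get("matches", []):
            findings.append("content script injected into every page")
    return findings


def build_sample_crx() -> bytes:
    """Construct a CRX2 with placeholder key/signature around a demo manifest."""
    manifest = {  # constructed sample, not Theola's actual manifest
        "name": "constructed-demo-extension",
        "version": "1.0",
        "manifest_version": 2,
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
        "plugins": [{"path": "plugin.dll", "public": False}],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    pubkey = b"PLACEHOLDER_PUBKEY"  # placeholder, not a real RSA key
    sig = b"PLACEHOLDER_SIG"        # placeholder, not a real signature
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()


if __name__ == "__main__":
    crx = parse_crx2(build_sample_crx())
    for line in audit_manifest(load_manifest(crx)):
        print("-", line)
```

Run against a real `.crx` by replacing `build_sample_crx()` with the file's bytes; CRX3 files (version 3, protobuf header) are rejected rather than misparsed, and signature verification is deliberately out of scope here because the question at triage time is what the extension is allowed to do, not who signed it.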



After deobfuscation, we see that the first JavaScript method loads the plugin's own module as the default browser plugin.



This JavaScript module modifies the POST submission of every web form on a loaded page. It also makes password-entry fields visible and uses the video recording capability to capture an image of the desktop, which is then sent to the attacker's server; this is certainly an original method of stealing passwords.



Once loaded into the browser, the plugin appears on the extensions panel as follows:



The NP_GetEntryPoints() function initiates the plugin loading process and obtains pointers to the other functions the plugin needs in order to run in the browser. The decompiled NP_GetEntryPoints() code is shown below.



The screenshot below shows the reconstructed virtual method table (vtable), which reveals the main functionality of the Win32/Theola malicious code; it also contains video recording functions based on the open-source x264 library for encoding MPEG video.



Once the plugin is running, the addListners() function loads the JavaScript code that tracks web activity on the infected machine.



The JavaScript code for working with URLs is shown below.



The beforeNavigate() method.



If the malicious code detects activity on an online banking web page, it sends all sensitive information (passwords, credit card numbers, etc.) over a dedicated named channel. The name of this channel is generated by the following algorithm:



The plugin's interaction with the kernel-mode module and the other user-mode modules is implemented through special named-pipe handlers. Each handler is responsible for processing a particular type of event.

Conclusion

Google Chrome is one of the most popular browsers in the world, and its popularity among malware authors is growing as well. Win32/Theola implements its malicious module as a plugin for the Chrome browser. This is quite an effective way of complicating detection, because the plugin uses only documented APIs to control web activity, and those documented APIs are a perfectly adequate means of working with the sensitive data entered into web forms. Many banking malware families hook user-mode APIs to gain control over network traffic; Win32/Theola, by contrast, uses legitimate, documented methods that are just as effective but far better at evading antivirus scanning.

Source: https://habr.com/ru/post/172917/

