Hesperbot - a new banking trojan discovered in-the-wild
In mid-August, we discovered a malware distribution campaign that targeted the Czech Republic. She caught our attention because the malware files were distributed via URLs that are very similar to the addresses of the Czech Post Office. Further analysis of the files showed that we are dealing with banking malware, which is similar in its capabilities to Zeus and SpyEye, but differs from already known families in the technical implementation of its capabilities.
The new Trojan is called Win32 / Spy.Hesperbot and is a powerful tool to steal online banking data. Hesperbot has the following features:
')
In our collection, we discovered several earlier versions of this Trojan program, which we discovered as Win32 / Agent.UXO .
The purpose of the attackers is to obtain the credentials that users use to log into their online banking system account. In addition, the malicious code convinces the user to install their mobile component on a phone running Symbian, Blackberry or Android.
The Czech campaign to spread this malware began on August 8, 2013. To do this, the attackers registered the domain ceskaposta.net, which resembles the website of the Czech Postal Service ceskaposta.cz.
Fig. Date the domain was created.
Fig. The date the file was compiled.
The domain was registered on August 7 of this year, and the first samples of Hesperbot, which were distributed in the Czech Republic, were compiled on the morning of August 8 and later captured by our LiveGrid system.
In addition to the URL, which is very similar to the postal service of the Czech Republic, the attackers used the thematic content of the letters in order to be more convincing. The letter contained information of the postal service on the status of the allegedly sent letter. The names of the files themselves had corresponding names, for example, zasilka.pdf.exe. The word "zasilka" is translated from Czech as "letter." In the message, the attackers used ceskaposta.net address, disguising it as a legitimate ceskaposta.cz.
Fig. The message of the Czech postal service about the scam.
Despite the fact that our attention was attracted by the Czech campaign, the country most affected by the activities of this banking Trojan was Turkey. Hesperbot specimens from Turkey were compiled before August 8th. The last peak of botnet activity was detected in Turkey back in July 2013, besides the older samples are dated April 2013. Some samples of the Trojan program send debug information to the command C & C server, thus the attackers run through its intermediate versions and test their performance.
The campaign, which was carried out by attackers in Turkey, has a similar nature of the Czech attack. The attackers used a similar approach when sending emails that they sent to potential victims. We later discovered that the same approach was used against targeted attacks on users in Portugal and England.
In the course of our research, we stumbled upon an additional component that is used by Win32 / Spy.Hesperbot. This is a malicious code Win32 / Spy.Agent.OEC , which is responsible for collecting email addresses on the infected machine and sending them to a remote server. It is possible that the collected email addresses were then used in malware distribution campaigns.
The configuration files used by the malware when intercepting HTTP traffic tell it which online banking sites should be intercepted. Various botnets specialize in interception of certain sites. Below are the addresses of websites of online banking systems that are tracking malicious code.
Czech
Turkey
Portugal
In the case of Turkish and Portuguese botnets, configuration files include information about web izhektah, ie, portions of HTML-code that malicious code will insert into web pages. No such code was found in the Czech configuration file. This suggests that attackers could use simple keylogger functionality for this purpose.
With the use of the ESET LiveGrid telemetry system, hundreds of cases of user compromise in Turkey, the Czech Republic, the United Kingdom and Portugal have been recorded.
The new Trojan is called Win32 / Spy.Hesperbot and is a powerful tool to steal online banking data. Hesperbot has the following features:
')
- interception of network traffic and HTML injections;
- keylogger;
- creating screenshots of the desktop;
- video capture;
- creating a remote proxy connection;
- create hidden VNC server.
In our collection, we discovered several earlier versions of this Trojan program, which we discovered as Win32 / Agent.UXO .
The purpose of the attackers is to obtain the credentials that users use to log into their online banking system account. In addition, the malicious code convinces the user to install their mobile component on a phone running Symbian, Blackberry or Android.
The Czech campaign to spread this malware began on August 8, 2013. To do this, the attackers registered the domain ceskaposta.net, which resembles the website of the Czech Postal Service ceskaposta.cz.
Fig. Date the domain was created.
Fig. The date the file was compiled.
The domain was registered on August 7 of this year, and the first samples of Hesperbot, which were distributed in the Czech Republic, were compiled on the morning of August 8 and later captured by our LiveGrid system.
In addition to the URL, which is very similar to the postal service of the Czech Republic, the attackers used the thematic content of the letters in order to be more convincing. The letter contained information of the postal service on the status of the allegedly sent letter. The names of the files themselves had corresponding names, for example, zasilka.pdf.exe. The word "zasilka" is translated from Czech as "letter." In the message, the attackers used ceskaposta.net address, disguising it as a legitimate ceskaposta.cz.
Fig. The message of the Czech postal service about the scam.
Despite the fact that our attention was attracted by the Czech campaign, the country most affected by the activities of this banking Trojan was Turkey. Hesperbot specimens from Turkey were compiled before August 8th. The last peak of botnet activity was detected in Turkey back in July 2013, besides the older samples are dated April 2013. Some samples of the Trojan program send debug information to the command C & C server, thus the attackers run through its intermediate versions and test their performance.
The campaign, which was carried out by attackers in Turkey, has a similar nature of the Czech attack. The attackers used a similar approach when sending emails that they sent to potential victims. We later discovered that the same approach was used against targeted attacks on users in Portugal and England.
In the course of our research, we stumbled upon an additional component that is used by Win32 / Spy.Hesperbot. This is a malicious code Win32 / Spy.Agent.OEC , which is responsible for collecting email addresses on the infected machine and sending them to a remote server. It is possible that the collected email addresses were then used in malware distribution campaigns.
The configuration files used by the malware when intercepting HTTP traffic tell it which online banking sites should be intercepted. Various botnets specialize in interception of certain sites. Below are the addresses of websites of online banking systems that are tracking malicious code.
Czech
Turkey
Portugal
In the case of Turkish and Portuguese botnets, configuration files include information about web izhektah, ie, portions of HTML-code that malicious code will insert into web pages. No such code was found in the Czech configuration file. This suggests that attackers could use simple keylogger functionality for this purpose.
With the use of the ESET LiveGrid telemetry system, hundreds of cases of user compromise in Turkey, the Czech Republic, the United Kingdom and Portugal have been recorded.
Source: https://habr.com/ru/post/192684/
All Articles