In September, we reported on a new banking Trojan called Hesperbot (detected as Win32/Spy.Hesperbot). The cybercriminals using this tool are still active: new cases of infection with this malware were recorded in November.
We have already shown that infections with this malware are concentrated in a few specific countries, with users infected through spam campaigns carrying phishing messages in their native language. As expected, it did not take the attackers long to start targeting new countries. In addition to the four we have already named (Turkey, the Czech Republic, Portugal, and the United Kingdom), new versions of the malicious code targeting users in Germany and Australia were recorded over the past month.
Over the past month there have also been significant numbers of infections in the Czech Republic, and the attackers have added web injection scripts to the configuration files for the Czech botnet. The chart below shows the distribution of Hesperbot infections by country as recorded in November by ESET LiveGrid.
Hesperbot has a modular architecture, and its configuration files allow the attackers to point the malicious code at new online banking systems. The configuration file gives specific instructions to the malware, for example which URLs the form-grabbing module should ignore: when such a URL appears in an HTTP POST request, the module takes no special action to steal the data the user enters into web forms (online banking credentials, credit card details) and pass it to the attackers. Another URL list determines when the video capture module is triggered (it can be used to bypass virtual keyboards and lets the botnet operator watch the balance of the victim's bank account without logging in to the online banking account). The configuration file also contains web injections, in a format similar to that used by Zeus and SpyEye.
The table below lists the URLs of online banking systems found in one of the latest configuration files.
Below is the layout of a web form with which the attackers try to lure the victim into installing a mobile component.
Next, the user is asked to follow the corresponding installation instructions.
Below is a real case of a web injection on the website of a Czech bank.
Note that in the case of Hesperbot the user continues to see the HTTPS connection icon in the browser's address bar. More details on the methods the malware uses to achieve this can be found in our detailed analysis.
We have already described the various Hesperbot modules in our previous analysis. The latest version of the malicious code now uses two new modules. The first is called gbitcoin and tries to steal the following files:
- %APPDATA%\Bitcoin\wallet.dat
- %APPDATA%\MultiBit\multibit.wallet
These files are the wallet files of the Bitcoin and MultiBit clients and store the private keys. Given the current high value of Bitcoin, the decision to add such a module is quite understandable. Some tips on how to use Bitcoin safely can be found on our English-language blog, as well as on the Bitcoin wiki.
The second module added by the cybercriminals is even more interesting than the first. Its activity is controlled by the Hesperbot configuration file. If the corresponding records are present in it, the module can perform the following actions:
- Suspend all threads in the specified process and hide all of its visible windows.
- Show custom messages to the user using the MessageBox function.
- Block network communication for a certain time by hooking the recv, WSARecv, send and WSASend functions from the ws2_32.dll library.
Fig. Hesperbot intercepted network functions.
In this case, the hooked functions return a WSAEACCES error. To implement the hooks, Hesperbot uses the sch_mod helper module.
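As an added example (not ESET's code and not part of the original post), the following C program shows a simple defensive check for the behaviour described above: it inspects the entry points of the four ws2_32.dll exports named in the post and flags ones whose first bytes look like a detour. It assumes the hook is an inline patch of the export's first instructions, a common technique; the post does not say which style sch_mod uses. The byte-pattern heuristic is portable, while the part that reads the live entry points compiles only on Windows.

```c
/* Added example: heuristic inline-hook check on the Winsock exports that the
 * post says Hesperbot intercepts. Assumption: the hook overwrites the first
 * bytes of the export with a jump (inline patch); other hook styles such as
 * IAT patching are not covered by this check. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Return 1 if the leading bytes of a function look like a detour stub. */
int looks_inline_hooked(const uint8_t *code, size_t len)
{
    if (len < 5) return 0;
    if (code[0] == 0xE9) return 1;                                  /* jmp rel32 */
    if (code[0] == 0xFF && code[1] == 0x25) return 1;               /* jmp [abs] / jmp [rip+disp32] */
    if (code[0] == 0x68 && len >= 6 && code[5] == 0xC3) return 1;   /* push imm32; ret */
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&          /* mov rax, imm64 */
        code[10] == 0xFF && code[11] == 0xE0) return 1;             /* jmp rax */
    return 0;                                                       /* looks like a normal prologue */
}

/* Export names taken from the post. */
const char *const WATCHED_EXPORTS[] = { "recv", "WSARecv", "send", "WSASend" };
#define NWATCHED (sizeof WATCHED_EXPORTS / sizeof WATCHED_EXPORTS[0])

/* Check the exports in the current process and return how many look hooked.
 * On non-Windows builds there is nothing to inspect, so it returns 0. */
int count_hooked_winsock_exports(void)
{
    int hits = 0;
#ifdef _WIN32
    HMODULE ws2 = GetModuleHandleA("ws2_32.dll");
    if (!ws2) ws2 = LoadLibraryA("ws2_32.dll");
    if (!ws2) return 0;
    for (size_t i = 0; i < NWATCHED; i++) {
        const uint8_t *entry = (const uint8_t *)GetProcAddress(ws2, WATCHED_EXPORTS[i]);
        if (entry && looks_inline_hooked(entry, 16)) {
            printf("possible inline hook on ws2_32!%s\n", WATCHED_EXPORTS[i]);
            hits++;
        }
    }
#endif
    return hits;
}
```

A hit means the export's code was modified in this process; comparing the bytes against the on-disk ws2_32.dll image would confirm it. On a clean system the count should be zero, although some security products also hook these exports legitimately.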
So far, we have not been able to find configuration files that activate this new functionality. A likely purpose of such handlers is to block standalone banking applications that the Trojan cannot control, pushing the user towards the bank's web interface in the browser, which the malicious code has already compromised.
We were also able to find the Hesperbot C&C control panel.
The screenshot above shows the targeted banks for the countries Hesperbot is aimed at and the number of successful mobile component installations. As mentioned earlier, the cybercriminals lured victims to the mobile component installation page via web injections into online banking sites. The control panel shown above provides statistics on the Turkish, Australian and German botnets.
Conclusion
The attackers using Hesperbot have been very active lately, so corresponding financial losses for bank customers can be expected. We continue to monitor Hesperbot activity and will keep you informed of further developments.