The Win32/Aibatook Trojan has been known since the end of last year and specializes in stealing user data, including online banking credentials. The first versions of Aibatook were written in Delphi; the authors later switched to C++. Our analysts have analyzed one of the versions of this Trojan, which appeared in April 2014. This version has the following features:
- The malware is distributed through a dedicated exploitation chain (a set of malicious scripts) that begins on a compromised website.
- Aibatook targets Internet Explorer only and uses an unusual technique to steal user information.
- It implements two different approaches to stealing personal information: the first is built specifically against two large Japanese banks, and the second is more flexible and is currently used against about 90 different Internet services.

As in many other malware infections, the compromise begins with a legitimate website that hosts malicious content. That content, malicious JavaScript or an IFrame, redirects the user to the exploit kit's page, from which the malware is installed. But instead of using a full-fledged exploit kit, i.e. relying on several exploits for different software to install the malware automatically, in the case of Win32/Aibatook the attackers rely on a single exploit for one particular vulnerability in Oracle Java. Although such a strategy may look suboptimal for installing malware, a likely explanation is the attackers' focus on customers of a particular bank who have Java installed.
Starting in mid-April, the attackers began using an exploit for the Java vulnerability CVE-2013-2465. To install Win32/Aibatook automatically, several legitimate websites were compromised with malicious content. Over the past three months we have identified four such websites, listed below.
sokuhabo.net
uravidata.com
ppv.xxxurabi.com
mywife.cc
All four are pornographic sites targeting a Japanese audience. According to Alexa statistics, three of the four are among the 20 thousand most visited sites in Japan, and mywife.cc is even in the top 2 thousand. The image below shows the exploitation process for ppv.xxxurabi.com (the other three use a similar infection mechanism).

Fig. The process of infecting a user with the Win32/Aibatook Trojan.
In the first stage, the user visits a ppv.xxxurabi.com web page that contains a link to a malicious JavaScript file hosted on google.sonovi.com. After deobfuscation, the script has the following form.

The script injects an IFRAME element pointing to the exploit kit page on 2002.jp and also sets a cookie named "GOOGLE1" that remains on the user's computer for the next 24 hours. This cookie serves as an indicator of system compromise, so the user is not redirected to the exploit kit again.
The user is then redirected to the exploit kit page, where they see the following content.

Under certain conditions, a fragment of HTML code that the user is not supposed to see is placed at the very beginning of the web page. It is highlighted in blue in the following screenshot of the page's HTML source.

The browser then loads and executes a Java applet named "b399.class". It also requests a file named "counter.php", probably because the cybercriminals want to limit the number of malware installation attempts per day. This script, which counts exploit launches, is hosted on another compromised resource, ccc.rejec.net.
In the final stage, the malicious applet exploits CVE-2013-2465, an integer overflow in the Java SE 2D component that leads to memory corruption in Abstract Window Toolkit (AWT) code. This lets the exploit overwrite the SecurityManager class and thus bypass the restrictions of the Java sandbox (the environment in which Java executes applet bytecode). The exploit then tries to download the payload from a URL stored in the .class file. The payload is saved as a file named "tar.gif" and executed. In our case, the payload URL was "xsvx1014274.xsvr.jp".
The following table describes the malicious .class files that make up the exploit for CVE-2013-2465.

It should be noted that Win32/Aibatook has at various times been distributed through other exploits as well (for example, CVE-2014-0322).
Payload
The main targets of Win32/Aibatook are users of Japanese online banking services, as well as of some other online services. As mentioned earlier, the malicious code uses two approaches to steal confidential data: one is used to steal information from two websites, the other, a universal method, from more than 90 sites. Both are built on the same foundation: compromising the Internet Explorer browser.
The malware compromises Internet Explorer using the IHTMLDocument2 COM interface, which allows it to read data from a web page and write to it, that is, to modify it. This is done in the following steps.
- It gets a handle to the active user window via the GetCursorPos and WindowFromPoint APIs.
- It checks whether the window's class name matches the string "Internet Explorer_Server".
- If it does not match, the malware's thread sleeps for a few seconds and then retries the check.
- If it matches, the documented features of the IHTMLDocument2 interface are used.
This method gives the attackers access to IE versions 8 through 11, and it is limited in that it does not work with other browsers. However, according to statistics, Internet Explorer is the most widely used browser in Japan, another indicator that Win32/Aibatook targets Japanese users.
Below we describe the two approaches Win32/Aibatook uses to steal a user's personal information.
The first approach is highly specialized and is used to compromise several Internet banking services whose URLs are hard-coded into the malware. These addresses belong to Japan Post and SBI Sumishin Net Bank. To compromise online banking web pages, Win32/Aibatook retrieves the URL of the current page via the IHTMLDocument2.get_url method and compares it with the URLs stored in its body, as shown in the screenshot below.

It should be noted that the online banking URLs, like all other strings in the body of the malware, are encrypted with a custom algorithm. Each encrypted string consists of two parts:
- The first part is a fixed-length key that looks like a base64-encoded string. The key is encrypted by XORing it with a hard-coded value.
- The second part is the encrypted data, which is first base64-encoded and then encrypted with the key from the first part.
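As an added illustration (not the post's own code), a Python decoder for strings in the two-part layout just described, with an encoder used only to construct the sample. The key length, the hard-wired XOR byte and the use of a repeating-key XOR as the per-string cipher are all assumptions, since the post does not give them.

```python
import base64
import binascii
from itertools import cycle

# Hypothetical parameters: the post gives neither the key length nor the
# hard-wired XOR value, so these are assumptions for illustration.
KEY_LEN = 16
KEY_XOR = 0x5A


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (assumed to be the per-string cipher)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_string(plain: str, key: bytes) -> bytes:
    """Build a blob in the described layout; used here only to construct samples."""
    assert len(key) == KEY_LEN, "key part has a fixed length"
    key_part = _xor(key, bytes([KEY_XOR]))                   # key XORed with hard-wired byte
    data_part = _xor(base64.b64encode(plain.encode()), key)  # base64 first, then encrypt
    return key_part + data_part


def decode_string(blob: bytes) -> str:
    """Reverse the layout: recover the key, strip the cipher, then undo base64."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short to hold a key part")
    key = _xor(blob[:KEY_LEN], bytes([KEY_XOR]))
    b64 = _xor(blob[KEY_LEN:], key)
    return base64.b64decode(b64, validate=True).decode("utf-8")


def try_decode(blob: bytes):
    """Return the plaintext, or None when the blob is not a string in this layout."""
    try:
        return decode_string(blob)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


# Constructed sample: a base64-alphabet key and a fake banking URL.
SAMPLE_KEY = b"QWxhZGRpbjpvcGVu"
SAMPLE_BLOB = encode_string("https://bank.example.invalid/login", SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_string(SAMPLE_BLOB))
```

When run over candidate byte ranges carved from a sample, try_decode returns None for anything that is not in this layout, so only real strings come back.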
If the user visits one of the bank URLs above, the malware monitors the user's login to the online banking system by watching the page title via the IHTMLDocument2.get_title method and its contents via IHTMLDocument2.get_nameProp. Once the login has been performed, Aibatook can take the following two actions:
- Retrieve the values the user entered into the HTML form, that is, the account's login/password pair.
- Modify the HTML in the body of the web page displayed to the user. Aibatook retrieves the page content via IHTMLDocument2.get_body and modifies it with body.put_innerHTML. Below is an example of a Japan Post online banking page with a form injected by the malicious code.

The Japanese text highlighted in red translates as an urgent request for the user to enter their personal identification number because the online banking system needs an update (clicking the button simply redirects the user to another page of the online banking system). As soon as Aibatook has the user's personal data, it sends it to a remote C&C server at a URL hard-coded in the malware body. The message is an HTTP POST request carrying the stolen data as a parameter, encrypted with the same algorithm mentioned earlier. Aibatook also sends the MAC address of the computer's network adapter to help identify the victim. Before intercepting data from the Japan Post online banking page, the malicious code may take the following actions.
- It sets a malicious proxy in the browser settings when the user visits the Japan Post site; this may serve as an additional means of collecting user input.
- If the user visits the online banking site's special anti-phishing page, the malicious code immediately redirects them to the login page.
The second approach to stealing data from online banking sites lets the attackers greatly widen the range of web resources from which information is stolen. It is based on the well-known form-grabbing technique: the input fields of an HTML form are monitored continuously, and if they meet the required conditions the data entered into them is taken by the malicious code. Aibatook uses a configuration file, downloaded from a hard-coded URL, that lists the websites to compromise. The configuration file is encrypted with the algorithm mentioned above; after loading it into memory, the malicious code keeps it in clear text. Part of one such configuration file is shown in the screenshot below.

As you can see, the file has a defined structure and consists of blocks labeled with tags. The file begins with a version block followed by a set of [W] blocks, each describing a target chosen by the attackers. A block can contain several child blocks.
- The [Web] block contains the name of the resource being compromised.
- The [CURL] block contains the URL of the resource (web page).
- The [CTI] block contains the title of the resource web page.
- The [NAME] block lists the names of the HTML fields to be analyzed.
- The [ID] block lists the IDs of the HTML fields to be analyzed.
The malware uses this file as follows: if the URL of the page the victim visits matches the value in the [CURL] block, or its title matches the string in the [CTI] block, then the data entered into every field whose name matches [NAME] or whose ID matches [ID] is stolen. The following table shows one such example.

In this example, we see an Aibatook configuration file with one [W] block, the next column is the web page visited by the user, and then the information stolen by the malicious code. This approach is quite flexible; in particular, some [CURL] and [CTI] blocks are left empty, which lets the attackers target any web page containing input fields with the listed names. We computed statistics on the domains Aibatook targets with this method: 87 domains were found, and for some of them it was possible to establish their purpose from the values of the [CURL] and [CTI] tags.
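An added example, not code from the post: a Python parser for a configuration file in the block layout described above, implementing the [CURL]/[CTI] page selection and [NAME]/[ID] field matching so that a responder can list the domains a captured configuration targets and which fields of a given page it marks for collection. The "[TAG]value" line syntax and substring matching are assumptions, since the post shows the file only as a screenshot.

```python
from urllib.parse import urlparse
# Constructed sample. The post shows the file only as a screenshot, so the
# "[TAG]value" line layout used here is an assumption, not the real syntax.
SAMPLE_CONFIG = """[Version]3
[W]
[CURL]https://bank-a.example/login
[CTI]
[NAME]userid
[ID]pin
[W]
[CURL]
[CTI]Sign in
[NAME]email
[NAME]password
"""

def parse_config(text):
    """Return (version, targets); each target holds the child blocks of one [W]."""
    version, targets, cur = None, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[") or "]" not in line:
            continue
        tag, _, value = line[1:].partition("]")
        if tag == "Version":
            version = value
        elif tag == "W":
            cur = {"Web": "", "CURL": "", "CTI": "", "NAME": [], "ID": []}
            targets.append(cur)
        elif cur is not None and tag in ("NAME", "ID"):
            cur[tag] += [value] if value else []  # selectors may repeat; skip empties
        elif cur is not None and tag in cur:
            cur[tag] = value
    return version, targets

def page_selected(target, url, title):
    """Match when [CURL] is in the URL or [CTI] in the title (assumed substring);
    a target with both selectors empty matches any page."""
    curl, cti = target["CURL"], target["CTI"]
    return (not curl and not cti) or bool(curl and curl in url) or bool(cti and cti in title)

def exposed_fields(target, url, title, form):
    """Entries of `form` (keyed by field name or id) that this target would collect."""
    if not page_selected(target, url, title):
        return {}
    wanted = set(target["NAME"]) | set(target["ID"])
    return {k: v for k, v in form.items() if k in wanted}

def targeted_domains(targets):
    """Hostnames from non-empty [CURL] blocks, useful for scoping an incident."""
    return sorted({urlparse(t["CURL"]).hostname for t in targets if t["CURL"]})
```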
Conclusion
The Win32/Aibatook malware family is aimed at Japanese users. A user's computer is infected through a dedicated exploitation chain that redirects the victim to malicious sites. Cybercriminals use Aibatook to steal user data by compromising Internet Explorer. Two approaches are used for this: the first, more targeted, is aimed at stealing information from the online banking sites of two large Japanese banks, and the second is used to steal data from a large number of web resources of various types.
We have seen Win32/Aibatook's code and capabilities develop steadily over the past few months. In the future we can expect not only further evolution of this family but also more active use of it by attackers.