More and more companies are asking Kaspersky Lab to carry out detailed investigations of malware-related IT security incidents affecting their business.
In this article, we will describe a typical cybercriminal attack aiming at stealing corporate financial assets from a remote banking system.Description of the Incident
An organization recently asked Kaspersky Lab to investigate an incident that had occurred in its corporate remote banking system: a bank representative contacted the organization's accounting department and asked for confirmation of a payment worth 3 million rubles (about US$80,000). It transpired that nobody in the organization had ever heard of this payment. The accountant was certain that he did not make that payment; he explained that he was out on his lunch break at the time of the transaction.
The accountant used banking software on his workstation to prepare payment orders and send them to the bank. The logs on this software recorded two suspicious payments to the same address. The first was a relatively small payment of 300,000 rubles. This did not sound any alarm bells, and was processed without a query. The second payment, worth 3 million rubles, alerted the staff at the company's bank.
It was clear that the accountant had not made the payments himself, so the organization suspected a malware attack. But how was that possible? They were using specialized banking software with password protection. They required a special file to access the remote banking system, and the bank itself would check the IP address of the sender of any payment.Investigation
The main goal of a malware incident investigation is to accurately assess the consequences of the attack, identify every compromised computer and establish exactly how the malware penetrated the victim computer(s). The organization affected can then use this information to effectively mitigate the damage and address weaknesses in its corporate security system to prevent such incidents from happening in the future.
During the investigation, it is also sometimes possible to detect hitherto-unknown malware species and add their signatures to the security databases, protecting other users from their future impact.
In this case an image of the hard disk from the accountant's desktop was provided to Kaspersky Lab's Global Emergency Response Team (GERT) for analysis and investigation.Remote Access to Desktop
During our first-pass analysis of the accountant's hard drive, we identified a modified version of the legal Remote Manipulator System which enables remote access to the computer. This type of software is often used by accountants and system administrators. However, this program was located in a suspicious catalogue, had a suspicious name ('C:\windows\dotcom\wmiterm.exe' is an overly "system-related" path , so even an advanced user is unlikely to smell a rat), and had two modifications to conceal its operation:
- The icon in the Windows Task Bar was hidden,
- The Registry key where the program stores its configuration was modified: 'HKLM\SYSTEM\Remote Manipulator System\v4' was changed to 'HKLM\SYSTEM\System\System\Remote\ Windows', which again looks very similar to the system registry key.
These modifications are typical of malware, so we added signatures for this program to Kaspersky Lab's antivirus databases – it is detected as malicious with the verdict 'Backdoor.Win32.RMS'.
While analyzing the operation of Backdoor.Win32.RMS, we discovered that the cybercriminals used it to download another malware program onto the victim computer, 'Backdoor.Win32.Agent'. (This detection was added to Kaspersky Lab products immediately). That backdoor provided remote VNC (Virtual Network Computing) access to the victim computer. Interestingly, the code of this malware program has a lot in common with the 'hVNC' module of the Carberp Trojan. Carberp's source code is available for public access.
So, how did Backdoor.Win32.RMS sneak onto the accountant's desktop?Infecting a Corporate Desktop
In the Microsoft Outlook database, stored in the file 'outlook.pst' on the hard drive, we found an email containing an attachment named "запрос ИФНС № АС-4-31339.doc" ('Federal Tax Service request no. AC-4-31339.doc'). Kaspersky Lab Anti-Virus detected that Microsoft Office document as malicious with the verdict 'Exploit.MSWord.CVE-2012-0158.'
The cybercriminals used social engineering methods: the email was sent in the name of Russia's Federal Tax Service, called for immediate action, and provided contact details of real Tax Service officers.
"Federal Taxation Service. Please provide all required documents as soon as possible."
The accountant would certainly have opened the attachment, which exploited a vulnerability in Microsoft Word to download a self-unpacking archive from a remote server and then initialize the unpacking. The archive contained two files: 'SYST.EXE', a renamed version of the file archiver '7zip', and 'SYST'.
While unpacking, the source archive launched the archive program 'SYST.EXE' with parameters instructing it to unpack the password-protected archive 'SYST' using the incorporated password. This trick of using a password-protected password successfully bypasses security software's attempts at static unpacking of the file, impeding its detection.
Unpacking 'SYST' created the following: the 'Backdoor.Win32.RMS' file (which we detected earlier) and the 'INST.CMD' script which installed the backdoor in the system. This is the script that copied the malicious program's files into the folder 'C:\windows\dotcom'.
After we detected the backdoors, we began to understand how the cybercriminals could steal the money. If they had remote access to the computer, they could have make their own payment order, and then the key file and the sender's IP address would be legitimate. But we still didn't know how they criminals got the password to access the banking software. We decided to look for a keylogger program.The keylogger
The file 'Svchost.exe' attracted our attention, located in the root of the system disk. It turned out to be a keylogger (detection added with the verdict 'Trojan-Spy.Win32.Delf'); it also contained functionality to manage the configuration of Backdoor.Win32.RMS. This unusual capability was apparently introduced by the cybercriminals because they needed a tool to control the modified Remote Manipulator System: they had hidden this program's entire user interface and could use it to manage the configuration.
We also discovered that this keylogger was downloaded with the help of Backdoor.Win32.RMS.
The keylogger sent a log containing all stolen information to the C&C at regular intervals and kept an up-to-date copy of the log on the infected computer's hard drive. We found the banking password within the piles of information stolen by the keylogger.The battle plan
Following our research, we reconstructed the cybercriminals' action plan:
- The cybercriminals launched a targeted attack using social engineering and a Microsoft Word vulnerability to infect the accountant's computer with Backdoor.Win32.RMS.
- With the help of that backdoor, the cybercriminals loaded two more malicious programs onto the victim computer: a keylogger (Trojan-Spy.Win32.Delf) and another backdoor (Backdoor.Win32.Agent) which establishes remote VNS access to the victim computer.
- The keylogger intercepted the password to the remote banking account.
- While the accountant was away from his computer, the cybercriminals used Backdoor.Win32.Agent and the VNS access to the computer to start the banking software on behalf of the accountant.
- The cybercriminals used the password intercepted by the keylogger to create a payment order worth 300,000 rubles and send it to the bank.
- A bit later, they created another payment order, this time worth 3 million rubles, and sent it to the bank.
As we got towards the end of the investigation, we discovered yet another interesting fact: the IP-addresses of C&C servers for all malicious programs used in the attack belonged to the same sub-network.
Diagram of the cybercriminal attack
We also found out that the cybercriminals acted very fast: it took them just four days to carry out their planned crime. Three days were spent preparing, and the plan was executed within just a few hours on the fourth day.
Day 1. The cybercriminals sent the email to the company's accountant. The accountant read the email, opened the attachment, and the malicious program Backdoor.Win32.RMS was downloaded to his program. On the following days, the cybercriminals used this program to watch the accountant's activities.
Day 4. The cybercriminals used Backdoor.Win32.RMS to load the keylogger Trojan-Spy.Win32.Delf to the victim computer and intercepted the password to the banking software. Soon afterwards they loaded Backdoor.Win32.Agent and used it to connect to the accountant's computer. Then they sent payment orders from the victim computer to the bank.Notifying the cybercriminals' victims
As the cybercriminals used several IP addresses from the same sub-network, we decided to have a closer look at the C&C servers. As it turned out, the cybercriminals made a mistake when configuring one of the servers, so any user can see the HTTP requests to the C&C servers. That's how we were able to track down the IP addresses from which requests were sent using the keylogger's protocol. As we found out, there were several computers with different IP-addresses infected with the keylogger.
There was one odd feature of this keylogger: when it was launched on an infected computer, it downloaded the latest version of its log from the C&C server. Thus, any user could review the keylogger's log if they opened the appropriate URL address in their web browser. We decided to have a close look at the HTTP requests sent to the C&C server, and in them we found the names of the logs that the keyloggers sent to the C&C server. In many cases, the logs contained the name of the organization which owned the infected computer and the victims' contacts (We could also find the victims' IP addresses using the vulnerability in the C&C server). This information helped us contact other victims (most of them were accountants at SMBs) and warn them that their computers were infected. They were very grateful for the information.Features of banking attacks
As we said at the beginning of the article, this attack is a typical case of stealing money from a company.
- Cybercriminals actively use social engineering to encourage users to open the malicious file.
- When attacking important targets, cybercriminals may use new exploits for previously unpublished vulnerabilities. In such cases regular attack detection tools, such as IDS, are not good enough.
- Yet another feature of this attack is that it involves legal software. This is a growing trend: we see cybercriminals using legitimate applications to gain remote access to victim computer before downloading and launching malicious files on them.
Members of staff who deal with commercially important information and handle the company's finances need training on the basics of IT security. The company must implement security policies that would minimize the risk of employee negligence causing an infection on the corporate network.
However, 0-day exploits are too expensive to use in attacks on regular companies. Here we usually see exploits for known vulnerabilities. This means simple steps like promptly updating software (especially Microsoft Office and Java) and installing a quality security solution can ensure adequate levels of protection.
Security products obviously won't flag up the use of legitimate software. So cybercriminals can use these applications in a bid to keep their operations secret. In this attack, secrecy was ensured by using a version of Remote Manipulator System with modifications introduced into its executable file. We added a signature for this modified version of Remote Manipulator System so in future Kaspersky Lab's products will detect it.
If cybercriminals use the original, unmodified versions of legitimate software, the only solution will be for security systems to notify the user every time a potentially unwanted program is launched. All users, especially those who deal with financial and other important documents, must remember that no security system can provide absolute protection. They should pay attention to system notifications and be alert to any anomalous behavior on their computer. It's important to notify security staff of any suspicious event in the system.
Ideally, default deny mode should be enabled on all computers used to make payments in a remote banking system; this mode restricts Internet access and prevents the launch of irrelevant, non-whitelisted software. The same applies to computers used by corporate users to work with commercially important (business-critical) information.Conclusion
These days, the main driving force behind all cybercriminal actions is money. Gaining access to remote banking systems is the most direct and straightforward way of stealing money from an organization. It is little surprise that remote banking systems are an increasingly attractive target for cybercriminal attacks.
Anyone who uses remote banking systems is more than familiar with the security systems incorporated in them … but so are the cybercriminals. The use of passwords, key files and tokens, as well as restricting IP access, can lull users into a false sense of security.
However, none of these measures, whether taken individually or as a group, will do anything to enhance security if they are implemented on a compromised computer. On an infected machine, passwords can be intercepted, key files can be copied. Cybercriminals can create a hidden desktop and use the original IP address and the token connected to the victim computer.
When investigating security incidents we regularly encounter the following situation: a malicious program is launched on a computer, but later it is detected and removed from the system. Subsequently the affected computer is used as before, continuing to carry out banking transactions with the accountant confident that the problem has been solved.
Users must realize that once a malicious program is executed, the computer affected should be considered compromised. The first malicious file only loads the main malicious payload. That payload typically consists of programs which update themselves all the time to escape detection by security products. Alternatively, cybercriminals load legitimate software with modifications that enable cybercriminals to connect to it via malicious C&C servers. In this case the malicious programs will not be detected.
Overlooking this can cause huge damage to a company. If a malicious program has been detected on a computer with critical information, incident response measures must be taken immediately.
Sadly, our experience shows that organizations often sound the alarm too late, when they are already facing financial loss or the shutdown of critical computing services. Moreover, the response measures taken within corporations usually prove ineffective, and often impede further investigation.
There is no such thing as a one-size-fits-all response to an incident. There are too many possible attack methods out there. For example, in some cases shutting the computer down immediately helps to preserve data that would be irreversibly deleted by a malicious program after a certain period. In other situations, though, a shutdown will destroy the RAM data that is vital to a subsequent investigation. Only an incident investigation specialist can make the right decision.
In any case, if there is the slightest suspicion of intrusion, any compromised computer should be disconnected from the Internet and the corporate network, and malware incident specialists should be called in.
Only a detailed investigation of a security incident can lead to an effective response.
Microsoft released four security bulletins this month addressing a total of 42 vulnerabilities in Internet Explorer (MS14-052), .NET (MS14-053), the Windows task scheduler (MS14-054), and several issues in Windows Lync Server (MS14-055). I counted a total of 37 cve set aside for Internet Explorer, with the other five for the three remaining software.
Most interesting is the XMLDOM vulnerability (cve-2013-7331), a vulnerability that has been publicly discussed since at least April 25, 2013. The PoC was re-purposed and abused in the VFW watering hole attack by APT otherwise known as Aurora Panda or "the DeputyDog actor". The crew is highly advanced and effective in technique and operation, over time deploying multiple 0day to meet their heavy offensive needs. Their xmldom trick likely helped to delay discovery of their IE 0day and presence on the compromised VFW server. "The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit". Microsoft rated this vulnerability patch "important" across OS versions, while the other privately disclosed IE vulnerabilities are rated "critical".
The other 36 Internet Explorer memory corruption vulnerabilities are all over the board as far as exploitability per platform, but they all enable remote code execution. It's most interesting that the patches for Internet Explorer v10 and v11 on supported Windows 8.1 are rated Critical RCE.
Also this month is a task scheduler escalation of privilege vulnerability reminiscent of one of the Stuxnet 0day that Kaspersky Lab researchers reported back in 2010, and was later deployed by the Tdss gang. And an update to an advisory went out to deal with post-exploitation lateral movement. This time the patched issue is not related to older pass-the-hash issues, but Kerberos ticket grant delay related. The logon credential cleanup package can be downloaded here.
More can be read about September 2014 Microsoft Security Bulletins here.