{"id":7398,"date":"2017-04-20T08:11:28","date_gmt":"2017-04-20T16:11:28","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/20\/news-1189\/"},"modified":"2017-04-20T08:11:28","modified_gmt":"2017-04-20T16:11:28","slug":"news-1189","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/20\/news-1189\/","title":{"rendered":"Binary Options malvertising campaign drops ISFB banking Trojan"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 20 Apr 2017 15:00:55 +0000<\/strong><\/p>\n

We have been witnessing a series of malvertising attacks\u00a0that keep a low profile with decoy websites and strong IP address filtering. We are calling it the ‘Binary Options’ campaign because the threat actor is using the front of a trading company to hide the real nature of his\u00a0business.<\/p>\n

There have been similar uses of fake fa\u00e7ades as a gateway to exploit kits. For instance, Magnitude EK is known to use gates that have to do with Bitcoin, investment websites and\u00a0such, as detailed in this Proofpoint blog entry<\/a>.<\/p>\n

In this particular case, the threat actor\u00a0stole the web template from “Capital World Option<\/em>“, a company that provides a platform for trading binary options. Participants must\u00a0predict whether the price of an asset will rise or fall within a given time frame, which defines whether or not they will make money. Binary options have earned a bad reputation though and some countries have even banned them.<\/p>\n

Fraudulent\u00a0infrastructure<\/h3>\n

Below is a screenshot of the legitimate website that is being impersonated. There are some differences between the real one and the fakes; the former is using SSL and was registered a while\u00a0ago. Also, some of the website functionality is not working properly with the decoy versions.<\/p>\n

Legitimate site:<\/p>\n

\"\"<\/a><\/p>\n

Decoy site that ripped all the branding:<\/p>\n

\"\"<\/a><\/p>\n

Those fake\u00a0sites are\u00a0only meant to be viewed if you are not a target of this particular malware campaign. In other words, if you load the infection chain from the malvertising call and see the site, you will not be infected. Infections happen when the fraudulent server forwards victims directly to a second gate, without showing them any of the site’s content.<\/p>\n

The same threat actor has registered many different domains all purporting to be lookalikes using a\u00a0similar naming convention. The recent creation\u00a0dates for these decoy sites is a hint that they\u00a0are not likely to be legitimate:<\/p>\n

Domain Name: CAPITALWORLDOPTION.COM<\/span>  Creation Date: 2017-04-04T09:15:14Z<\/span>  Registrar: PDR Ltd. d\/b\/a PublicDomainRegistry.com<\/span>  Registrant Email: detes55@mail.ru<\/span><\/pre>\n
\"\"<\/a><\/p>\n
Malvertising chain<\/h3>\n
The attack\u00a0starts off with an ad call from one of a few ad networks\u00a0(Popads, PlugRush were detected in our telemetry) and redirects users to the decoy website where a quick IP check is performed.<\/p>\n
\"\"<\/p>\n
Only legitimate users will be redirected to the second stage server, which also performs its own check. Once again, unwanted traffic will be dumped (and a message – perhaps from the threat actor? – “No time for rent<\/em>” passed in the URL):<\/p>\n
\"\"<\/a><\/p>\n
Otherwise, users that have made it past those two gates will be presented with the RIG exploit kit.<\/p>\n
\"\"<\/a><\/p>\n
Banking Trojan<\/h3>\n
The final payload consistently distributed via this campaign (across\u00a0different geolocations) appears to be an ISFB variant (AKA Dreambot, Gozi,\u00a0Usrnif), based off an old but resilient banking Trojan. Some of its features include web injects for\u00a0the victims’ browsers, screenshoting, video recording, transparent redirections, etc.<\/p>\n
The artifacts left on the system were\u00a0very similar to those described in a Proofpoint blog<\/a> about Dreambot and the samples we collected also download a Tor client. The registry entry for the Tor client can be seen below:<\/p>\n
\"\"<\/a><\/p>\n
Modular structure<\/strong><\/h4>\n
The sample\u00a0retrieves several modules once it sets hold onto a victim machine and below is\u00a0an overview:<\/p>\n
Original Dropper<\/span><\/strong><\/em><\/p>\n
-> loader.dll<\/em><\/strong> injected into svchost.exe<\/em><\/span><\/p>\n
-> client.dll<\/em><\/strong> and tordll.dll<\/em><\/strong>\u00a0downloaded and injected into explorer.exe<\/em> and into browsers<\/span><\/p>\n
The main executable injects a file (loader.dll<\/em>)\u00a0into svchost.exe in order to download other modules which are encrypted during transport (tor.dll<\/em> and client.dll<\/em>) both available in 32 and 64 bits:<\/p>\n
\"\"<\/a><\/p>\n
We can notice the “ISFB” signature within the malware\u00a0code:<\/p>\n
\"\"<\/a><\/p>\n
This piece of malware\u00a0has some anti-VM features, for example, it checks on the mouse cursor:<\/p>\n
\"\"<\/p>\n
Modules are injected into explorer.exe<\/em> and try to establish a connection to an .onion address. Browsers are also injected, via client.dll<\/em> as depicted below with Mozilla Firefox:<\/p>\n
\"\"<\/a><\/p>\n
There are scores of hosts that are contacted post infection, as well as the Tor connections that trigger many ET rules as ET TOR Known Tor Relay\/Router (Not Exit) Node Traffic group<\/em>.<\/p>\n
\"\"<\/p>\n
Conclusion<\/h3>\n
This particular campaign focused on a very specific malvertising chain leading to the RIG exploit kit and – as far as we could tell – dropping the same payload each time, no matter the geolocation of the victim.<\/p>\n
Banking Trojans have been a little bit forgotten about these days as they are overshadowed by ransomware. However, they still represent a significant threat and actually do operate safely in the shadows, manipulating banking portals to perform wire transfers unbeknownst to their victims or even the banks they are targeting.<\/p>\n
Malwarebytes users<\/a> are protected against this threat at various levels: domain and IP blocks, exploit mitigation for RIG EK, and detection of the malware payloads.<\/p>\n
Related material<\/h3>\n