Monday, October 11, 2010

Another look at bradesco3.exe part1

I am writing in English so it's easier to share with friends around the globe. Also, I do not expect this blog to be visited by Brazilian end users.

Introduction


In this part 1 I will analyze the same sample as in the last post from a different point of view, focusing on analyzing the malware without looking at the code, with some screenshots and some thoughts on the remote host compromise.

In the next posts, I will unpack the malware, compare VT results packed vs. unpacked, and later analyze the code, figuring out how the malware loads the target URL.

So this post may be of interest only to those who have never seen a Brazilian banker.

The sample itself

I won't run through the behavioral analysis (file system, registry access, etc.); for that you can take a look at the previous post here. Also, most Brazilian bankers (if not all) are not usually persistent or advanced, such as adding themselves to the registry, performing API hooking, process injection, etc. Most of them are simple applications developed in higher-level languages such as Delphi and Visual Basic and sometimes packed with known packers. I haven't yet seen a Brazilian banker packed by a custom packer. Please let me know if you have one of those; I would love to have a look.

The design looks good; it says "Atualização de Segurança", which means "Security update". Basically, the attacker is trying to get bank information from the victim by offering him a security update, something like "you need to provide your bank password in order to be secure". You would not do that, but someone will, for sure. In my view, there are only two mistakes by the author: the hyperlinks are not working, and "Modulo de Seguraça" should be "Módulo de Segurança", which means "Security Module". A classic typo, not a big deal; my mom would not even notice it.
Then you just need to choose your account type: "Bradesco - Pessoa Física" or "Bradesco - Prime". I don't know why, since for both you need to provide the same information. Once you choose your account type, a message is displayed saying the information exchange will only be available to you and the bank. This is default behavior for bankers: repeating a couple of times that you are secure. I have never seen that many messages from my real bank.


Once you type the agency and account, a virtual keyboard is displayed, like on the real bank website; it's pretty much the same. The application does not even let you type the password unless you do it through the virtual keyboard.

Once you click on "Enviar", which means "Send", another message is displayed saying that your new security card will be sent to your address, and then it asks whether you have already received it or not.



What the hell is a "security card"?
At this bank, the second authentication method uses a card, which the bank calls a "security card"; they do not use tokens like other banks. So basically, if you want to transfer money online, you also need to provide the number at position "x" on your security card.

Once you click "Yes" or "No", another message is displayed saying that the security card improves your online transactions and that you should "re-sign" the current one, which in theory means that you need to provide all of the security card position numbers in order to keep the current one.



Then, finally, after you type all the security card numbers and click "Enviar", an HTTP POST is sent to www.shanhaiichiba.com with your data. The author fails again by not mentioning that REF is on the front of the card. They don't even need REF in order to steal money; perhaps it's something additional to pretend to be a valid application.


The HTTP POST is the following:

T=P&DADOS=TIPO+......:+Bradesco+-+Pessoa+Física CONTA+.....:+1111-1111111-1 SENHA+4+...:+4444 :::::::+TABELA+::::::: REF+.......:+999999999999 1+..:+222 2+..:+222 3+..:+222 4+..:+222 5+..:+222 6+..:+222 7+..:+222 8+..:+222 9+..:+222 10+..:+222 11+..:+222 12+..:+222 13+..:+222 14+..:+222 15+..:+222 16+..:+222 17+..:+222 18+..:+222 19+..:+222 20+..:+222 21+..:+222 22+..:+222 23+..:+222 24+..:+222 25+..:+222 26+..:+222 27+..:+222 28+..:+222 29+..:+222 30+..:+222 31+..:+222 32+..:+222 33+..:+222 34+..:+222 35+..:+222 36+..:+222 37+..:+222 38+..:+222 39+..:+222 40+..:+222 41+..:+222 42+..:+222 43+..:+222 44+..:+222 45+..:+222 46+..:+222 47+..:+222 48+..:+222 49+..:+222 50+..:+222 51+..:+222 52+..:+222 53+..:+222 54+..:+222 55+..:+222 56+..:+222 57+..:+222 58+..:+222 59+..:+222 60+..:+222 61+..:+222 62+..:+222 63+..:+222 64+..:+222 65+..:+222 66+..:+222 67+..:+222 68+..:+222 69+..:+222 70+..:+222 &NOME=PAL
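
A content-based check for the POST format shown above, as an added example that is not part of the original post: it parses the form body and flags any request that carries account, password and a sequential run of security-card positions, whatever host it is sent to. The function names, the `min_cells` threshold and the CRLF line breaks in the constructed sample are assumptions, and the check only applies where the inspecting device can read the request body.

```python
import re
from urllib.parse import parse_qs, urlencode

LABELS = ("TIPO", "CONTA", "SENHA", "TABELA", "REF")  # labels seen in the DADOS field
CELL = re.compile(r"\b(\d{1,2})\s*\.{2,}:\s*(\d+)")   # "<position> ..: <value>"

def parse_exfil(body):
    """Decode a form-encoded POST body and pull out the DADOS structure."""
    form = parse_qs(body, keep_blank_values=True)
    dados = form.get("DADOS", [""])[0]
    # Card cells come after the TABELA marker; "SENHA 4 ...: 4444" sits before it.
    table = dados.split("TABELA", 1)[1] if "TABELA" in dados else ""
    return {
        "params": sorted(form),
        "labels": [l for l in LABELS if re.search(rf"\b{l}\b", dados)],
        "cells": {int(pos): val for pos, val in CELL.findall(table)},
    }

def looks_like_card_exfil(body, min_cells=20):
    """True when one POST carries account, password and a run of card positions.

    min_cells is a hypothetical threshold: a real transaction asks for one
    position of the card, never a long sequential run of them.
    """
    info = parse_exfil(body)
    cells = sorted(info["cells"])
    sequential = cells == list(range(1, len(cells) + 1))
    has_creds = {"CONTA", "SENHA", "TABELA"} <= set(info["labels"])
    return has_creds and sequential and len(cells) >= min_cells

def build_sample(n_cells=70):
    """Constructed sample mirroring the capture above (dummy values, CRLF assumed)."""
    lines = [
        "TIPO ......: Bradesco - Pessoa Física",
        "CONTA .....: 1111-1111111-1",
        "SENHA 4 ...: 4444",
        "::::::: TABELA :::::::",
        "REF .......: 999999999999",
    ]
    lines += [f"{i} ..: 222" for i in range(1, n_cells + 1)]
    return urlencode({"T": "P", "DADOS": "\r\n".join(lines), "NOME": "PAL"})

if __name__ == "__main__":
    sample = build_sample()
    print(parse_exfil(sample)["labels"], looks_like_card_exfil(sample))
```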

Thoughts


URLvoid results say the website is clean: http://www.urlvoid.com/scan/shanhaiichiba.com
Most likely this website does not host malware; however, at some point it was used by the attacker to upload the banner_inc.php file and grab the bank account data. The banner_inc.php file is not available at this moment.

Just out of curiosity I looked at the zone-h archive and found this website was defaced on 2010/08/26: http://www.zone-h.org/mirror/id/11315692

This does not mean the attacker who defaced the website uploaded banner_inc.php; most likely not. However, it increases the possibility that another attacker uploaded a malicious file like banner_inc.php. This is an example of a valid website being used by attackers to spread malware, in this case just being used as a bridge to gather bank account data.

Conclusion

Even though the malware has some typos, it has a good design, and I believe people may trust that it is valid software from the bank. It does not have a valid certificate, but I also believe whoever clicked on it will just click OK to open it up. Also, since it uses a non-malicious URL, a web proxy would not detect the traffic.

In the next post, I will show how to unpack the malware, and in part 3 we will analyze the code to make sure the malware does not use another URL for sending data.

Thanks for your attention.

Pedro Drimel Neto
