Auction giant eBay requests 128 million users to change their passwords after hack. In a blog post from the company, eBay Inc. said a cyberattack “compromised a database containing encrypted passwords and other non-financial data.” There is no evidence that the compromise resulted in users’ financial or credit card information being stolen, but the company is […]
Have you heard about Heartbleed? Yes? Then you belong to a minority. Following the Heartbleed threat, the bug that took advantage of a vulnerability in OpenSSL, AVAST conducted an online survey with 268,000 respondents worldwide and found that three out of four people were not aware of the the Heartbleed threat, which affected millions of […]
Revision Note: V1.3 (May 21, 2014): Revised advisory to reflect new August 12, 2014 cut-off date for when non-compliant binaries will no longer be recognized as signed. Now, instead of a June 10, 2014 cut-off date, the dormant changes implemented with …
Revision Note: V1.3 (May 21, 2014): Revised advisory to reflect new August 12, 2014 cut-off date for when non-compliant binaries will no longer be recognized as signed. Now, instead of a June 10, 2014 cut-off date, the dormant changes implemented with …
For the last few years, I have used an app on my Android smartphone to log my training runs. It tracks the distance I ran, the route I took, my running pace, and calories burned. If I want to, I can link it with Facebook or other social networks and share my workouts, or I […]
Social media giant integrates threat defense technology to combat malicious activities while maintaining user privacy
Powerful Russian cybercrime gangs have begun to use premium Android malware to broaden their attacks on financial institutions. The tool, known as iBanking, is one of the most expensive pieces of malware Symantec has seen on the underground market and its creator has a polished, Software-as-a-Service business model.
Operating under the handle GFF, its owner sells subscriptions to the software, complete with updates and technical support for up to US$5,000. For attackers unable to raise the subscription fee, GFF is also prepared to strike a deal, offering leases in exchange for a share of the profits.
iBanking often masquerades as legitimate social networking, banking or security applications and is mainly being used to defeat out-of-band security measures employed by banks, intercepting one-time passwords sent through SMS. It can also be used to construct mobile botnets and conduct covert surveillance on victims. iBanking has a number of advanced features, such as allowing attackers to toggle between HTTP and SMS control, depending on the availability of an Internet connection.
Its high price tag meant that use was initially confined mainly to well-resourced cybercrime gangs but, with the recent leak of its source code, Symantec has seen a significant increase in activity around iBanking and attacks are likely to grow further in the near future.
How it works
Attackers use social engineering tactics to lure their victims into downloading and installing iBanking on their Android devices. The victim is usually already infected with a financial Trojan on their PC, which will generate a pop up message when they visit a banking or social networking website, asking them to install a mobile app as an additional security measure.
Figure 1. How an iBanking victim is infected
The user is prompted for their phone number and the device operating system and will then be sent a download link for the fake software by SMS. If the user fails to receive the message for any reason, the attackers also provide a direct link and QR code as alternatives for installing the software. In some cases, the malware is hosted on the attackers’ servers. In other cases, it is hosted on reputable third-party marketplaces.
iBanking can be configured to look like official software from a range of different banks and social networks. Once it is installed on the phone, the attacker has almost complete access to the handset and can intercept voice and SMS communications.
History
iBanking has evolved from a simple SMS stealer into a powerful Android Trojan, capable of stealing a wide range of information from an infected handset, intercepting voice and text communications, and even recording audio through the phone’s microphone.
Early, pre-sale versions were seen in August 2013. They had limited functionality and could simply redirect calls and steal SMS messages. iBanking’s owner, who operates under the handle GFF, has continually refined the malware. By September 2013, it had gone on sale on a major Eastern European underground forum and was already replete with a broad range of functionality.
iBanking can be controlled through both SMS and HTTP. This effectively provides online and offline options for command and control. By default, the malware checks for a valid Internet connection. If one is found, it can be controlled over the Web through HTTP. If no Internet connection is present, it switches to SMS.
iBanking’s main features now include:
While iBanking was initially only available from GFF at a premium price of US$5,000, the source code for the malware was leaked in February. Not surprisingly, this resulted in an immediate increase in bot activity relating to iBanking. Symantec predicts that this upsurge in activity will continue as news of the leaked source code spreads through the underground.
However, we believe that the more professional cybercrime groups will continue to pay for the product, allowing them to avail of updates, technical support and new features. The leaked version of iBanking is unsupported and contains an unpatched vulnerability.
GFF continues to develop iBanking and add new features. They have also claimed that they are developing a version for BlackBerry, although this has yet to go on sale.
How one hacker’s search for stolen Bitcoins led to an attack on the BBC and the leak of iBanking’s source code
The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins.
Figure 2. ReVOLVeR uses Twitter to brag about attacking the BBC
It began in December 2013 when hacker ReVOLVeR began investigating the theft of 65,000 Bitcoins from a friend. ReVOLVeR traced the theft to the friend’s mobile phone and found an iBanking infection which they believed had leaked the username and password for their Bitcoin wallet. At the time, one Bitcoin was worth approximately US$1,000, which means that ReVOLVeR’s friend had lost over US$70 million.
ReVOLVeR discovered that the infected phone was communicating with a C&C server, myredskins.net, which they went on to compromise. On this server, they discovered leaked FTP credentials for the BBC’s website. The credentials may have been stolen from an SMS sent to a mobile phone owned by a BBC staff member infected with iBanking. Alternatively, they may have been taken from a third party who had been given access to the server.
ReVOLVeR then used these credentials to log into the BBC server, root the account and begin cracking additional credentials. He posted about his progress on Twitter, updating his followers with screenshots and dumps on SendSpace.
Once finished with the BBC, ReVOLVeR then turned his attention to iBanking and attempted to sell the malware as his own on an underground forum. He did little to cover up the origin of the malware, simply reusing the post GFF had originally used to advertise iBanking on a different forum. Not surprisingly, ReVOLVeR was promptly banned from the forum.
Not long after this, in February, another hacker who uses the handle Rome0 posted the source code to iBanking on a carding forum along with a simple script which could re-configure the iBanking application. Instead of charging for the malware, this version was made available for free. It is unclear whether Rome0 acquired the source code from ReVOLVeR or simply read about his attack on the C&C server and imitated it, but the two incidents appear to be linked.
The release of the source code coincided with a significant uptick in iBanking activity. Despite the availability of a free version, our research suggests that most of the large cybercrime actors are continuing to opt for the paid-for version. They appear to be willing to pay a premium for the updates and support provided by GFF.
The gangs using iBanking
One of the most active iBanking users is the Neverquest crew, a prolific cybercrime group that has infected thousands of victims with a customized version of Trojan.Snifula. This financial Trojan can perform Man-in-the-Middle (MITM) attacks against a range of international banks. The Neverquest crew utilizes iBanking to augment its Snifula attacks, capturing one-time passwords sent to mobile devices for out-of-band authentication and transaction verification. Control numbers (the mobile numbers that the bots can receive instructions from) indicate that the Neverquest crew is likely operating out of Eastern Europe.
Another threat actor utilizing iBanking is Zerafik, who also appears to operate from Eastern Europe. Zerafik operated a command-and-control (C&C) server located in the Netherlands which was subsequently hacked, with details posted publicly on ProtectYourNet. The leak revealed that iBanking installations controlled by this C&C server were configured to target customers of Dutch bank ING, with the app disguised to look like an official app from the company. The iBanking campaigns uncovered by this breach involved multiple segregated botnets that could be controlled through a single panel, allowing for the attacker to control multiple campaigns from a single user interface.
One of the first users of iBanking was an actor known as Ctouma, who has a history of involvement with scam websites and trading in stolen credit card data. Their email address (Ctouma2@googlemail.com) had been used to set up a service which sells stolen credit card information.
Ctouma employed one of the earliest versions of the malware, which wasn’t even for sale at the time. It was disguised as a mobile application for a Thai bank. While Thailand itself is not typically associated with financial fraud attacks, it is possible that these attacks may have served as a test bed for early versions of the malware, in order to test its effectiveness.
Protection
Symantec detects this threat as Android.iBanking.
Since iBanking victims are usually tricked into installing the app by a desktop financial Trojan, keeping your desktop antivirus software up to date will help avoid infection.
You should be wary of any SMS messages which contain links to download APKs (Android application package files), especially from non-reputable sources. IT administrators should consider blocking all messages which contain a link to install an APK.
Some iBanking APKs have been seeded onto trusted marketplaces and users should be aware of this as a potential avenue of infection
Users should be aware of sharing sensitive data through SMS, or at least be aware that malicious programs are sniffing this data.
Question of the week: I just installed avast! Anti-Theft on my new Samsung Galaxy S5. If it gets lost or stolen, I know I can use remote control somehow. What do I do to set that up? Congratulations on your cool new phone! It would be awful to lose that! Now that you have the […]
FBI, 유러폴(Europol)을 포함한 여러 치안 당국이 Blackshades(일명 W32.Shadesrat)라는 크리프웨어(Creepware)를 이용하여 사이버 범죄를 저지른 혐의로 수십 명을 체포했습니다. 시만텍은 이번 공동 작전에서 FBI와 긴밀하게 협조하며 정보를 공유함으로써 FBI가 혐의자를 추적하는 데 기여했습니다. 이번 작전의 성과로 Blackshades를 판매하던 웹 사이트가 폐쇄되었으며 이 악성 코드와 관련된 범죄 활동이 크게 줄어들 것으로 기대됩니다.
Blackshades는 매우 효과적인 원격 액세스 트로이 목마(remote access Trojan, RAT)로, 초보 해커부터 전문적인 사이버 범죄 조직까지 광범위한 계층에서 애용되어 왔습니다. Blackshades는 bshades.eu라는 전문 웹 사이트에서 40 ~ 50달러의 부담 없는 가격에 판매되었습니다. 공격자는 Blackshades의 다양한 기능을 활용하여 감염된 시스템을 완전히 제어할 수 있습니다. 간단한 포인트 앤 클릭 방식의 인터페이스를 통해 데이터 유출, 파일 시스템 탐색, 스크린샷 생성, 동영상 녹화뿐 아니라 인스턴트 메시징 애플리케이션 및 소셜 네트워크와의 상호 작용도 가능합니다.
그림 1. Blackshades의 명령 및 제어 패널
이번 검거는 FBI가 미국 시민을 노리는 사이버 범죄자에 대해 더 강경하게 대처할 것임을 밝히면서 수색, 체포, 기소가 임박했음을 예고한지 며칠 만에 이루어졌습니다.
그림 2. Blackshades에 감염된 시스템(2013 – 2014)
그림 3. Blackshades 공격 최다 발생 상위 10개국(2013 – 2014)
이번 작전으로 이 RAT의 본거지였던 bshades.eu는 폐쇄되었습니다. 이는 Blackshades의 판매와 보급에 큰 타격을 줄 것입니다. 시만텍은 2014년에 Blackshades 활동이 크게 감소할 것으로 예상합니다. Blackshades의 크랙 빌더와 소스 코드가 아직 여러 온라인 포럼에서 배포되고 있으나 사이버 범죄자들은 이제 다른 트로이 목마를 선택할 것으로 보입니다.
Blackshades의 단속에 나선 것은 이번이 처음은 아닙니다. 2012년에 FBI는 Blackshades 프로젝트에 연루된 혐의로 Michael Hogue(일명 xVisceral)를 포함하여 20여 명을 체포한 바 있습니다. 그럼에도 이 악성 코드의 판매는 계속되었고 Blackshades 활동은 2013년에 더욱 기승을 부렸습니다.
조직화된 사이버 범죄 집단들이 체계적인 공격을 통해 Blackshades에 감염된 시스템을 통해 막대한 자금을 이체하는 방법으로 수백만 유로의 순수입을 거두었습니다. Francophone이라는 별칭으로 알려진 최근 공격에서는 금전적인 동기로 프랑스 기업들을 표적으로 삼은 고도의 지능적인 사회 공학적 수법에 Blackshades가 사용되었습니다. Blackshades 공격으로 인한 경제적 손실의 총 규모를 정확하게 파악하기는 어렵지만, 개별 사례로 미루어볼 때 그 피해가 막대함을 알 수 있습니다. Blackshades는 아랍의 봄에서 정치적 동기를 지닌 공격에서도 이용된 바 있습니다. 리비아와 시리아에 봉기가 일어났던 시기에 정치 운동가들이 Blackshades 변종(W32.Shadesrat.C)의 공격을 받았습니다.
시만텍은 FBI의 이번 조치를 환영하며 앞으로도 더욱 지능화되는 사이버 범죄 활동의 퇴치를 위해 치안 기관 및 민간 업체 파트너와 협력하여 최선을 다할 것입니다.
보호
시만텍은 아래와 같이 Blackshades로부터 사용자를 보호합니다.
안티바이러스 탐지
침입 차단 시그니처
시만텍 고객이 아니더라도 Blackshades라는 크리프웨어에 감염된 것으로 의심될 경우 무료 툴인 Norton Power Eraser를 사용하여 시스템에서 이 크리프웨어를 제거할 수 있습니다.
The FBI, Europol and several other law enforcement agencies have arrested dozens of individuals suspected of cybercriminal activity centered around the malware known as Blackshades (a.k.a. W32.Shadesrat). Symantec worked closely with the FBI in this coordinated takedown effort, sharing information that allowed the agency to track down those suspected of involvement. As a result of this operation, the website selling Blackshades has been taken down and we expect a significant reduction in activity involving this malware.
Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website, bshades.eu for US$40-$50. Competitively priced, with a rich feature list, Blackshades provides the attacker with complete control over an infected machine. A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.
Figure 1. The Blackshades command-and-control panel
The arrests come just days after the FBI announced that it would take a more aggressive stance against cybercriminals who target American citizens, promising imminent searches, arrests and indictments.
Figure 2. Computers infected with Blackshades (2013 – 2014)
Figure 3. Top 10 countries affected by Blackshades activity (2013 – 2014)
As part of the sting operation, the source of this RAT – bshades.eu – has been taken offline. This will seriously affect the sale and distribution of Blackshades. Symantec expects there to be a significant decrease in activity for Blackshades in 2014. Although cracked builders and the source code for Blackshades remains online on various forums, we expect cybercriminals will begin to adopt other Trojans.
This was not the first law enforcement action taken against Blackshades. In 2012, the FBI arrested Michael Hogue (a.k.a. xVisceral) on suspicion of involvement in the Blackshades project along with over 20 other individuals. However, the malware remained on sale and Blackshades continued to see increased activity in 2013.
Organized cybercriminal groups have netted millions of euro in well-organized attacks, transferring large sums of money using Blackshades infected computers. In a recent operation dubbed Francophone, Blackshades was used as part of a sophisticated social engineering scheme to target French companies in financially motivated attacks. Total financial losses involving Blackshades activity would be hard to accurately gauge, however individual cases indicate they are significant. Blackshades was also observed in politically motivated attacks during The Arab Spring. Political activists were targeted in Libya and Syria during the uprisings with one variant Blackshades (W32.Shadesrat.C).
Symantec welcomes the action taken by the FBI and remains committed to working with law enforcement and private industry partners in the effort to tackle these increasingly sophisticated cybercriminal operations.
Protection
Symantec protects users against Blackshades under the following detection names.
Antivirus detections
Intrusion Prevention Signatures
If you believe you may be infected with Blackshades and are not a Symantec customer, you can use our free tool Norton Power Eraser to remove it from your system.