LATAM FINANCIAL CYBERCRIME: COMPETITORS-IN-CRIME SHARING TTPS
ESET Research white papers
Authors: Jakub Souček, Martin Jirkal
TLP: WHITE

CONTENTS
ABSTRACT 2
INTRODUCTION 2
IMPLEMENTATION 3
  Core of a typical Latin American banking trojan's implementation 3
  Implementation detail similarities 4
  String encryption and obfuscation 4
  Common enemy: Protection software 4
  Binary obfuscation 5
DISTRIBUTION 5
  Typical Latin American banking trojan distribution chains 5
  Sharing the chains 6
  The first link in the chain 6
  Script obfuscation 7
  Targeted countries 7
EXECUTION 7
  Method 1: Direct execution 8
  Method 2: Using the AutoIt interpreter 8
  Method 3: DLL side-loading 8
  Method 4: DLL side-loading combined with injector 9
  Legitimate applications being abused 9
FAKE POP-UP WINDOWS 10
MITRE ATT&CK …

ABSTRACT

[...] both powerful binary obfuscation tools.
Similarly, many of them globally switched their initial download method to using Windows Installer (MSI) over the period of just a few months. Finally, some TTPs seem to stay strongly rooted deep inside the region. These include heavily utilizing ZIP archives and using DLL side-loading as the favored execution method.

Even though sharing knowledge between cybercriminals is not unusual, seeing so many examples of it in region-specific malware families with the same focus caught our attention. Our presentation will cover all the common characteristics we have discovered and include a timeline illustrating the evolution of these banking trojans. We will draw conclusions about which families are most closely interlinked and how the modus operandi of Latin American banking trojans differs from that of banking trojans in the rest of the world.

INTRODUCTION

Dominating crimeware in the region, Latin American banking trojans share so many characteristics that they are conventionally treated as one single malware family. Our ongoing research clearly shows otherwise, identifying at least 11 distinct and concurrently active families: Amavaldo (1), Casbaneiro (2), Grandoreiro (3), Guildma (4), Mispadu (5), Mekotio (6), Zumanek (7), Krachulka, Lokorrito, Numando and Vadokrist (in prep). IoCs of all these families are on ESET's malware IoC GitHub repository (8), and detailed descriptions, including MITRE ATT&CK tables, of several are available in the blogposts referenced above.

Given that we consider these to be different malware families, it may seem surprising that they have so much in common. We believe the reason is that the authors of these banking trojans are in touch with each other, sharing TTPs. In this paper, which would not have been possible without the invaluable contributions of our colleagues in the ESET Prague team, particularly Juraj Horňák and Roman ma, we will dissect the most notable similarities that lead us to this conclusion.

IMPLEMENTATION

The first area we will focus on is the implementation details of these families. Besides the most notable one, that they are all written in Delphi, the binaries are so similar in their core functionality that it almost seems like they were built from one set of blueprints.

Core of a typical Latin American banking trojan's implementation

The typical Latin American banking trojan first collects information about the victim's machine. This usually consists of the computer name, username, some unique identifier and sometimes indicators of whether security or banking protection software is installed. The malware then sends this information to a URL distinct from the C&C server (based on debug information we were able to gather from some binaries, the authors refer to this step as "Registro", which translates to "Registration"). Once the Registration phase is complete, the banking trojan periodically checks the titles of active windows. If a title matches any of the names
hardcoded in the binary, the trojan launches its attack. The attack consists of displaying a fake pop-up window crafted specifically for that targeted institution. This window is controlled by an underlying Delphi form and typically tries to persuade the victim to divulge sensitive information. Additionally, the malware usually tries to make it as hard as possible for the potential victim to get rid of the window by:
- blocking input anywhere else
- keeping the window always on top
- disabling hotkeys
- disabling Task Manager
- blocking mouse manipulation

The whole process is illustrated by the flowchart in Figure 1.

All of the 11 distinct families we have identified follow this implementation blueprint. We have also seen all of these families being active simultaneously and, while they follow the same logic, we are certain that they are implemented independently. The implication here is obvious: the authors of these families cooperate. We believe it to be nearly impossible for 11 malware authors to have such specific common ideas without communicating between themselves. And we also don't believe there is one group of malware authors willingly maintaining 11 different pieces of malware with exactly the same logic and goal.

Figure 1 / Flowchart of the core functionality of a typical Latin American banking trojan

Implementation detail similarities

Even though following the same blueprint is the most significant similarity, it is not the only one. Besides that, Latin American banking trojans share several implementation techniques as well. For example, Amavaldo, Casbaneiro, Mekotio, Mispadu and Vadokrist all base their communication protocols on the custom, third-party remote-control component Delphi Remote Access PC (9).
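The Registration step described above (computer name, username, a unique identifier and protection-software indicators sent to a URL distinct from the C&C) leaves a recognisable trace in web proxy logs. The following Python hunt is an added example, not code from the paper or from ESET: the log format, hostnames, users and URLs are constructed, and the query parameter names are assumed, since the real ones vary by family.

```python
"""Hunt for Registration-style beacons in proxy logs (added example, not
ESET's code). The paper says the trojan's first step sends computer name,
username, a unique ID and a Trusteer/Warsaw(GBPlugin) indicator to a URL
distinct from the C&C; we flag requests carrying at least two of those
about the requesting host. Log format, names and URLs are constructed."""
from urllib.parse import urlsplit, parse_qs

# Product names taken from the paper; matched on values rather than keys
# because the parameter names differ per family and are not known here.
PROTECTION_TOKENS = ("trusteer", "warsaw", "gbplugin")

def parse_line(line):
    """Constructed proxy format: time<TAB>src_host<TAB>src_user<TAB>url."""
    ts, src_host, src_user, url = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": src_host, "user": src_user, "url": url}

def registration_score(entry):
    """Return (score, reasons): how Registration-like one request looks."""
    query = urlsplit(entry["url"]).query
    values = [v.lower() for vs in parse_qs(query).values() for v in vs]
    reasons = []
    if entry["host"].lower() in values:
        reasons.append("own computer name in query")
    if entry["user"].lower() in values:
        reasons.append("own username in query")
    if any(tok in v for v in values for tok in PROTECTION_TOKENS):
        reasons.append("protection-software indicator in query")
    return len(reasons), reasons

def hunt(lines, threshold=2):
    """Return [(entry, reasons)] for lines scoring at least `threshold`."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        score, reasons = registration_score(entry)
        if score >= threshold:
            flagged.append((entry, reasons))
    return flagged

# Constructed sample lines: an ordinary page load, a Registration-like
# beacon, and a benign search that merely contains the username.
SAMPLE_LOG = [
    "2020-05-04T09:12:01\tWS-ACCT-07\tmaria\thttp://example.test/index.html",
    "2020-05-04T09:12:05\tWS-ACCT-07\tmaria\thttp://registro.invalid/r.php"
    "?pc=WS-ACCT-07&usr=maria&id=9f3a&av=warsaw",
    "2020-05-04T09:13:40\tWS-ACCT-07\tmaria\thttp://example.test/search?q=maria",
]

if __name__ == "__main__":
    for entry, reasons in hunt(SAMPLE_LOG):
        print(entry["ts"], entry["url"], "->", "; ".join(reasons))
```

The threshold of two indicators keeps a benign request that merely echoes the username (the third sample line) out of the results while still catching the beacon that reports host, user and the Warsaw flag together.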
Casbaneiro and Vadokrist contain identical pieces of code for creating and managing a string table. The vast majority of the malware families rely on Magnification.dll when taking screenshots, a DLL implementing the Windows Magnification API that is rarely seen used in other malware. Most of the families also enable the Desktop Window Manager (10) and disable Google Chrome hardware acceleration by changing its %LOCALAPPDATA%\Google\Chrome\User Data\Local State configuration file. We strongly believe that this is an attempt to avoid graphics issues when displaying the fake pop-up windows.

String encryption and obfuscation

Most of the Latin American banking trojans use custom encryption schemes, which could suggest that the authors come up with the algorithms by themselves. However, that is not the case, as one such encryption scheme (11) is used in six distinct families (Casbaneiro, Grandoreiro,
Guildma, Numando, Mekotio and Zumanek) and, to the best of our knowledge, has not been seen used in other malware. Other encryption schemes are shared as well, although not so significantly. Besides encryption, the only two commonly seen string obfuscation techniques are using a string table or splitting the string into multiple parts and then using string concatenation to join them when needed (see Figure 2). The latter method usually protects the string decryption key.

Common enemy: Protection software

In Latin America, there are two common security products related to banking institutions. The first one is Trusteer, developed by IBM, and it provides authentication and protection against fraud. The second one is called Warsaw, or GBPlugin, and is developed by GAS Tecnologia¹. Quite a few Latin American banks (12) require the latter product to be installed on their users' devices to provide secure access to online banking services.

¹ GAS stands for Global Antifraud Solution.

Figure 2 / Methods of string manipulation used in Latin American banking trojans: string concatenation (left) and string table (right)

Naturally, Latin American banking trojans have to deal with these products in some way. Some just check whether they are installed and report that information in the Registration phase, or quit. Some try to protect themselves, mainly by hooking Windows APIs to prevent those products from being injected. The rest go
even further and try to kill those products. We have seen this done by:
- renaming file system paths
- blocking the products at the firewall level
- tampering with the files' ACLs to prevent them from running
- using a dedicated driver to remove crucial files

Binary obfuscation

Authors of these banking trojans are fond of using VMProtect, a powerful binary obfuscation tool. In 2017, many of the banking trojans we saw relied on this tool. However, its popularity started to drop in 2018 and today we rarely see it anymore, although some families still use it. Those that do not use VMProtect seem to have replaced it with one of its competitors, Themida. The popularity of this tool seems to be increasing and more families are experimenting with it.

DISTRIBUTION

Even though implementation details share quite a few similarities, it does not end there. In this section, we will focus on similarities in distribution chains.

Typical Latin American banking trojan distribution chains

The initial attack vector is typically a spammed link or attachment, or malvertising (as in the case of Mispadu, which we describe in detail in our blog post (5)). The attack starts with one malicious file that is a downloader written in
either Delphi or a scripting language, or occasionally an Office document with an embedded malicious macro. For the attack to be successful, the potential victim must download and execute the attachment or file (often inside a ZIP archive). When executed, this file can lead to subsequent stages that typically are designed only to download the next stage until the final stage is reached. Delphi downloaders typically consist of a single stage, while script downloaders tend to use multiple stages written in various scripting languages.

In the vast majority of these families, the logic in each variant's final stage is almost identical. It typically checks for a marker first. A marker is a unique object, typically a file in a specific directory or a Registry key or value, created only by that stage to see whether the malware has already compromised this machine. If not found, it continues by downloading a ZIP archive. The ZIP archive is something very typical for the distribution chains of Latin American banking trojans; we have observed only a negligible number of chains that did not utilize one. An interesting, atypical example is the Mispadu family's final stage that, even though it downloads the components independently, wraps each one in a separate ZIP archive. When the final stage downloads the archive, it follows by:
- extracting its contents
- installing the malware to the specified location
- executing it
- sometimes also setting up persistence (either by using a Run key or an LNK file)

The whole process is illustrated by the flowchart in Figure 3.

Every Latin American banking trojan's distribution chain more or less follows this logic. We have seen components of this chain and its stages implemented in Delphi, VBScript, JavaScript, PowerShell, AutoIt and batch script. Despite the number of different implementations, the logic remains the same for the majority of the families we have analyzed. It might appear that some threat actor is implementing these chains and providing distribution for the banking trojan operators. However, if that were the case, this actor would have to implement several distinct chains for each family. Similar as they might be, each family has its own set of distribution chains it tends to use. Additionally, the chain is very tightly connected to how the banking trojan is executed. We have never observed any of these chains distribute anything other than the Latin American banking trojans we have analyzed. That is why we believe the authors of the families write the chains themselves and share information with each other, similar to the way they do with implementation details.

Sharing the chains

However, there is an even more interesting hint of cooperation. Sometimes, we observe a distribution chain we know to be used by one Latin American banking trojan end up downloading a different trojan. We have encountered this too many times for it to be a coincidence. To be specific, in our telemetry data we have seen:
1. the same PowerShell script download Casbaneiro, Mekotio and Vadokrist
2. the same JavaScript code download Mekotio and Vadokrist
3. the same chain of four consecutive stages being used by Mekotio and Vadokrist
4. the same Delphi downloader downloading Mekotio and Grandoreiro
5. the same Delphi downloader downloading Mekotio and Casbaneiro
6. the same Delphi downloader downloading Grandoreiro and Vadokrist

We strongly believe that not only do these authors share knowledge, but when it comes to distribution chains, they share the downloaders as well.

The first link in the chain

When we started our research in 2017, LNK files were the favored initial malicious files. This changed during 2019 with the coming of a new preferred way: using Windows Installer (MSI) files. Almost all of the 11 families we have analyzed switched to using MSI during 2019 and it remains the most used method at the time of writing. Therefore, we believe it deserves a little deeper explanation.

Figure 3 / Flowchart of a typical distribution chain used by Latin American banking trojans

In 2000, Microsoft devised MSI to organize the installation, uninstallation and update of applications running on Microsoft Windows operating systems. The format allows for a customized execution, defined by an XML file, during compilation. Authors of the Latin American banking trojans seem to use Advanced Installer, a commercial authoring tool designed for easy creation of MSI files. There are three main ways these malware authors utilize MSI:
1. embedding a Delphi DLL that the MSI will execute
2. directly instructing the MSI to download a file from a supplied URL and execute the response
3. embedding a script (JavaScript and VBScript are the most commonly used ones) that the MSI will execute

Script obfuscation

Some authors sometimes obfuscate the scripts used as distribu
47、authoring tool designed for easy creation of MSI files There are three main ways these malware authors utilize MSI: 1. embedding a Delphi DLL that the MSI will execute 2. directly instructing the MSI to download a file from a supplied URL and execute the response 3. embedding a script (JavaScript and VBScript are the most commonly used ones) that the MSI will execute Script obfuscation Some authors sometimes obfuscate the scripts used as distribu