
The Hesperbot Banking Trojan

by InfoSec Institute
October 18, 2013
in Malware, Malware Analysis

Overview

Last month a new and effective banking trojan was discovered targeting online banking users. The malware uses very plausible link addresses and domains that resemble those of trusted organizations to lure victims into running it. Although the trojan's functionality and goals are analogous to those of the infamous Zeus and SpyEye, its architecture and implementation place it in a new malware family. The new program is detected as Win32/Spy.Hesperbot. The offender's main aim is to obtain credentials that give access to the victim's bank account and to make the victim install a mobile component of the malware on their smartphone (Symbian, Android or BlackBerry).

Features of Hesperbot:

  • Keystroke logging
  • Video capturing and screenshot creation
  • Remote proxy establishment
  • Creation of a hidden VNC server on the infected system
  • Interception of network traffic
  • HTML code injection capabilities

The offenders registered the domain “ceskaposta.net,” which resembles the official site of the Czech postal service, “ceskaposta.cz.” Although the link address shown to the victim looks legitimate, it actually redirects to the malicious website. The filename used had a double extension, “zasilka.pdf.exe”.

Analysis

The Win32/Spy.Hesperbot banking trojan has a modular architecture. Initially, the victim downloads a zipped file and a dropper. The dropper component injects the main module, the “core”, into explorer.exe. The core then downloads the remaining modules and additional plugins to carry out the malicious tasks.

The malware components are written in C and compiled with Visual Studio 2010. The most important modules of this trojan are its dropper and core.

Dropper

The dropper can use several methods to inject its code into the address space of explorer.exe:

  • It starts a new explorer.exe process and patches the entry point, using NtGetContextThread, to point to its own code.
  • It injects itself into explorer.exe using Shell_TrayWnd/SetWindowLong/SendNotifyMessage.
  • It injects itself into explorer.exe using CreateRemoteThread.

Core

The core, which runs in the explorer.exe address space, establishes communication with the C&C server and launches additional plugins. The core module also makes itself persistent across Windows startup by writing an auto-run Registry key.

To reach the C&C server, Win32/Spy.Hesperbot.A uses either an embedded URL or, if the first server is down or inaccessible, generates new C&C URLs with a domain generation algorithm.

The following information is exported to the C&C server:

  • The botnet name, derived from the computer name.
  • Botnet names observed so far: cz-botnet, tr-botnet, pt-botnet, uk-botnet and super-botnet.
  • IP addresses of the current network adapters.
  • Names of the active smart cards.
  • Information on the installed Hesperbot plugins.

As a response, the server can send:

  • A file with configuration settings.
  • Plugin modules.
  • An arbitrary executable to run.
  • An updated version of itself.

First, the trojan can enumerate the smart cards present in the system using the SCardEstablishContext, SCardListReaders and SCardConnect API functions. Win32/Spy.Hesperbot has no ability to interact with the smart cards; it can only collect their names.

Secondly, the downloaded configuration file and plugin modules are encrypted with the Twofish cipher. The 256-bit key is a hash computed from:

  • Name of the computer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ‘InstallDate’.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ‘DigitalProductId’.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography ‘MachineGuid’.
  • The Windows version.
  • The processor architecture (x64, IA64 or x86).

The logs created by the keylogger module and the downloaded data are stored in a subdirectory under the AppData directory.

The core module can inject itself into all running processes. Furthermore, when running inside csrss.exe it uses an undocumented trick, hooking UserNotifyProcessCreate, to ensure that the trojan's code is injected into every newly created process.

Victims and targeted Banks

The configuration files used by the malware's injection and HTTP interception modules indicate which online banking websites each botnet targets.

Mobile components

Banking trojans use mobile components like ‘Zitmo’ and ‘Spitmo’ to bypass the banks' authentication based on mobile transaction authentication numbers (mTANs).

The malware injects code into the banking website that prompts the user to download and install an application on their cell phone. The victim is made to select their mobile model from a drop-down list and, after entering their phone number, receives a link for downloading the mobile component on their phone. Symbian, Android and BlackBerry are the supported mobile platforms.

  • The web-injected JavaScript handles the supported mobile platforms.
  • The functionality of the mobile trojan starts with activation.
  • The user is shown a random activation number generated by the web-injected JavaScript on the infected PC.
  • The mobile application then displays a response code computed from that activation number.
  • The user is prompted to enter the response code into the webpage on their computer for verification.
  • The injected script uses the same algorithm as the mobile component to calculate the expected response code.
  • Through this handshake the perpetrators confirm that the victim has successfully installed the mobile component and that the bot infection has been established.
  • The code then registers a service that waits for incoming messages and forwards them to the perpetrators' mobile number.
  • The attacker obtains the mobile transaction authentication number from the incoming messages, which enables them to log into the compromised bank account.
  • The service is then controlled remotely by the attacker through SMS commands.
  • The Android component is detected as Android/Spy.Hesperbot.A and the Symbian component as SymbOS9/Spy.Hesperbot.A.

Hidden VNC

  • The Hesperbot trojan creates a hidden VNC server on the infected computer, to which the perpetrators connect remotely.
  • The VNC session runs on a separate desktop, so it is invisible to the user.
  • The offender can also launch the browser installed on the host system, which gives the attacker full access to the victim's browsing data.

Keylogger

  • The keylogger module in the Hesperbot trojan intercepts keystrokes by hooking functions such as TranslateMessage and GetMessage in user32.dll.
  • The captured logs are sent to the C&C server.

Screenshots and video captures

  • The httpi module is responsible for video capture and screenshots.
  • This functionality is implemented with Avifil32.dll functions (AVIFileCreateStream, AVIFileMakeCompressedStream, AVIStreamWrite, etc.).
  • The malicious code in this module takes screenshots and records hidden video of the infected system.

Mitigation steps

  • Keep antivirus software updated. A fully updated AV program has a much greater chance of detecting keylogging attempts.
  • A good firewall that monitors and blocks outgoing traffic can also detect and block keystroke logs being forwarded out of the network.
  • Raise awareness among all users so that they do not open emails from untrusted sources.
  • Instruct users not to share credentials without proper confirmation, and to avoid interacting with suspicious links in emails from unknown sources.
  • The hidden VNC server established by this banking trojan can control the infected system without the victim's knowledge. VNC uses a fixed port range starting at 5900; blocking traffic to these ports prevents incoming VNC client connections.
  • A few online banking sites are targeted by this trojan. Monitoring these domains can prevent trojan infections in the future.
  • Enable security policies that deny administrative privileges to end users, which prevents the automatic download and installation of malicious software.
  • Use AV solutions on smartphones that block suspicious URLs and scan for virus footprints.
  • Use a SIEM solution to monitor and analyze all enterprise events in your organization.
  • If any suspicious activity is noticed on a smartphone, or if the AV software raises a red alert, immediately turn on airplane mode, wipe all data and reset the smartphone to factory defaults.
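As an added example (not code from the original article or from the ESET analysis it summarises), the following Python script checks constructed proxy and firewall log lines for three of the indicators described above: the lookalike lure domain, the double-extension dropper filename, and inbound connections to the port range the hidden VNC server listens on. The key=value log format, the trusted-domain list and the ten-port VNC window are assumptions made for the example.

```python
import re
from urllib.parse import urlparse
# Indicators from the analysis above: the lookalike lure domain, the
# double-extension dropper filename, and the hidden VNC server's port range.
LEGITIMATE_DOMAINS = {"ceskaposta.cz"}
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|jpg|txt)\.(exe|scr|com|bat)$", re.I)
VNC_PORTS = range(5900, 5910)  # VNC listens from 5900 upward; ten displays assumed
FIELD = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format (constructed)

def is_lookalike(host):
    """True when the second-level label matches a trusted domain but the TLD differs."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    name, tld = labels[-2], labels[-1]
    return any(name == legit.split(".")[0] and tld != legit.split(".")[1]
               for legit in LEGITIMATE_DOMAINS)

def check_url(url):
    """Flag a lookalike host and/or a double-extension download in one URL."""
    findings, parsed = [], urlparse(url)
    if parsed.hostname and is_lookalike(parsed.hostname):
        findings.append(f"lookalike domain {parsed.hostname}")
    if DOUBLE_EXT.search(parsed.path):
        findings.append(f"double-extension download {parsed.path.rsplit('/', 1)[-1]}")
    return findings

def check_connection(dport):
    # An inbound connection to a VNC display port on a workstation is the signal.
    return [f"inbound connection to VNC port {dport}"] if dport in VNC_PORTS else []

def scan(lines):
    """Return (host, finding) pairs for suspicious events in key=value log lines."""
    results = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        if "url" in fields:            # proxy record: the requesting client is the host
            host, hits = fields.get("src", "?"), check_url(fields["url"])
        elif "dport" in fields:        # firewall record: the destination is the host
            host, hits = fields.get("dst", "?"), check_connection(int(fields["dport"]))
        else:
            continue
        results.extend((host, hit) for hit in hits)
    return results
# Constructed sample log lines, not real Hesperbot traffic.
SAMPLE_LOG = [
    "2013-08-12T10:02:11 PROXY src=10.0.0.5 url=http://ceskaposta.net/zasilka.pdf.exe",
    "2013-08-12T10:02:30 PROXY src=10.0.0.5 url=https://www.ceskaposta.cz/sledovani",
    "2013-08-12T10:15:02 FW src=203.0.113.7 dst=10.0.0.5 dport=5900 action=allow",
    "2013-08-12T10:16:00 FW src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow",
]
```

Running `scan(SAMPLE_LOG)` reports the lure download, the double-extension filename and the VNC connection for host 10.0.0.5 while the genuine ceskaposta.cz request and the HTTPS connection pass clean.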
