The Hesperbot Banking Trojan

Overview

Last month, a newly effective banking trojan has been discovered, targeting online banking users. This malware uses very reliable looking link addresses or domains which are related to trusted organizations to attract victims into running them. Even though this trojan has analogous functionality and goals like that of the ignominious Zeus and SpyEye, its architecture and way of implementation makes it fall in a new malware family. This banking trojan, regardless of being a new malware program, emerged as Win32/Spy.Hesperbot. The main aim of the offender is to obtain credentials giving access to the victim’s bank account and making them install a mobile component of the malware on smartphone platforms (Symbian, Android, and Blackberry).

Features of Hesperbot:

Keystroke logging
Video capturing and screenshot creation
Remote proxy establishment
Creation of hidden VNC server in the infected system
Interception of network traffics
HTML code injection capabilities

The offenders registered the domain “ceskaposta.net,” which is similar to the official site of the Czech postal service “ceskaposta.cz.” Even though the link address he victim has shows legitimately, it actually redirectes to the malicious website. The filename used was comprised of a double extension, “zasilka.pdf.exe”.

Analysis

The Win32/Spy.Hesperbot banking trojan comprises of a modular architecture. Initially, the victim downloads a zipped file and a dropper. The dropper component injects the main module “core” to explorer.exe. The core then downloads remaining modules and additional plugins to fulfil malicious tasks.

The malware components are compiled in Visual Studio 2010, and written in C. The most important modules used by this trojan are its dropper and core.

Dropper

The dropper can use different methods to inject the code into the address space of explorer.exe. Some key points of the dropper are:

Starts a new explorer.exe process and patches the entry-point using NtGetContextThread to point to its own code.
Injects itself into explorer.exe using Shell_TrayWnd/SetWindowLong/SendNotifyMessage
Injects itself into explorer.exe using CreateRemoteThread

Core

The core which runs in the explorer.exe address space establishes and communicates with the C&C server and launches additional plugins. The core module also establishes the autorun feature on the start up of Windows by writing an auto-run windows Registry Key.

For accessing the C&C server, Win32/Spy.Hesperbot.A uses either an embedded URL or generates new C&C URLs by an algorithm (domain generation) if the first server is down or inaccessible.

The following information is exported to the C&C server:

Botnet name on the basis of the computer name.
Botnet names so far inferred (cz-botnet, tr-botnet, pt-botnet, uk-botnet and super-botnet)
Ip addresses of the current network adaptors.
Active smart-cards names.
Information on Hesperbot plugins which are installed

As a response, the server can send:

A file with configuration settings.
Module plugins.
A random executable to run.
An updated version of itself.

First, the trojan is able to itemize smart cards present in the system using different (SCardEstablishContext, SCardListReaders and SCardConnect) API functions. Win32/Spy.Hesperbot doesn’t have any ability to interact with smart cards, but can only can collect smart card names.

Secondly, the configuration file and the plugin modules which are downloaded are encrypted (Twofish cipher). The hash value (256-bit key) is based on:

Name of the computer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ‘InstallDate’.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ‘DigitalProductId’.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography ‘MachineGuid’.
The version of the windows.
Architecture of the processor (x64, IA64 or x86).

The logs created by the keylogger module and downloaded data are stored in a subdirectory under the Appdata directory.

The core module can inject itself into all running processes. Furthermore, an undocumented trick of hooking UserNotifyProcessCreate is used when running inside csrss.exe, to ensure that the trojan’s code will be injected into every new process.

Victims and targeted Banks

The configuration files used by the malware’s injection modules and http interception implies which online banking web sites are to be targeted by each botnet.

Mobile components

Banking trojans use mobile components like ‘Zitmo’ and ‘Spitmo’ to bypass authentication of banks through a mobile transaction authentication number (mTANs).

The malware injects code into the website, which prompts the user to download and install an application on their cell phone. The victim is made to select their mobile model from the dropdown list and after entering their phone number, a link for downloading the mobile component is sent to their phone. Symbian , Android and Blackberry are the supported mobile platforms.

Supported mobile platforms are injected with JavaScript
The functionality of the mobile trojan starts with the activation
The user is displayed by a random activation number which is generated by the web-injected JavaScript on the infected PC
A response code is then displayed by the mobile application which is based on the generated activation number
The user is then prompted to enter the response code into the webpage on their computer for verification
The same algorithm in the injected script is used for calculating the response code as in the mobile component.
By this trojan functionality, the perpetrators are able to confirm that the victim has successfully installed the mobile component, and the bot infection has been established
A service is then registered by the code that waits for incoming messages and is forwarded to the perpetrators’ mobile number
The attacker gets the mobile transaction authentication number from the incoming messages which enable them to log into the hacked bank account
The service is then controlled remotely by the attacker through SMS commands
Android mobile content is detected as Android/Spy.Hesperbot.A and Symbian as SymbOS9/Spy.Hesperbot.A.

Hidden VNC

The Hesperbot trojan creates a hidden VNC server on the infected computer to which the perpetrators connects remotely
The VNC viewer runs in a separate desktop, hence it’s invisible to the user
The offender is also capable of launching the installed browser on the host system. As a result the attacker gets full access to browsing data

Keylogger

The keylogger module in the Hesperbot trojan obstructs keystrokes and hooks by calling functions such as ‘translatemessage’ and ‘getmessage’ in user32.dll
The logs are captured and sent to the C&C server

Screenshots and video captures

Httpi module is responsible for the video capture and screenshots
The functionality is established by using Avifil32.dll functions (AVIFileCreateStream, AVIFileMakeCompressedStream, AVIStreamWrite, etc.)
The malicious code in the module of the Trojan initiates screenshot capabilities and hidden video capturing of the infected system

Mitigation steps

Keep antivirus software updated. A fully updated AV program has a much greater chance of detecting keylogging attempts.
The use of a good firewall, to monitor and block outgoing traffic, is also a possible solution which can detect and block keystrokes being forwarded out of the network. For a deeper look into network security, check out the CCNA boot camp offered by Intense School.
Give social awareness to all users to not open emails coming from untrusted sources.
Instruct users to not share credentials without any proper confirmation, and to avoid interacting with suspicious links in emails from unknown sources.
The hidden VNC server which is established by this banking trojan has the ability to control the infected system without the knowledge of the victim. The VNC protocol uses a fixed range of ports ranging from 5900, and by blocking the traffic to these ports the user can prevent incoming VNC client connections.
A few online banking sites are targeted by this trojan. Monitoring these domains can prevent trojan infections in the future.
Enable security policies which deny administrative privileges for the end users which prevent automatic downloads and installation of malicious software.
Use AV solutions in smartphones which block suspicious URLs and scan for any virus footprints.
Use an SIEM solution to monitor and analyze all enterprise events of your organization.
If any suspicious activity is noticed by smartphones or if AV software pops a red alert, immediately turn on airplane mode, wipe all data and reset the smartphone to factory defaults.