It has been three years since we published Lock, stock and two smoking Trojans in our blog. The article describes the first piece of malware designed to attack users of online banking software developed by a company called BIFIT. There are now several malicious programs with similar functionality, including:
In spite of its functionality no longer being unique, the last program on the list caught our attention.
Words and strings used by Trojan-Banker.Win32.BifitAgent
This particular piece of malware has a number of features that set it apart from other similar programs.
The malware runs two main modules on the victim’s computer: an executable file and a JAVA archive. During installation, it creates the folder C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\BIFIT_A, to which the following files are copied:
- AGENT.EXE – the main executable module responsible for communicating with the command server. The module is capable of updating itself, managing processes, executing commands using CMD.exe, and downloading and executing any files, all following commands from the command server.
- ALL.POLICY – a JAVA configuration file, which removes any JAVA security-related restrictions.
- BIFIT_A.CFG – the malicious program’s configuration file, which includes the infected system’s identification number and the command server’s address.
- BIFIT_AGENT.JAR – a JAVA archive containing code for interacting with BIFIT systems.
- JAVASSIST.JAR – a JAVA archive which includes additional functions required by BIFIT_AGENT.JAR.
In the course of its operation, the malware also creates several named pipes.
- \\\\.\\pipe\\10c86ecd42 – used for identification.
- \\\\.\\pipe\\10c86ecd51 – used to log its own activity.
- \\\\.\\pipe\\10c86ecd52 – used to communicate with BIFIT_AGENT.JAR.
As a result, during the operation of the malicious program the main executable module, which is responsible for communicating with the command server, functions simultaneously with the malicious JAR files, enabling the attackers to instantly modify any code running under JAVA while banking transactions are being carried out.
By default, BIFIT_AGENT.JAR, which contains code providing interaction with BIFIT systems, is heavily obfuscated and all the classes in it are broken up into 156 files randomly divided into subfolders.
Obfuscation makes analyzing the file’s interaction with BIFIT systems much more difficult, but it is nevertheless possible to reconstruct the malicious program’s actions because the file has extensive capabilities related to logging its own activity.
Analysis of the functionality included in BIFIT_AGENT.JAR demonstrates that the JAR file’s main function is to spoof the data used in banking transactions carried out from infected computers. This is completely transparent to the user, since it is the data sent to the bank, rather than the data shown to the user, that is spoofed. The use of a USB token in the transaction in no way hinders the attackers, since the token signs a transaction only after the data has been spoofed.
Unfortunately, the command servers that return the account numbers to which the stolen funds should be transferred were no longer available by the time of writing.
The distinguishing features of Trojan-Banker.Win32.BifitAgent include a digital signature. At the time or writing (April 16, 2013), Kaspersky Lab’s malware collection included about ten variants of the malware, all of which have a valid signature issued to “Accurate CNC”.
Accurate CNC is a company which really exists. It has a website (http://www.accuratecnc.com/) and offers equipment and software for designing electronics. It is worth noting that the publicly available demo version of their program, PhCNC Demo v3.26.4, is signed with the same certificate as the malicious program.
In other words, we are dealing with a stolen digital signature, which is used by cybercriminals to sign malware.
We got in touch with representatives of GlobalSign and the certificate was revoked.
We have been detecting installations of Trojan-Banker.Win32.BifitAgent on machines that are part of botnets created using such malware as Trojan.Win32.DNSChanger, Backdoor.Win32.Shiz, Virus.Win32.Sality etc. No distribution via exploits has been detected.
It can be surmised from the selectiveness of infections that cybercriminals ‘sell’ infected computers on which the use of BIFIT banking systems have been detected to other cybercriminals who install Trojan-Banker.Win32.BifitAgent on such machines.
According to KSN data, about 100 Kaspersky Lab users have been attacked by the malware since the beginning of April. It should be noted that the number of attacks per user is growing daily.
To summarize, the cybercriminals take advantage of the malicious program’s architecture, the stolen certificate and the targeted nature of the attacks to gradually increase the number of infected users. This translates to growing amounts in the cybercriminals’ bank accounts.
Leave a reply