South Korean Financial Companies Targeted by Castov

The financial malware landscape is constantly evolving: cybercriminals are becoming more knowledgeable about the financial sector, and attacks are becoming more sophisticated. We’ve recently released a report, “The World of Financial Trojans,” describing the different features and techniques used by banking malware. The choices malware authors make among these techniques and features appear to depend on the cybercriminals’ financial resources and market knowledge.

In most cases, financial malware favors exploit kits as its infection vector. In the past few months we have been actively monitoring an exploit kit called Gongda, which mainly targets South Korea. Interestingly, we have come across a piece of malware, known as Castov, being delivered by this exploit kit that targets specific South Korean financial companies and their customers. The cybercriminals in this case have done their research on the South Korean online financial landscape.

Figure 1. Heatmap of Gongda IPS detections for May 2013 (98% of hits are in South Korea)

The initial stage of this threat is Downloader.Castov. It is compiled in Delphi and is able to stop antivirus software. Once inside a computer, it reports the infection to its command-and-control (C&C) server and downloads an encrypted file that is the second stage.

The second stage is Infostealer.Castov. The infostealer checks specific offsets in a list of clean DLLs (all related to Korean online banking and security software) for expected opcode instructions and then patches those instructions. The injected code inspects strings that appear to be passwords, account details, and transactions. Once such data is found and collected, it is sent to a remote server.


Table 1. Targeted DLLs and actions taken

Additionally, the infostealer collects the digital certificates stored in the compromised computer’s NPKI directory (%ProgramFiles%\NPKI). These digital certificates are widely used in South Korea and are issued for general financial purposes (individual or corporate) such as banking, credit cards, and insurance. They are unique to each user and are valid for one year.

The combination of screenshots, passwords, and digital certificates allows the cybercriminals to access users’ financial accounts.

Figure 2. Heatmap of Castov antivirus detection from January to May 2013

Symantec has the following protection in place for both Castov and Gongda:

Antivirus protection:

Intrusion prevention protection:

To ensure the best protection, we recommend using the latest Symantec technologies and up-to-date antivirus definitions.

Critical Ruby on Rails bug exploited in wild, hacked servers join botnet

Attackers are exploiting an extremely critical vulnerability in the Ruby on Rails framework to commandeer servers and make them part of a malicious network of hacked machines, a security researcher said.

Ars first warned of the threat in early January, shortly after Rails maintainers issued a patch for the vulnerability. Ars warned at the time that the vulnerability gave attackers the ability to remotely execute malicious code on the underlying servers. Criminals' success in exploiting the bug to make vulnerable machines join a botnet suggests that many server administrators still haven't installed the critical update, more than four months after it was issued.

Servers that have been exploited are infected with software that causes them to join an Internet Relay Chat (IRC) channel on one of at least two servers, security researcher Jeff Jarmoc said in a post published Tuesday on his personal website. From there, attackers can force the servers to download and execute malicious code and to join new IRC channels. The channels required no authentication to access, making it possible for competing attackers to infiltrate the chat room and take control of the compromised servers. IRC-based botnets hark back to the earlier days of computer crime, when they made it easy for "script kiddies," or relatively unskilled hackers, to control huge numbers of infected machines in lock step using a handful of pre-programmed commands.


Apple Releases Security Updates for Apple QuickTime 7.7.4

Original release date: May 28, 2013

Apple has released security updates for Apple QuickTime 7.7.4 for Windows 7, Vista, and XP SP2 or later to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Apple Support Article HT5770 and follow best-practice security policies to determine if their organization is affected and the appropriate response.
