Financial Trojans’ Persistent Attacks on the Japanese Internet Community

In recent years, the Japanese Internet community has faced difficult times trying to combat financial Trojans such as SpyEye (Trojan.Spyeye) and Zeus (Trojan.Zbot). The number of victims affected and the amount of funds withdrawn from bank accounts due to compromises is increasing at an alarming rate. Just to give you an idea, according to the Japanese National Police Agency, the number of reported illegal Internet banking withdrawals jumped from 64 incidents in 2012 to 1,315 incidents in 2013. The loss in savings amounted to approximately 1.4 billion yen (US$ 14 million) in 2013, up from 48 million yen (US$ 480,000) in 2012.

More recently, the nation has also discovered that multiple malware families dedicated to stealing banking details from Japanese users are being developed. Recently, we have seen the development of  Infostealer.Ayufos, Infostealer.Torpplar, as well as Infostealer.Bankeiya. Today, we are going to take a closer look at Infostealer.Bankeiya.

We became interested in this Trojan when we observed a widespread attack exploiting the Internet Explorer Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2014-0322) in February, which we published a blog on. At the time, there was no patch available for the vulnerability, which left users of Internet Explorer 9 and 10 insecure. The  Infostealer.Bankeiya developer decided to take advantage of the situation and compromised various legitimate websites in order to perform drive-by-download attacks. Even after the patch was released on March 11, the aggressive attacks continued. These legitimate sites include commonly visited websites such as a Japanese tour provider, TV channel site, and a lottery site as well as a handful of small sites including online shops, community websites, and personal websites, among others.

After further investigating the malware, we noticed that this was not a new family of malware. The very first variant was actually discovered in October 2013 and a large number of variants have been observed since. The sole purpose of Infostealer.Bankeiya is to steal banking details from  compromised computers. Besides using the Internet Explorer vulnerability, we have also confirmed that the Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-2463) is also being exploited to infect systems with Infostealer.Bankeiya. Other vulnerabilities could also be exploited.

A typical Infostealer.Bankeiya attack works like this:

  1. The attacker compromises a legitimate website to host exploit code on the site in order to infect visitors’ computers.
  2. If someone with a computer vulnerable to the exploit visits the site, the system becomes infected with Infostealer.Bankeiya.
  3. The malware uploads details about the compromised computer including the IP address, Mac address, OS version, and the name of security software installed.
  4. The malware downloads encrypted configuration data which specifies the location of its updated version from either:
    1. A profile on a blog page solely created to host the encrypted data
    2. A specified URL on a compromised website
  5. If an update is found, the malware will download the new version and replace itself with it. This version may contain information about the location of a new command-and-control (C&C) server.
  6. If a victim logs onto  the targeted bank’s online site, the malware will display a fake pop-up window in order trick the victim into entering banking details.
  7. The banking details entered by the victim will be sent to the C&C server and stored for the attacker to retrieve.

Figure 1. Login page for Infostealer.Bankeiya command-and-control server

Symantec sinkholed known C&C servers to prevent the malware on the compromised computers from transmitting any further data to the attacker. We also monitored the servers by logging the accesses made by the victims’ computers in order to estimate how successful the attacks had been. We did this for a week in mid-March and the results indicate that up to 20,000 computers could have been compromised. A majority of accesses were coming from Japanese IP addresses. This is not surprising, but the sheer volume is a bit alarming. Please note that the following figure is based on the number of devices on the Internet accessing the servers and some devices were removed because they were non-infected systems.

Figure 2. Devices accessing the command-and-control servers

According to the sinkhole data, the second largest number of hits came from Hong Kong. This is also in line with the figure we provided in our previous blog about computers targeted with the CVE-2014-0322 exploit code. There is a reason for this. During our investigation we also noticed a connection with another type of attack that uses files to mine for bitcoins. One particular attack targeted users visiting a compromised forum site in Hong Kong. In this case, the CVE-2014-0322 exploit code was used to download and execute bitcoin miner software called jhProtominer on the victim’s computer in order to abuse the computer’s hardware to mine for the virtual coin. The attacker appears to be motivated enough to target different audiences across borders and is looking for any type of opportunity to make a profit.

Many malware infections occur as a result of visiting legitimate sites that have been compromised. It is vital that all software products are frequently updated so that the most recent patches are applied. In some cases, a patch will not be available, as was the case for one of the vulnerabilities used by Infostealer.Bankeiya. Security software can be used to strengthen the computer’s security status in such cases. So we urge you to install security software and keep it up-to-date. By following these recommendations, most infections can be prevented.