Jump to content
Nytro

“Bank of America” Malware: An In-Depth Analysis

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

“Bank of America” Malware: An In-Depth Analysis

Posted by ThreatTrack Security Labs

On August 20, 2013

Editor’s Note: Reginald Wong is a Heuristic Detection Supervisor in one of ThreatTrack Security’s research labs. He has been in the security industry for more than a decade.

Bank of America remains one of the largest and most well-known name in banking in the Americas. It has also remained one of the brands most used by spammers and phishers, along with Wells Fargo, JP Morgan Chase and Citi Bank.

Year after year, spammers and phishers have been practicing the same method of luring unknowing recipients into opening their malicious attachments—therefore, successfully infecting their computers if their devices were not properly secured—or giving out essential information about themselves like user names and passwords.

We see BoA spam in our Inbox or Spam mail folders every once in a while, whether we’re actual clients of the said bank or not. But have you ever been curious as to what a BoA malware looks like on the inside? Or what this malware would actually do on your system if you have fallen for the spam’s claims and opened the file? To answer these questions, and perhaps more, we fished out one of the latest spam samples we have in our honeypots to dissect its malicious attachment.

Overview: Spam and Attachment

This particular fake BoA mail that is spammed in the wild pretends to notify recipients that the sender has sent them instructions on how to create a password to open the bank’s supposed “secure e-mail”.

01-sample-BoA-spam-wm-300x254.jpg

From: Marion.Palmer
To: {random}
Subject: Instructions Secured E-mail.pdf
Message body:
I will forward the application through a secure e-mail. Attached are instructions for you to create a password to open the secure e-mail from us. Just a bit of security for when we transmit confidential information.

Thanks,

Marion.Palmer
Bank of America
Principal Business Relationship Manager
Direct – 915-163-8526 office
Cell – 915-092-0252 cell
Marrion(dot)Palmer@bankofamerica(dot)com

{disclaimer}

The attachment is a ZIP-compressed file with the name Secured E-mail.zip, which actually contains the executable (.EXE) file, Instructions Secured E-mail.exe, which has the icon of a legitimate Adobe PDF file.

02-icon.png

Notable details about this file show no program name nor company name. Legitimate files usually have these basic information.

03-file-details.png

Now Comes the Technical Part

Once users open the fake PDF file, naturally executing the malware, it begins to decrypt a couple of data into newly allocated memory spaces that contain codes that dynamically imports API for use in its later process. This initially results to these APIs:

04.jpg

Let me just mention that notable bugs can be seen when attempting to import more APIs. Simple string decryption is also incomplete.

05-assembly-code.jpg

Anyway, embedded into the file is an encrypted PE file (93,696 Bytes). It allocates memory space for this file and decrypts it there.

06-assembly-code.jpg

It then replaces the entire running malware with this new PE file by copying data (such as the below list) from it section by section:

  1. Use VirtualProtect API to replace memory protection with WRITE access.
  2. Copy binary codes and data of the section based on the virtual size indicated in the PE section headers.
  3. Restore the memory protection.

07-assembly-code.jpg

It then dynamically imports the APIs indicated in the new PE’s import section table, which results to the following APIs:

08-cpu-dump-2.jpg

Since the running process has been replaced by a new PE files, some information in its Process Environment Block, such as the entry point and the image base, are changed.

09-assembly-code.jpg

Finally, it returns back to the modified process, starting at the entry point.

10-assembly-code.jpg

Still Fareit

We did a simple binary comparison and have determined that this malicious attachment is a variant of the Fareit malware, a family of Trojan information stealers. After further digging, we have unearthed other facts about this variant:

  • Copies and possible updates of itself can be downloaded from the following URLs:11-malware-dl-site.jpg
  • Stolen information are sent to / Updates are received from the following server sites:
    12-servers-where-stolen-info-go-edited.jpg
  • It uses the following list of passwords to force itself into accounts:
    13-password-edited.jpg
  • It steals stored credentials from different applications, mostly from FTP clients. Below are its list of targets:
    • Common System Information
    • FAR/FAR2/FAR3 built-in ftp client
    • Windows/Total Commander built-in ftp client
    • Ipswitch WS_FTP client
    • CuteFTP
    • FlashFXP
    • FileZilla
    • FTP Commander
    • BulletProof FTP
    • SmartFTP 2.x-4.x
    • TurboFTP
    • FFFTP
    • CoffeeCupFTP
    • CoreFTP
    • FTP Explorer
    • Frigate3 FTP
    • SecureFX 6.6
    • UltraFXP 1.7
    • FTPRush 2.1.4, 2.1.5
    • WebSitePublisher 2.1.5
    • BitKinex 3.2.3
    • ExpanDrive 1.8.4
    • ClassicFTP 2.14
    • Fling 2.23
    • SoftX 3.3
    • Directory Opus 9.5.6.0.3937 (64-bit)
    • CoffeeCup FreeFTP 4.3 / DirectFTP
    • LeapFTP 2.6.2.470, 3.1.0.50
    • WinSCP 4.3.2 (Build 1201)
    • 32bit FTP 11.07.01
    • NetDrive 1.2.0.4
    • WebDrive 9.16 (build 2385) 64-bit
    • FTP Control 4.5.0.0
    • Opera 6.x – 11.x
    • WiseFTP 1.x – 7.x
    • FTP Voyager 11.x-15.x
    • Mozilla Firefox 0.x-5.x
    • Mozilla Firefox FireFTP add-on
    • Mozilla SeaMonkey 1.x-2.x
    • Mozilla Flock 1.x-2.x
    • Mozilla Suite Browser 1.x
    • LeechFTP 1.3
    • Odin Secure FTP Expert
    • WinFTP
    • FTP Surfer 1.0.7
    • FTPGetter 3
    • ALFTP 5
    • IE 4-9
    • Dreamweaver CS5
    • DeluxeFTP 6
    • Google Chrome
    • Chromium & SRWare Iron
    • ChromePlus
    • Bromium (Yandex Chrome)
    • Nichrome
    • Comodo Dragon
    • RockMelt
    • K-Meleon
    • Epic
    • StaffFTP
    • AceFTP 3
    • Global Downloader
    • FreshFTP
    • BlazeFTP
    • NetFile
    • GoFTP
    • 3D-FTP
    • EasyFTP
    • XFTP
    • RDP (Windows Remote Desktop Connections)
    • FTP Now
    • Robo-FTP
    • Certificate Grabber
    • LinasFTP
    • Cyberduck
    • Putty (Russian version)
    • Notepad++ (NppFTP plugin)
    • CoffeeCup Visual Site Designer
    • FTPShell
    • FTPInfo
    • NexusFile
    • FastStone Browser
    • CoolNovo
    • WinZip (built-in FTP backup settings)
    • Yandex.Internet
    • MyFTP
    • sherrod FTP
    • NovaFTP
    • Common Windows Mail decryption code
    • Windows Live Mail
    • Windows Mail
    • Becky!
    • Pocomail
    • IncrediMail
    • The Bat!
    • Outlook
    • Thunderbird
    • FastTrackFTP

Fareit has been around for two years now, and we have reason to believe that it continues to steal the same stored credentials from the above target applications. It is a sophisticated malware, and the criminals behind it have been making it sure that its variants remain behind scanners by constantly applying different techniques, like code obfuscation and encryption, to cover the real code beneath. This, in turn, also makes it quite a challenge for researchers to probe deeper.

Reginald Wong

Sursa: “Bank of America” Malware: An In-Depth Analysis

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...