A banking trojan is targeting Japanese internet banking users and spreading through at least two vulnerabilities: a Flash vulnerability leaked in the HackingTeam hack and the so-called unicorn bug, a vulnerability in Internet Explorer discovered in late 2014. Both exploits are (still) distributed through an adult website and try to install a signed malicious binary designed to steal personal information from the victim. The spreading mechanism reminds us of another banking trojan specifically targeting Japanese financial institutions, Win32/Aibatook.
Infection
When a user visits the malicious adult website, he is exposed to an exploit targeting either Internet Explorer (CVE-2014-6332) or Flash Player (CVE-2015-5119). The cybercriminals are thus using two widely known, weaponized vulnerabilities. This is yet another reminder that software we routinely use should always be kept up-to-date and patched. A proof-of-concept code for the vulnerability affecting Internet Explorer has been available for quite some time; this campaign is reusing a slightly modified version of it. As for the Flash vulnerability, a working exploit was released publicly earlier this year during the analysis of the Hacking Team leak. Although these vulnerabilities have already been included in major exploit kits, we do not believe that any known exploit kit is used in this campaign. The exploit itself was easy to analyze as no additional obfuscation layer was added, as is customary with exploits used in popular exploit kits. As can be seen in the screenshot below, it appears the adult website attempting to compromise users is in fact just scraping videos from another, legitimate, adult website.
Target
The main payload will download two configuration files. The first one contains a list of 88 Japanese internet banking URLs that are monitored by the trojan, while the second contains the accompanying browser window names. Win32/Brolux.A is a simple trojan monitoring whether the user is visiting one of the targeted Japanese internet banking website. It supports Internet Explorer, Firefox and Chrome browsers. If the user is browsing the web with IE, Win32/Brolux.A will fetch the current URL in the address bar and then compare it to the list in the first configuration file. If Firefox or Chrome is used, it will instead compare the window’s title with the list obtained in the second configuration file. If there is a match, it will spawn a new IE process, pointing to a phishing page.
The phishing page asks for login information as well as answers to security questions. The page tries to use two trusted institutions in Japan: the Public Prosecutors Office and the Financial Services Agency (FSA). The URL mimics both institutions while the page’s content refer to the FSA.
Comments
Post a Comment