The Tiny Banker Trojan is spread by email attachments.
Tiny Banker aka Tinba Trojan made a name for itself targeting banking customers worldwide. The Avast Virus Lab first analyzed the malware found in the Czech Republic reported in this blog post, Tinybanker Trojan targets banking customers. It didn’t take long for the malware to spread globally attacking customers from various banking behemoths such as Bank of America, Wells Fargo, and RBC Royal Bank, which we wrote about in Tiny Banker Trojan targets customers of major banks worldwide.
This time we will write about a campaign targeting customers of Polish financial institutions. The Trojan is spread by email attachments pretending to be pictures. The examples of email headers are shown in the following image.
In fact, there are executable files in the zip attachments - IMG-0084(JPEG).JPEG.exe, fotka 1.jpeg.exe. The interesting thing is that the binary looks almost like regular WinObj tool from Systernals, however there are differences: The original version of WinObj has a valid digital signature. The malware doesn’t have any.
Mid January we informed you of a data-stealing piece of Android malware called Fobus. Back then Fobus mainly targeted our users in Eastern Europe and Russia. Now, Fobus is also targeting our users in the USA, United Kingdom, Germany, Spain and other countries around the world.
Fobus can cost its unaware victims a lot of money, because it sends premium SMS, makes calls without the victims’ knowledge and can steal private information. More concerning is that Fobus also includes hidden features that can remove critical device protections. The app tricks users into granting it full control of the device and that is when this nasty piece of malware really begins to do its work. You can find some more technical details and analysis of Fobus in our previous blog post from January.
Today, we decided to look back and check on some of the data we gathered from Fobus during the last six months. We weren’t surprised to find out that this malware family is still active and spreading, infecting unaware visitors of unofficial Android app stores and malicious websites.
The interesting part of this malware is the use of server-side polymorphism, which we suspected was being used back in January but could not confirm. We have now confirmed that server-side polymorphism is being used by analyzing some of the samples in our database. Most of these have not only randomly-generated package names, but it also seems that they have randomly-generated signing certificates.
Malware authors like to play hide-and-seek. Hiding executable files inside PDFs and Microsoft Office documents then emailing them as attachments are nothing new, but sometimes one layer isn’t enough. This Avast Virus Lab analysis peels back the layers of a new threat.
Malware authors continually surprise us with their creativity. In an effort to trick banking customers into revealing the login credentials for their online account, cycbercrooks are using the trust people have in Microsoft Office to make them execute banking malware on their own computers. Here’s how it works:
Typically, spam emails contain executable files that can harm a victim’s computer and steal private information. In the layered version, they have PDFs or Microsoft Office documents attached that contain a malicious executable file. We recently found an email that had an added layer and decided to analyze the email.
The email, disguised as a financially-related message from a legitimate company, informed the recipient that an invoice was due and had a PDF file attached. Embedded inside the malicious PDF was a Microsoft Office document and simple java script that dropped and executed the DOC file.
Inside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique methods names, variable names, and URLs, making it difficult to detect the malicious files.
When we analyzed the malicious macro code, we found some hints that helped us with our analysis. In this sample it was a function called MICHEL.
We already knew this function would open the URL with the malicious file, and when we found this function in one of the modules, we were able to find the download path.
The address is stored as a GUADALUPE variable. The URL is unique for each sample and leads to the download of a malicious PE file.
The PE file would act as an information stealer, stealing login credentials from banking sites like
- Santander, whose principal market is in the Northeastern United States
- Ulster bank, based in Ireland
- From Google accounts
How to protect yourself from banking malware
Our number 1 recommendation is keep your security software updated. Avast streams hundreds of updates every day to your devices, so you will stay protected. For example, the executable file downloaded by the malicious Microsoft Office document belongs to a banker family evolved from infamous Zeus. This variant is also known as a Dridex Botnet. At the time of writing this post, the botnet is still active, but the malware itself is inactive. Avast detects it as Win32: Pierre-A.
Clever cybercrooks use social engineering to manipulate their victims. Use extreme caution when opening emails related to your finances until you can verify the legitimacy.
Samples related to this analysis:
Everyone from celebrities like Lena Dunham to Hugh Jackman are using the (currently) seventh most popular app available on Google Play: Dubsmash. Dubsmash is an app with more than 10 million Google Play installations that lets users choose a sound, record a video to go along with the sound and send their dub to their friends or social media channels. Dubsmash is not only widely popular amongst teens and celebs, but the app has also caught the attention of malware authors.
Avast recently discovered “Dubsmash 2” (with the package name “com.table.hockes”) on Google Play – and no, it was not the bigger and better version of the original app. The app is a so called “porn clicker” and was installed 100,000-500,000 times from the Google Play Store. We contacted Google when we discovered the rogue app and it was removed from the Play Store shortly thereafter. Once the app was installed there was no evidence of an app named “Dubsmash 2” on the user’s device, instead the app installed an app icon named “Setting IS”. This is a common trick malware authors use to make it harder for the user to figure out which app is causing problems. This should also be the user’s first clue that something shady is going on. The “Settings IS” icon looked very similar to the actual Android Settings icon (see screenshot below).
The app’s mischievous activities could be triggered by two actions. The first possible way was by simply launching the “Settings IS” app and the second, which occurred only if the user had not yet launched the app, was via the BroadcastReceiver component within the app. BroadcastReceiver observed the device’s Internet connectivity and if the BroadcastReceiver noticed the device was connected to the Internet, the app’s true functions would be triggered.
If the “Settings IS” app was opened by the user, the Google Play Store would launch to the actual “Dubsmash” app download page.
Once activated, the app sent an HTTP GET request to an encrypted URL. If the request returned a string containing the character “1” two services would begin to work: MyService and Streaming. Using this method the author could also effectively turn off the start of the services remotely.
The second service, the Streaming service, was fairly similar in structure to the MyService component in that it also scheduled a task to run every 60 seconds. The main difference to MyService, is that users could notice the Service tasks did not run secretly in the background. The task would check for changes in the device’s IP address or date. If either of them had changed, a video would launch in the device’s YouTube app. The YouTube app needed to be installed on the device for this to function properly. The video address was also obtained from an encrypted URL.
After decrypting and further examining the URLs and the video from YouTube, the Avast Virus Lab came to the conclusion that the malware most likely originated from Turkey. The developer’s name listed on Google Play and YouTube hint to this.
We suspect the app developer used the porn clicker method for financial gain. Through clicks on multiple ads within the porn sites, the app developer probably received pay-per-click earnings from advertisers who thought he was displaying their ads on websites for people to actually see.
Despite being undesirable, but basically harmless to the user and less sophisticated than other malware families such as Fobus or Simplocker, this app shows that although there are safeguards in place, undesirable apps that fool users can still slip into the Google Play store.
If you installed Dubsmash 2 (package name “com.table.hockes”), you can delete the app by going into Settings -> Apps -> find “Settings IS” and then uninstall the app.
The Avast Mobile Security application detects this threat as Android:Clicker. SHA-256 hash: de98363968182c27879aa6bdd9a499e30c6beffcc10371c90af2edc32350fac4
Thank you Nikolaos Chrysaidos for your help with the analysis
Would you rather trust the virus experts or your instincts?
Every day 140,000 people connect their USB flash drive or mobile phone to a computer, and get a warning from Avast about an infection called LNK:Jenxcus.
Which kind of person are you?
Many of them act on that information from their trusted Avast Antivirus security software and as a result, they scan their USB device for malware and they wipe it away. Crisis over.
But there is another group of people who keep this infection alive and active, because they refuse to believe it is a real or dangerous threat. In other words, because something has always been one way, they assume it can’t change, therefore Avast must be wrong.
As a result, they decide to turn off their antivirus shield and by doing so, they create an obstacle-free way for malware to enslave their computer and steal data or valuable computing time.
A perfectly good reason. Or is it?
One of the most frequent reasons people use for disabling shields and allowing malware to spread in their computer is
“I use this file all the time and it is safe.”
Another variation is,
“I created this file, it’s only a picture.”
Do you find this situation familiar? Are you guilty of over-riding the security software you installed to protect yourself?
If your answer is yes, then test your virus detection knowledge with the image below. There are two screenshots of a directory from a USB stick; one is infected and the other is clean. Can you tell the difference?
It’s difficult to tell, isn’t it?
The one on the left is infected. The most visible differences are on the icons, but there is another clue in the file types. Some files and directories on the left side changed their type into a shortcut. This happened because a malicious script installed itself onto a USB drive and replaced legitimate files with links. If the owner of the USB opens the directory Firm Accounting, for example, he executes malware that in the end opens the real Firm Accounting directory, so it looks like everything is normal. But it is not, because in the background all the computer’s drives are getting infected over and over again.
Avast detects LNK:Jenxcus and warns you.
The trick is; you have to heed the warning.
Source of infection
Except from other infected drives, this malware is downloaded onto your computer from hacked websites. The screenshot below shows an example of a hacked website waiting for random users with a vulnerable internet browser. Can you tell the difference this time?
If you answered no, you are absolutely right, because for the normal user there is no visible change. That is probably the reason for another frequent excuse before disabling the shields,
“I visit this page every day. It doesn’t have malware.”
That’s just not good enough, because the fact that the page is clean most of the time, does not mean it is not vulnerable to attacks. In fact most small and medium-sized business (SMB) pages have some exploitable vulnerability and when they get targeted by exploit kit authors, your best chance to stay safe are updated applications and active antivirus. With the shields ON!
If you are comfortable with computers, then you may want to clean this infection manually. Start with your computer and look for links (.lnk) and visual basic script (.vbs .vba .vbe) or batch files (.bat). Links usually point to this hidden script files so it is not hard to find them. If you wonder where the original files are, you can find this information in links too. They were not moved in most cases, just marked as hidden so they are not visible on computers with standard configuration. When you are sure all hard drives are clean, it is time to go through all your removable ones and go through the same procedure.
An easier way to clean an infection is by using a good cleaning tool. If you need help searching for such tool, visit our Avast forum and read what others do in your situation, or ask nicely for help from Evangelists, who dedicate their free time to helping users and researching security problems.
Suspect a false positive?
If you think it’s a false positive, do a little checking first. The Avast forum is a good place to start. You can read about LNK:Jenxcus, or you can start a new thread with your own question. If you are still convinced that you have a false positive, then please report it so the Avast Virus Lab can determine how/why it’s detected,. This video tells you how,
Wi-Fi and encryption
Data transmitted over a wireless network can be either unencrypted or encrypted. While both options are available to users, the use of open, unprotected Wi-Fi networks has become increasingly popular across the globe. In the case of open wireless networks, the transmitted data are unencrypted and might be visible to others, as is shown in the screenshot below. To resolve this issue, many wireless networks use password protection. However, the method and strength of these passwords matter: if a weak encryption method, such as WEP, is used, an attacker can simply crack the password and decrypt the device’s communication. Hence, the use of a strong encryption such as WPA/WPA2 is suggested. The length of a password is another important factor to its strength — a strongly encrypted communication with a short key length can still be cracked by hackers within a short amount of time. Because of this, a key length of longer than 8 characters is strongly recommended.
(Figure 1: List of available wireless networks featuring both encrypted and unencrypted options.)
In June 2014, we told you about mobile ransomware called Simplocker that actually encrypted files (before Simplocker, mobile ransomware only claimed to encrypt files to scare users into paying). Simplocker infected more than 20,000 unique users, locking Android devices and encrypting files located in the external storage. Then, it asked victims to pay a ransom in order to “free” the hijacked device. It was easy to decrypt the files affected by this variant of Simplocker, because the decryption key was hardcoded inside the malware and was not unique for each affected device.
Dangerous unique keys
But now there is a new, more sophisticated variant of Simplocker in town that has already infected more than 5,000 unique users within days of being discovered. The reason why this variant is more dangerous than its predecessor is that it generates unique keys for each infected device, making it harder to decrypt infected devices.
To use an analogy, the original variant of Simplocker used a “master key” to lock devices, which made it possible for us to provide a “copy of the master key” (in the form of an app, Avast Ransomware Removal) to unlock already infected devices. The new variant however, locks each device with a “different key” which makes it impossible to provide a solution that can unlock each infected device, because that would require us to “make copies” of all the different “keys”.
Why would anybody install Simplocker?!
The reason why people install this new variant of Simplocker is because it goes undercover, meaning people don’t even realize that what they are installing is ransomware!
In this case, the new variant of Simplocker uses the alias “Flash Player” and hides in malicious ads that are hosted on shady sites. These ads mostly “alert” users that they need Flash Player installed in order to watch videos. When the ad is clicked on, the malicious app gets downloaded, notifying the user to install the alleged Flash Player app. Android, by default, blocks apps from unofficial markets from being installed, which is why users are notified that the install is being blocked for security reasons.
Users should listen to Android’s advice. However, users can go into their settings to deactivate the block and download apps from unknown sources. Once installed, a “Flash Player” app icon appears on the device and when it is opened the “Flash Player” requests the user grant it administrator rights, which is when the trouble really begins.
As soon as the app is granted administrator rights, the malware uses social engineering to deceive the user into paying ransom to unlock the device and decrypt the files it encrypted. The app claims to be the FBI, warning the user that they have found suspicious files, violating copyright laws demanding the user pay a $200 fine to decrypt their files.
What should I do if I have been infected?
We do NOT recommend you pay the ransom. Giving into these tactics makes malware authors believe they are succeeding and encourages them to continue.
If you have been infected by this new strain of Simplocker, back up the encrypted files by connecting your smartphone to your computer. This will not harm your computer, but you may have to wait until a solution to decrypt these files has been found. Then boot your phone into safe mode, go into the administrator settings and remove the malicious app and uninstall the app from the application manager.
Avast protects users against Simplocker
Avast Mobile Security protects users against both the old and new variant of Simplocker, the new variant is detected as: Android:Simplocker-AA.
A more technical look under the hood:
As the fake FBI warning is being shown to users, the malware continues working in the background, doing the following: Read more…
One small Android application shows lots of determination and persistence. Too bad it’s evil.
The year 2014 was significant with a huge rise in mobile malware. One of the families impacting our users was malware Fobus, also known as Podec. This malware poses as a more or less useful application, but for sure it won’t be what the user expects. This malware usually has two language versions, English and Russian, and applications seem to be generated automatically.
All that, and a bag of chips
From the permissions in the manifest, we can see that once Fobus is installed on the victim’s device it cannot only send SMS and call premium numbers, which may cost a lot of money, but it also works as Spyware and can steal personal data from the infected device. That’s a lot of bad stuff packed into one small application.
Next up is a bit more technical stuff. If you are really eager, skip to Me thinks that something is amiss section to see how it works. Read more…
At the end of September 2014, a new threat for the Linux operating system dubbed XOR.DDoS forming a botnet for distributed denial-of-service attacks was reported by the MalwareMustDie! group. The post mentioned the initial intrusion of SSH connection, static properties of related Linux executable and encryption methods used. Later, we realized that the installation process is customized to a victim’s Linux environment for the sake of running an additional rootkit component. In this blog post, we will describe the installation steps, the rootkit itself, and the communication protocol for getting attack commands.
Installation Script & Infection Vector
The infection starts by an attempt to brute force SSH login credentials of the root user. If successful, attackers gain access to the compromised machine, then install the Trojan usually via a shell script. The script contains procedures like main, check, compiler, uncompress, setup, generate, upload, checkbuild, etc. and variables like __host_32__, __host_64__, __kernel__, __remote__, etc. The main procedure decrypts and selects the C&C server based on the architecture of the system.
In the requests below, iid parameter is the MD5 hash of the name of the kernel version. The script first lists all the modules running on the current system by the command lsmod. Then it takes the last one and extracts its name and the parameter vermagic. In one of our cases, the testing environment runs under “3.8.0-19-generic\ SMP\ mod_unload\ modversions\ 686\ “, which has the MD5 hash equal to CE74BF62ACFE944B2167248DD0674977. Read more…
South Korean banks have been attacked by hackers again!
This is not the first time we reported malware which targets Korean banking customers. In the past, we wrote about Chinese threats against Korean Windows users and last year we published a series of blogposts, Fake Korean bank applications for Android (part 1, part 2, part 3), about malware targeting mobile platforms.
The Korean banking malware is based on the same principle previously used. The customer executes the infected binary, which modifies Windows hosts file. This file contains a list of domains with assigned IP addresses. Malware, however, may modify this file. When a customer wants to visit his online bank website, he is redirected to the IP address specified in the hosts file, not to the original bank website!
The piece of malware we will discuss in this blog post performs the above mentioned modification of system settings. However, when we looked into the modified hosts file, we noticed something unusual.