Target List of Hesper-BOT Malware
2 likes3,088 views
This document summarizes technical analysis of the Hesper/BOT malware targeting Russian and other European banks. It identifies common command and control domains and IP addresses the malware communicates with, and lists over 200 bank names that are targeted by the malware in its attempts to steal login credentials. Technical details provided include ASN and geo-location information for IP addresses and domains used in the attacks.
Target List of Hesper-BOT Malware
- 1. This%research%article%is%a%short%technical%publication%focused%on%technical%approach%used%from%attackers.% % Target'List'of'Hesper/BOT'Malware' Page%1% % Target'List'of'Hesper/BOT$Malware' Targeting%Russian%Banks.% ABSTRACT' In%the%middle%of%August%we%discovered%a%malware? spreading% campaign% in% the% Czech% Republic.% Our% interest% was% first% kindled% by% the% site% that% the% malware% was% hosted% on% –% a% domain% that% passed% itself%off%as%belonging%to%the%Czech%Postal%Service%–% but%more%interesting%findings%followed.% Analysis% of% the% threat% revealed% that% we% were% dealing% with% a% banking% trojan,% with% similar% functionality% and% identical% goals% to% the% infamous% Zeus% and% SpyEye,% but% significant% implementation% differences% indicated% that% this% is% a% new% malware% family,%not%a%variant%of%a%previously%known%trojan.% Despite%being%a%“new%kid%on%the%block”,%it%appears%that% Win32/Spy.Hesperbot%is%a%very%potent%banking% trojan%which%features%common%functionalities,%such%as%keystroke%logging,%creation%of%screenshots%and%video% capture,%and%setting%up%a%remote%proxy,%but%also%includes%some%more%advanced%tricks,%such%as%creating%a% hidden% VNC% server% on% the% infected% system.% And% of% course% the% banking% trojan% feature% list% wouldn’t% be% complete%without%network%traffic%interception%and%HTML%injection%capabilities.%Win32/Spy.Hesperbot%does% all%this%in%quite%a%sophisticated%manner.% When%comparing%the%Czech%sample%to%known%malware%in%our%collection,%we%discovered%that%we%had%already% been% detecting% earlier% variants% generically% as% Win32/Agent.UXO% for% some% time% and% that% online% banking% users%in%the%Czech%Republic%weren’t%the%only%ones%targeted%by%this%malware.%Banking%institutions%in%Turkey% and%Portugal%were%also%being%targeted.% The%aim%of%the%attackers%is%to%obtain%login%credentials%giving%access%to%the%victim’s%bank%account%and%to%get% them%to%install%a%mobile%component%of%the%malware%on%their%Symbian,%Blackberry%or%Android%phone.%Keep% reading% for% details% on% the% malware% spreading% campaigns,% their% targets% and% for% technical% details% on% the% trojan.% %Source:%http://www.eset.com% % % % % % % %
- 2. This%research%article%is%a%short%technical%publication%focused%on%technical%approach%used%from%attackers.% % Target'List'of'Hesper/BOT'Malware' Page%2% % WEB'INJECT'ANALAYSES'' Our%research%analyses%of%the%web%inject%script%used%from%malware,%reveals%this%hostnames%that%malware%is% communicating.% % % ! ! ! ! ! ! ! ! Figure!1:!C&C!Diagram! % % ntttwindow.zSysDomain%=%'https://gvapp.ru';% %ntttwindow.zSysDomain%=%'http://qcdykbgkjr.ru'; %%nttwindow.zSecSrvU='https://qvvvkmhfye.ru';%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Figure!2:!C&C!Host!Names! % % HTTP://QCDYKBGKJR.RU'C&C'DETAILS' IP'Address'details'and'Geo/location' Base Record Name IP Number Routes AS Location qcdykbgkjr.ru A qcdykbgkjr.ru 88 208 29 81 88.208.28.0/23 Hosting Segment ADVANCEDHOSTERS-NET ADVANCEDHOSTERS LIMITED AS39572 ADVANCEDHOSTERS- AS ADVANCEDHOSTERS LIMIT Amsterdam, Netherlands 192 243 63 237 192.243.48.0/20 ADVANCEDHOSTERS ADVANCEDHOSTERS-NET Roseau, Dominica c vvv 4766090 pix-cdn org Figure!3:!Displays!various!information!related!to!AS,!BGP,!Routes!and!Location! InjectedScript% haps://gvapp.ru% hap://qcdykbgkjr.ru% /pjs/% 9272.js% hap:// upd0307.mkfqoflxdw.ru% hap://fcgfztawcr.ru/ adb/% hap://mwrkaggcjd.ru/ hlog% hap://btvtdwzkai.ru/ alg/index3.php% haps://qvvvkmhfye.ru%
- 10. This%research%article%is%a%short%technical%publication%focused%on%technical%approach%used%from%attackers.% % Target'List'of'Hesper/BOT'Malware' Page%10% % "ubs.com"%: "invb.ru"%: "jugra.ru"%: "urb.ru"%: "ymkbank.ru"%: "ucb.az"%: "unexbank.com.ua"%: "uniastrum.ru"%: "unibank.az"%: "unibank.am"%: "unicorbank.ru"%: "unicreditbank.ru"%: "unicreditbank.lv"%: "unicreditbank.lt"%: "unicreditbank.ee"%: "unisonbank.com.ua"%: "unistream.ru"%: "money.yandex.ru"%: "ykb.ru"%: "yapikredi.com.az"%: "yarbank.ru"%: "yarinterbank.ru"%: "yarosbank.ru"%:%1 }; % ' END'POINT'PROTECTION' Updated%antivirus%and%activated%firewalls.% ' NETWORK'PROTECTION' IP%reputation%and%firewall%filter%for%the%following%IP%addresses.% 88.208.5.186 192.243.63.54 192.243.63.237 88.208.29.81 88 208 7 208 CONCLUSIONE' The%attack%is%alive%and%the%amount%of%the%targeted%banks%is%very%large,%the%C&C%networked%servers%have% more%entry%points%making%them%redundant%against%the%takedowns.% STATISTICS' The%analyzed%sample%has%more%than%1450%bank%hostname’s.% ' ABOUT'the'RESEARCHERS' Senad'Aruc' Multiple% Certified% ISMS% Professional% with% 10?year% background% in:% IT% Security,% IDS% and% IPS,% SIEM,% SOC,% Network% Forensics,% Malware% Analyses,% ISMS% and% RISK,% Ethical% Hacking,% Vulnerability% Management,% Anti% Fraud% and% Cyber% Security.% Currently% holding% a% Senior% Security% Specialist% position% at% Reply% s.p.a% ?% Communication%Valley%?%Security%Operations%Center.%Responsible%for%advanced%security%operations.%%% EPMail:!senad.aruc@gmail.com! Blog:!www.senadaruc.com! Twitter:!https://twitter.com/senadaruch! LinkedIn:!https://www.linkedin.com/in/senadaruc
- 11. This%research%article%is%a%short%technical%publication%focused%on%technical%approach%used%from%attackers.% % Target'List'of'Hesper/BOT'Malware' Page%11% % Davide'Cioccia' MSc% Computer% Engineering% Degree.% Security% Developer% focused% on% Cyber% Security% Intelligence,% Malware% analysis,%Anti?fraud%systems.%Microsoft%certified.%Currently%holding%a%Security%Consultant%position%at%Reply% s.p.a%?%Communication%Valley%?%Security%Operations%Center.% EPMail:!mailto:davide.cioccia@live.it! Twitter:!https://twitter.com/david107! LinkedIn:!https://www.linkedin.com/in/davidecioccia Gianluigi'Sisto Security%professional%with%15+%years%of%combined%experience%as%security%tester,%fraud%expert%and%security% data% analyst.Strong% background% in:% Antifraud% solution,% Malware% Analysis,% Security% Assessment,% Project% Management,% Risk% Assessment,% SOC,% IDS% ,% IPS,% System% Administrator.% I% am% currently% employed% in% Communication%Valley%BU%of%Security%Reply%where%I%am%in%charge%of%the%delivery%and%deployment%of%all%the% company's%anti?fraud%solutions. Email:!master@gov.it.eu.org Linkedin:!https://www.linkedin.com/pub/gianluigiPsisto/89/89b/a56 Skype:!revanxnx! % %