Malware switches user's Bank Account Number with that of the attacker (October 25, 2013)

The Dell SonicWALL Threats Research Team received reports of a Visual Basic based malware that uses a simple but relatively new trick to steal the victim's money by abusing the ordinary copy-paste mechanism. Whenever the victim copies a bank account number to the clipboard (Ctrl+C), the malware replaces it with a hard-coded account number belonging to the attacker, so the number the victim pastes (Ctrl+V) into the transfer form is the attacker's. Because the substituted number looks like any other account number, a victim who does not re-check it against the original can easily end up transferring money to the attacker.

Infection Cycle

The malware spreads as part of a spam campaign; the following files are dropped onto the victim's machine when the malicious mail attachment is opened:

  • taskmgr.exe [Detected as GAV: VBTroj.TAS (Trojan)]
  • explore.exe [Detected as GAV: VBTroj.EXP (Trojan)]
  • svchost.exe [Detected as GAV: VBTroj.SV (Trojan)]
  • acs.exe [Detected as GAV: VBTroj.ACS (Trojan)]

We observed different tasks performed by each of the dropped files; some of them are highlighted below:

  • taskmgr.exe fetches a text file from adfc4s2ky.biz.ly/score970.txt; the URL was dead at the time of writing.

    It increments a counter maintained by the attacker, which gives the attacker statistics on the number of infections. At the time of writing this blog the count stood at 3811. It uses the following URL to do this:
    simplehitcounter.com/hit.php?uid=1555750&f=16777215&b=0

    It then registers itself with the attacker by sending an e-mail over SMTP. This mode of check-in is uncommon, and it is also easy to spot: outbound SMTP from a user workstation to anything other than the organisation's own mail server is worth alerting on.

  • explore.exe performs the swap itself: it replaces the 26-digit account number copied by the victim with a hard-coded account number stored in the malware. (26 digits is the length of a Polish domestic account number, which fits the Polish banks listed below.) The figure, not reproduced here, showed a dummy account number copied before the malware was executed; once the malware is running, the clipboard contents change to the account number stored in the code. Note that only the 26 digits making up the account number are changed; any other text on the clipboard is left intact.


    We observed the names of a number of banks in the executable, whose customers are presumably the intended targets of this malware:

    • Multibank
    • Getin Bank
    • Eurobank
    • Ing Bank
    • Mbank
    • Pekao24

  • acs.exe tries to download a resource named file1.pdf from adfc4s2ky.biz.ly, but at the time of analysis it had been moved or removed from that location.
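
The clipboard swap performed by explore.exe, modelled in Python as an added example (this is not the malware's code, nor SonicWALL's). It assumes the 26-digit numbers are Polish domestic account numbers (NRB), and the payee account, attacker account and invoice text are constructed dummies, not values recovered from the sample. The example also shows the check a defender actually needs: comparing the pasted number against the source, since the attacker's account is a real, checksum-valid number and passes any bank-side format validation.

```python
"""Model of the clipboard account-number swap described above, with the
check a defender can run against it. Added example, not the malware's code.
Account numbers and invoice text are constructed dummies."""
import re

# Assumption: the 26-digit numbers the sample rewrites are Polish domestic
# account numbers (NRB): 2 check digits + 8-digit bank/branch code +
# 16-digit account, usually written in 2-4-4-4-4-4-4 groups.
NRB_RE = re.compile(r"(?<!\d)(\d{2}(?:[ -]?\d{4}){6})(?!\d)")


def digits_only(text: str) -> str:
    return "".join(ch for ch in text if ch.isdigit())


def nrb_check_digits(bban24: str) -> str:
    """Leading check digits that make 'PL' + NRB a valid IBAN (ISO 13616 mod 97)."""
    assert len(bban24) == 24 and bban24.isdigit()
    # Append 'PL' as digits (P=25, L=21) plus '00', take the remainder mod 97.
    remainder = int(bban24 + "2521" + "00") % 97
    return f"{98 - remainder:02d}"


def nrb_is_valid(account: str) -> bool:
    """IBAN-style check: move country code and check digits to the end, mod 97 == 1."""
    d = digits_only(account)
    return len(d) == 26 and int(d[2:] + "2521" + d[:2]) % 97 == 1


def format_nrb(d: str) -> str:
    return " ".join([d[:2]] + [d[i:i + 4] for i in range(2, 26, 4)])


def make_nrb(bban24: str) -> str:
    return format_nrb(nrb_check_digits(bban24) + bban24)


def _refill(template: str, digits: str) -> str:
    """Overwrite only the digits of template, leaving spaces and dashes where they are."""
    src = iter(digits)
    return "".join(next(src) if ch.isdigit() else ch for ch in template)


def swap_account(clipboard_text: str, attacker_account: str) -> str:
    """What explore.exe does on every copy: rewrite each 26-digit account
    number on the clipboard to the attacker's, touching nothing else."""
    att = digits_only(attacker_account)
    assert len(att) == 26
    return NRB_RE.sub(lambda m: _refill(m.group(1), att), clipboard_text)


def detect_swap(source_text: str, clipboard_text: str) -> list[tuple[str, str]]:
    """The defender's check: compare the account numbers in the text the user
    copied from with those now on the clipboard; return (expected, found)
    pairs that differ. A checksum alone cannot do this, because the
    attacker's account is a real, checksum-valid number too."""
    expected = [digits_only(m) for m in NRB_RE.findall(source_text)]
    found = [digits_only(m) for m in NRB_RE.findall(clipboard_text)]
    return [(e, f) for e, f in zip(expected, found) if e != f]


# Constructed sample data (not recovered from the sample).
PAYEE_ACCOUNT = make_nrb("12345678" + "1111222233334444")
ATTACKER_ACCOUNT = make_nrb("87654321" + "5555666677778888")
INVOICE_TEXT = (f"Invoice 12/2013, 250,00 PLN, account {PAYEE_ACCOUNT}, "
                "phone 601234567")


def demo() -> dict:
    """Copy the invoice, let the 'malware' rewrite the clipboard, then check it."""
    clipboard = swap_account(INVOICE_TEXT, ATTACKER_ACCOUNT)
    return {
        "clipboard": clipboard,
        "still_valid_checksum": nrb_is_valid(NRB_RE.search(clipboard).group(1)),
        "tampered": detect_swap(INVOICE_TEXT, clipboard),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the rewritten clipboard, confirms that the attacker's number still passes the mod-97 checksum, and lists the (expected, found) digit pair that only a comparison against the source document catches. The phone number and the amount are untouched, matching the observation that the sample changes only the 26 digits of the account number.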

Overall this threat abuses one of the most-used features in modern computing to carry out malicious activity. As is the case with most banking malware, it goes after the victim's sensitive banking information, in this case the bank account number, for monetary gain. Because the substituted number is a genuine account, it will not be rejected by the bank's own form validation; the only reliable defence for the user is to compare the pasted account number against the original before confirming the transfer.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: VBTroj.TAS (Trojan)
  • GAV: VBTroj.EXP (Trojan)
  • GAV: VBTroj.SV (Trojan)
  • GAV: VBTroj.ACS (Trojan)