Hesperus (Evening Star) Shines as Latest ‘Banker’ Trojan

Hesperus, or Hesperbot, is a newly discovered banker malware that steals user information, mainly online banking credentials. In function it is similar to other “bankers” in the wild, especially Zbot. Hesperus means evening star in Greek. It is very active in Turkey and the Czech Republic and is slowly spreading across the globe.

This sophisticated malware uses of different modules for specific purposes, injects HTML scripts into bank-related websites, stores all modules and data in encrypted form, encrypts its configuration file, uses the Twofish encryption algorithm with an HMAC-SHA512 hash key, employs WinScard.dll to read smart cards, and communicates with its control server over SSL. It also uses the current standard technique of injecting its entire code into attrib.exe and then into explorer.exe. Thus its communications appear to be from the legitimate file explorer.exe.

I analyzed a recent binary, compiled on September 2, and found that its control server is very active. The main binary is custom packed. After unpacking, it contains a string suggesting dropper_x86.bin is its original name:

  • MD5: 72AD2AF02C98068DE5FD9F9AE2C5B750. Compiled Date: Monday, Sep. 2, 2013, 11:18:20

Dropper_x86.bin contains two binaries specific to the operating system:

  • Core_x86.bin for 32-bit OS. MD5: 524C3F6F5D6968557AB000B920D42D9E. Compiled Date: Monday, Sep. 2, 2013, 10:46:05
  • Core_x64.bin for 64-bit OS. MD5: 5D7E115CD6269FDDFB75AE76E5D5221A. Compiled Date: Monday, Sep. 2, 2013, 10:46:16  – 64 Bit EXE

These binary files have one export function, “_hesperus_core_entry,” hence the bot name.

Following strings suggest possible geographic locations for infections:

botnet

The main binary unpacking code:

decryption

This code starts attrib.exe in a suspended state and injects its code. It drops a few files into the %APPDATA% directory as .dat and .bkp files.

User information such as computer name/username, encryption key, main binary file, downloaded malicious modules, and configuration file are stored in a different .dat.

The .bkp files are backup files for .dat files.

dir

Data in  .dat and .bkp files is encrypted using the Twofish encryption algorithm with an HMAC-SHA512 hash key.

hmac

After injecting code into explorer.exe, the malware connects to its control server using HTTPS to evade general antimalware detection. Its communications appear to come from the legitimate explorer.exe system file. Moreover, the domain names of the control servers appear to be legitimate domain WHOIS service requests. Using valid SSL traffic makes the malware even harder to detect.

Using SSL, the Trojan downloads other malicious modules from its control server. These are used to hide virtual network computing, and for keylogging, screen recorder, smart card reader, socket secure protocol proxy, etc.

These modules are:

  • hvnc_mod_x86.mod
  • keylog_mod_x86.mod
  • sch_mod_x86.mod
  • socks_mod_x86.mod

The malware communicates with other legitimate websites such as facebook.com, google.com, wikipedia.org, etc.

network

The associated control server domains:

  • Whoischeck.biz
  • reliable-dns.co.uk
  • 91.213.233.197

Another variant downloads other malware from a different URL and collects and sends user email addresses to ptcliente.org/gr-mail/tr-mail.php.

MD5: A79D1E01A05C262DC0A8DA5C577CAF89. Compiled Date: Thursday, Aug. 29, 2013, 9:01:08

tr

Another variant (MD5: 4107E4C91B197C483C320DA13EF27F95. Compiled Date: Monday, Sep. 2, 2013, 11:12:21) sends infection information using POST to identity-check.org/nlog/nlog.php.