This post, the second of two parts, was written by Christiaan Beek, Raj Samani, and Shane Shook.
In our first post, we examined the evolution of the botnet. In this follow-up we will discuss a new botnet operating model that allows an attacker to get an insider’s view of infected organizations without actually being an insider—all while remaining undetected and manipulating data for financial gain.
Fiction or reality?
Many examples of attacks by botnet malware resulting in financial theft or accounts fraud have been published that trace the evolution of “personal” information stealers into “corporate” information stealers. In 2009 Patco Construction, in Sanford, Maine, was robbed of $588,000. In that same year, US law enforcement arrested individuals associated with the incursions via botnets into 390 companies in the United States, with estimated related losses at more than $70 million. Similar activities occurred in 2012 when Tennessee Electric Co. lost almost $328,000 after their bank account was taken over by cyber thieves.
Other examples abound, but the evolution of the use of botnets continues as more and more corporate services are facilitated online. In 2014 Salesforce.com users were targeted by malware configured to automatically steal login details, and even bypass two-factor authentication. Numerous examples of malware configurations to target corporate financial, securities, and other web services are available through cursory Internet searches. Dyre samples include more than 450 URLs intended to be automatically monitored for credentials theft, including corporate and personal web services. Some of the configured URLs include nonspecific wildcards to harvest credentials used for popular corporate financial and HR applications.
In May, the Australian Federal Police released a report concerning corporate securities trading fraud in which malware actors were targeting nontraditional financial platforms in Australia. Investigations into large sums of money fraudulently transferred from various Australian financial institutions using corporate accounts commenced in February 2014.
The investigations showed that two brokerage services were making unusual transactions. Forensic investigations revealed the presence of “financial” malware. The malware, in this instance, was defined as malicious software that has been designed to steal, alter, and compromise financial transactions and credentials.
Some results from the investigation:
- Logins occurring in excess of a month prior to the first fraudulent transaction.
- Logins occurring while the broker was listed as absent from work.
- Logins occurring between specific periods consistent with known Eastern European actors.
- Logins using specific user-agent strings consistent with known Eastern European actors.
- Numerous forged authorizations had been processed without question.
Market information stealer: These seek to help a subscriber gain insights into valuable sensitive and highly protected information. These malware are less focused on credential theft, although that is an important feature for subscribers to discern the financial performance of their victims. Instead the malware facilitates managed access to specific information stores or screens from which time-sensitive information can be surreptitiously observed or copied.
In the preceding picture, the botmaster has control over computers in two banks and a trading firm, representing capital markets analysts and a corporate controller. The botmaster is simply providing access to a subscriber (“Malicious Trader”), who can see sensitive information in each company, a kind of “Botnet-Flix.” With that access, the Malicious Trader can use the information to anticipate the financial market and start actions that will give him, or the organization he’s working for, a financial gain.
The crimes committed are not only the intrusion into the bank and trading firm computers, but also the exploitation of the proprietary and sensitive information for gain.
Although this seems an incredible situation, such facilities are provided by a long history of botnet malware that enable automated or manual access to infected computers.
Examples of malware features
The following table shows an overview of banking botnets as of March and the plug-ins and functions available to operators or subscribers:
Banking Botnets and Extra Features
|
|||||||
Feature | Man in the Browser | Redirect | VNC/Back Connect | Screenshots | Video Capture | Proxy | Certificate Stealer |
Zeus | Y | Y | Y | Y | Plug-in | Y | Y |
IceIX | Y | Y | Y | Y | Plug-in | Y | Y |
Citadel | Y | Y | Y | Y | Plug-in | Y | Y |
Gameover | Y | Y | Y | Y | N | Y | Y |
KINS | Y | Y | Y | Y | Plug-in | Y | Y |
Shylock | Y | N | Y | N | Y | Y | Y |
Geodo | Y | Y | Y | Y | N | N | Y |
Dridex | Y | Y | Y | Y | N | Y | Y |
Gozi | Y | N | Y | Y | N | Y | Y |
Dyre | Y | Y | Plug-in | Y | Y | Y | Y |
Ramnit | Y | Y | Y | Y | N | N | N |
Tinba | Y | Y | Y | Y | N | Y | N |
Hesperbot | Y | Y | Plug-in | Plug-in | Plug-in | Plug-in | Plug-in |
Source: http://www.secureworks.com/assets/pdf-store/other/banking-botnets-persist-2015.pdf
The Zeus malware’s video capture plug-in can detect if a remote desktop session is being launched and start recording that session. Examples of malware and their features can be viewed on YouTube:
- See 5:38 for VNC and recording.
https://www.youtube.com/watch?v=FBaW6M1Edtk
- Zeus 2015. Full panel configuration on services.
https://www.youtube.com/watch?v=UcHnrvS2-S8
Fraud is a crime conducted by individuals. Malware is a tool that can be useful to those individuals. Botnets connect interested individuals with tools they can use, and ready access to victims on whom the fraud can be committed.
A recent example concerning market information theft that began in 2010 and continued for five years involved hackers and traders who stole sensitive information that allowed trading resulting in an estimated $100 million in profits. The access to the stolen information was facilitated by botnets, and hackers disseminated instructions and tutorials, created by rogue traders, along with stolen information. A Ukrainian trading company, Jaspen Capital Partners, was identified by the SEC as a beneficiary of the stolen information used to trade on the nonpublic information.
In a settlement press announcement, the SEC stated that the company:
“…made approximately $25 million buying and selling contracts-for-differences (CFDs) on the basis of hacked press releases stolen from two newswire services between 2010 and 2014 and made additional profits trading on press releases stolen from a third newswire service in 2015. CFDs are derivatives that allow traders to place highly leveraged bets on the direction of a stock’s price movement. Without admitting or denying the SEC’s allegations, Jaspen and Supranonok agreed to be enjoined from violating the antifraud provisions of U.S. securities laws and related SEC antifraud rules and to return $30 million of allegedly ill-gotten gains.”
Whether the intended fraud is personal or corporate financial theft, or market manipulation by trading on information that no one else has the opportunity to know, the crime is based on the motive, means, and opportunity.
What’s next?
We write this article to boost awareness, not as a scare tactic. Our analysis of these and similar events are based on our customers submitting malware samples that connect to botnets known for selling their services to subscribers.
Infections by malware of this sort need to be further investigated, focusing on which endpoint was infected and the user’s role and rights, as well as if somebody watched over the victim’s back and what insider data could have been used.
Prevention
- Keep your endpoint detection up to date.
- In addition to promptly patching operating systems, keep all third-party software up to date, especially Adobe Flash.
- Learn the capabilities of these malware families.
Contributors
We would like to thank the many people involved in this research, including members of the Malware Operations team, the Malware Sample Database team, the Foundstone Incident Response team, and our special coauthor of this research, Dr. Shane Shook.
Dr. Shook is well-known to Fortune 100 global companies for providing experienced leadership in incident analysis and response. He has led small and large teams of forensic investigators and computer and telecommunications systems analysts in many of the most notorious information security breach events of the past two decades. Shook’s experience in financial services and other industries, including standards development, helps Intel Security clients understand technology risks in the context of their businesses.
The post A Dummies Guide to ‘Insider Trading’ via Botnet, Part 2 appeared first on McAfee.