Banking malware goes back to basics, but is still effective

While the rise of advanced threats has seen more sophisticated techniques developed and used, in some cases less sophisticated methods and “back to basics” techniques are used.

Earlier this year, Trusteer’s CTO Amit Klein blogged about two malware families, Tinba and Tilon, saying that they were examples of malware going “back to basics”. Recently, Trusteer identified a new variant of Zeus which targeted an Eastern European bank by adding an HTML injection to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction data, while leaving the source account field names and transaction amount field name unchanged.

This variant of Zeus also injects account data of the “mule”, the person whom will act as unwilling or unknowing intermediary, into the field names instead of the altered fields. The victim fills in the transaction details (at the HTML level the field names for some data are incorrect), submits the form and the bank receives an HTTP request for the transaction, only the correct fields now specify the receiving mule account.

Trusteer claim that this demonstrates a “step back” for attackers as they are using a hardcoded HTML injection (with static mule account information) to perform fraudulent transactions which while simple and simplistic. It claimed that this offers two advantages over Javascript HTML injection: there are fewer “moving parts” (dynamic scripts) so it is harder for anti-virus and anti-malware software to detect; and this technique will work on browsers whose users have disabled Javascript for security reasons.

According to Trusteer, this method is “simple, crude but effective!” While it is not completely unsophisticated or without skill, it does move away from the advanced espionage trend to one of basic code injection.

Back in February, Klein said that Trojan developers are investing heavily in stealth capabilities, especially in effots to evade analysis and investigation by security experts. As banks deploy protection layer solutions to monitor online sessions between customers and web applications, these are capable of detecting anomalies during the session to indicate malware-initiated activity. However once in the application, that is where the danger is done.