Skip to content →

ONE SHOT EIGHT BANKS

ABSTRACT

Another compromised hostname “https://xxx.com” is acting like drop-zone for stolen data from eight different Italian banks. The analysis of this drop-zone reveal a custom web application focused for info stealing. They steal a credit card details from the infected users using a phishing attack.

C&C CENTER FUNCTION DETAILS

Behind the password protected front-end we reveal a custom-made web application specially designed to store the Credit Card numbers encrypted.

The first page shows a page built whit a JQuery plugin to create AJAX based CRUD tables, where, on the left side there is the list of all the targeted banks and on the right side we have a list of all stolen accounts sent by the malware to this drop-zone.

Schermata 2014-11-15 alle 09.23.35

 

All saved data are encrypted through a block cypher algorithm (AES). Selecting the row you can see all the encrypted data sent by the malware. Without the right decryption key is impossible to read them. Here a sample.

Schermata 2014-11-15 alle 09.23.51

During the static JavaScript code analysis we found the code to encrypt and decrypt “key” used by hackers. This two functions use two methods declared in the same file called “encipher” and “decipher” that realize the encryption/decryption operation.

Schermata 2014-11-15 alle 09.24.11

To understand what kind of data the hackers steal, we decoded all the client side code in the page. In one of this we found the key used to perform the encryption.

Here we can see how the hackers are using this code to decrypt data directly from the control panel.

As you can see, we marked in red a new hidden function to generate random encryption key and to decrypt the selected data. This functionality is available through a hidden keyboard keys combination (Ctrl+Alt+F) and has been discovered during the static code analysis of obfuscated JavaScript code. Here is a sample of the analyzed code:

One Shot Eight Bank

var key = “b2feba4ede38f4e8f71cf61e1672b37366b6b932ec699ed3a3b5d1e73849e11eda88728240e1d54d074a4c48e2f8baeb 8db47b1ede1”;

SEE THE FULL ARTICLE HERE —–> DOWNLOAD

Published in Research >>

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *