Another compromised hostname, “https://xxx.com”, is acting as a drop-zone for data stolen from eight different Italian banks. Analysis of this drop-zone reveals a custom web application built for information stealing. The hackers harvest credit card details from infected users through a phishing attack.
C&C CENTER FUNCTION DETAILS
Behind the password-protected front-end we found a custom-made web application specially designed to store the credit card numbers in encrypted form.
The first page is built with a jQuery plugin that creates AJAX-based CRUD tables: on the left side is the list of all the targeted banks, and on the right side is the list of all the stolen accounts sent by the malware to this drop-zone.
All saved data are encrypted with a block cipher (AES). Selecting a row shows all the encrypted data the malware sent for that account. Without the right decryption key it is impossible to read them. Here is a sample.
To understand what kind of data the hackers steal, we decoded all the client-side code in the page. In one of these scripts we found the key used to perform the encryption.
Here we can see how the hackers use this code to decrypt data directly from the control panel.
One Shot Eight Bank
var key = "b2feba4ede38f4e8f71cf61e1672b37366b6b932ec699ed3a3b5d1e73849e11eda88728240e1d54d074a4c48e2f8baeb 8db47b1ede1";
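The mistake that handed the analysts the key above, a long hex literal assigned to a variable in client-side script, is easy to flag during a code review or an asset scan. The scanner below is an added example, not code from the page or from the drop-zone; the JavaScript it inspects is constructed here and its hex value is made up, not the key quoted from the control panel.

```python
import re
from typing import Dict, List

# Constructed sample of client-side JavaScript in the style of the drop-zone
# front-end (made-up values; the key is not the one recovered from the panel).
SAMPLE_JS = """
var tableOpts = { ajax: "/api/accounts", paging: true, theme: "#1a2b3c" };
var key = "00112233445566778899aabbccddeeff 0123456789abcdef0123456789abcdef";
var sessionNonce = "a1b2c3d4";
function showRow(row) { return aesDecrypt(row.data, key); }
"""

# A string literal assigned to a declared variable: capture name and literal body.
ASSIGN_RE = re.compile(r"(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*([\"'])([^\"']*)\2")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
AES_KEY_BYTES = {16, 24, 32}          # raw AES-128/192/256 key sizes
NAME_HINTS = ("key", "secret", "pass", "iv", "salt")


def find_hardcoded_keys(js: str, min_hex_chars: int = 32) -> List[Dict]:
    """Return long hex literals assigned in client-side JS, the pattern that
    exposed the drop-zone's AES key to anyone who could read the page source."""
    findings = []
    for m in ASSIGN_RE.finditer(js):
        name, literal = m.group(1), m.group(3)
        # Collapse whitespace: copied or line-wrapped sources often split the hex.
        hexstr = re.sub(r"\s+", "", literal)
        if len(hexstr) < min_hex_chars or not HEX_RE.match(hexstr):
            continue
        # An odd hex length cannot be raw key bytes; it is more likely a passphrase
        # that a library derives a key from, which is still a hard-coded secret.
        byte_len = len(hexstr) // 2 if len(hexstr) % 2 == 0 else None
        findings.append({
            "name": name,
            "hex": hexstr,
            "byte_len": byte_len,
            "aes_sized": byte_len in AES_KEY_BYTES,
            "name_hint": any(h in name.lower() for h in NAME_HINTS),
            "line": js[:m.start()].count("\n") + 1,
        })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_JS):
        print(f"line {f['line']}: {f['name']} -> {f['byte_len']} bytes, aes_sized={f['aes_sized']}")
```

Any hit with a name hint or an AES-sized literal is a secret that every visitor to the page can read; it should be moved server-side and rotated.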