Breaking Up a Banking Botnet
May 31, 2017
What is Pazera?
Pazera is a trojan targeting Windows users. It is distributed through mailing campaigns and aims to steal banking users' data. It is specially focused on stealing information from clients of Chilean and Ecuadorian banks, and tries to trick the user into executing the payload under one of the typical pretexts. The first samples date from December 2016 [1].
[1] http://unaaldia.hispasec.com/2017/01/pazera-un-troyano-para-entidades.html
Infection chain
The infection chain goes through several stages before the final payload runs on the user's computer. To avoid antivirus detection, the payload is delivered inside a password-protected ZIP file so that it cannot be scanned. First, the user receives a spam e-mail from the attacker impersonating a known entity; it tries to trick the user into clicking a URL, using a receipt, debt or fine pretext. Clicking the URL leads to a ZIP file containing a JavaScript file, which is essentially the dropper. The dropper contacts a different server, downloads a password-protected ZIP file and stores it on the user's computer. Once that succeeds, it decrypts the ZIP file and executes its contents. Finally, information about the infected computer, such as the computer id, username, antivirus and Windows version, is sent to a remote command and control server.
Figure: infection chain diagram
Inside the JS script we can see that it references a 7-Zip binary, which is used to do the extraction.
JS using 7za.exe to unpack the malware
There are also some paths generally used by this malware; after deobfuscating a bit they can be seen, even without the original script:
JS deobfuscated
Generally, the binary goes undetected for some time before antivirus engines at VirusTotal manage to pick it up.
VirusTotal detections
Backend
Looking around the site we found a ZIP file with the site's contents, so it was easy to access the main files of the trojan component. We also found several tools used by the attacker, such as mailers (for e-mail scam campaigns), control panel crackers, several web shells used to gain privileges and manage the server's root files, uploaders, compress/uncompress utilities and other tools commonly used by this kind of attacker. In the end we obtained a 58 MB dump of important data that was essential to understanding this attacker's behaviour. This information is necessary for us in order to take measures against similar cases in the future. Victims were also monitored through a panel, where the computer fingerprinting information mentioned above can be seen. The picture below shows some of the infected computers.
C&C Panel screenshot
Actors & IOCs
After neutralizing the attacker's command and control setup, we gathered information to try to find out who the attackers behind this botnet are. Several e-mail addresses were found in the documents; some are only related to the authors of certain parts of the code, but others are related to the attackers. We also include the free dynamic DNS subdomains used to send the stolen information to the attackers.
Emails               Dynamic DNS
[email protected]    magstealnew.ddns.net
[email protected]    maglys.ddns.com.br
[email protected]    cx2new.ddns.net
[email protected]
[email protected]
E-mail addresses and C&C hosts used to collect the stolen information
Executable files related to the attack:
Filename                          SHA256
covovbiuyycytccc.exe              845d7b5858de92c190b8539b31ad623937f672b5e97eb724d2f1044b39ef299f
djcjicasidilllllll.exe            ac3cd3ecaa8e5c8211ccf723429c09d959df1f2e361edab150c13ad0cfd244d4
dkjcjuisdccv.exe                  e4a34dcdcc99727772c2f3379463b4a2c8b72406bf080b3e2c752fc94e6f7725
jabasteste.exe                    aaf6766bc5c9198ce16ed089fc34e8f6e91c8dc8fe6f54fb839d1dfb09e02af0
jcisaiodiccc.exe                  05235f6053fb0c8b12e42d06940dc70e4735fd4ff0eace397893e48f64e6757a
kckidiiduu.exe                    fbdf09b1ad0d04d386ded15825eeabf5c15639c96cd2e1af33d1fca574b9f23c
kckiiqoododcpciosau uiyyuda.exe   b3b4b0155e7d747798afc1ce11e88feb39ba29af31d9a06d84b9c1eff3196011
Filenames and related SHA256 hashes
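The following is an added example, not code from the original deck or from Hispasec: a small indicator matcher that takes the SHA256 hashes and dynamic DNS hosts listed above and applies them to three artefacts a defender typically has at hand, namely files on disk, DNS resolver logs and the body of a suspicious script (the deck notes that the JS dropper references 7za.exe). The sample files, log lines and script fragment are constructed for the demo; only the hashes and hostnames come from the slides.

```python
"""Added example (not part of the original slides): match the Pazera
indicators listed in the deck against files, DNS log lines and script text.
Sample inputs below are constructed for the demo."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# SHA256 hashes of the executables listed in the deck.
PAZERA_SHA256 = {
    "845d7b5858de92c190b8539b31ad623937f672b5e97eb724d2f1044b39ef299f",
    "ac3cd3ecaa8e5c8211ccf723429c09d959df1f2e361edab150c13ad0cfd244d4",
    "e4a34dcdcc99727772c2f3379463b4a2c8b72406bf080b3e2c752fc94e6f7725",
    "aaf6766bc5c9198ce16ed089fc34e8f6e91c8dc8fe6f54fb839d1dfb09e02af0",
    "05235f6053fb0c8b12e42d06940dc70e4735fd4ff0eace397893e48f64e6757a",
    "fbdf09b1ad0d04d386ded15825eeabf5c15639c96cd2e1af33d1fca574b9f23c",
    "b3b4b0155e7d747798afc1ce11e88feb39ba29af31d9a06d84b9c1eff3196011",
}

# Dynamic DNS hosts the deck lists as collection points for stolen data.
PAZERA_C2_HOSTS = {
    "magstealnew.ddns.net",
    "maglys.ddns.com.br",
    "cx2new.ddns.net",
}

# The deck says the JS dropper shells out to 7za.exe to unpack the archive.
DROPPER_MARKERS = ("7za.exe",)

# Crude hostname pattern: dotted labels ending in an alphabetic TLD.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(files: Dict[str, bytes],
                 iocs: Iterable[str] = PAZERA_SHA256) -> List[Tuple[str, str]]:
    """Return (filename, sha256) for every file whose hash is in the IoC set."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in wanted:
            hits.append((name, digest))
    return hits


def _is_c2_host(host: str, c2_hosts: Iterable[str]) -> bool:
    # Exact match or any subdomain of a listed host; a bare "ddns.net" is not a hit.
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in c2_hosts)


def match_dns_log(lines: Iterable[str],
                  c2_hosts: Iterable[str] = PAZERA_C2_HOSTS) -> List[Tuple[int, str]]:
    """Return (line_number, hostname) for each log line that resolves a C&C host."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            if _is_c2_host(host, c2_hosts):
                hits.append((lineno, host.lower()))
                break
    return hits


def script_indicators(script: str) -> List[str]:
    """Return dropper markers and C&C hosts found in a script body."""
    found = [m for m in DROPPER_MARKERS if m.lower() in script.lower()]
    found += sorted({h.lower() for h in _HOST_RE.findall(script)
                     if _is_c2_host(h, PAZERA_C2_HOSTS)})
    return found


# Constructed demo inputs (not real samples or real logs).
SAMPLE_FILES = {
    "invoice.exe": b"MZ\x90\x00 constructed sample, not real malware",
    "readme.txt": b"just text",
}
SAMPLE_DNS_LOG = [
    "2017-05-31 09:58:01 client=10.0.0.5 query=www.example.com type=A",
    "2017-05-31 09:58:07 client=10.0.0.5 query=magstealnew.ddns.net type=A",
    "2017-05-31 09:58:09 client=10.0.0.7 query=ddns.net type=A",
    "2017-05-31 09:58:12 client=10.0.0.5 query=update.cx2new.ddns.net type=A",
]
SAMPLE_SCRIPT = ('// constructed fragment for the demo\n'
                 'var cmd = "7za.exe x -pSECRET payload.zip";\n'
                 'var host = "magstealnew.ddns.net";\n')

if __name__ == "__main__":
    print("hash hits:", match_hashes(SAMPLE_FILES))
    print("dns hits:", match_dns_log(SAMPLE_DNS_LOG))
    print("script indicators:", script_indicators(SAMPLE_SCRIPT))
```

The DNS matcher treats any subdomain of a listed host as a hit, since dynamic DNS operators hand out hostnames under shared parent domains and the attacker may rotate labels below the one seen; the bare parent domain (ddns.net) is deliberately not matched, because it is shared with legitimate users.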
Fernando Díaz
[email protected]
Antonio Sánchez
[email protected]