Warning: A new malware campaign targeted at Vietnamese banks


On August 22, 2018, CyRadar's monitoring system detected a new cyber attack targeting one of Vietnam's major banks. Shortly afterwards, CyRadar found that several other organizations had been attacked in the same way. At the time of the attack, most of the network security layers in place were bypassed: no available anti-virus product detected the malicious code, and no firewall blocked its connection to the command-and-control server.

On the system that CyRadar monitors, the malicious code was removed as soon as it was detected, and almost no damage was done. It is likely, however, that other financial institutions in Vietnam are suffering the same attack without a timely response.

A strange connection was detected by the CyRadar Advanced Threat Detection system.

The attack begins with an email carrying a PDF attachment, sent to a number of key staff at the bank. Because the malware was brand new, the anti-virus software on the bank's computers could neither detect nor remove it. When the user is tricked into opening the PDF, the code embedded in the file immediately runs a chain of actions that quietly downloads a piece of spyware onto the victim's computer. The spyware can steal data from that computer and gives the attackers remote control of it.

It can also eavesdrop on audio from the computer, and from that foothold the attackers can move on to other computers on the network. Below is a summary of the stages of the malicious code after the victim opens the PDF file:

According to expert analysis, this spyware is a new variant of the FlawedAmmyy RAT (Remote Access Trojan), the same spyware that has been linked to attacks on banks around the world over the past month. Behind it is a professional criminal group that specializes in banks.

If you work at a bank, take great care before opening any document whose origin you do not know, especially now, when we are witnessing a massive campaign against banks and financial institutions.

Experts recommend that banks in Vietnam raise their vigilance and quickly review their networks for suspicious connections and files. The indicators of compromise (IoCs) are listed below:

IoCs: system administrators should quickly look for any connection to the malicious domain and IP below, and for files with the following MD5 hashes:

  • PDF file: 17d3e70a13cb54adbe15ce05f2ec1640
  • PUB file: e535449010a9977ec919ba0dc6544f0c
  • Setup file: a471555caf8dbb9d30fac3014172515f
  • FlawedAmmyy RAT file: 73964f92d3e5e142047574afa78726e3
  • Download domain (payload delivery): g50e[.]com
  • Command-and-control (C2) server: 185[.]99[.]132[.]12
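
The review the list above asks for is mechanical: match every proxy or DNS record against the domain and IP, and every suspicious file against the hashes. The script below is an added example, not part of CyRadar's article or tooling. It refangs the defanged indicators, treats subdomains of g50e[.]com as hits while rejecting look-alikes such as notg50e.com, matches the C2 IP only as a destination, and classifies MD5 digests against the hash list. The log lines are constructed for the example (the format, hosts and client addresses are assumptions, not traffic from the incident).

```python
import hashlib
import re

# IoCs from the article, kept defanged so this file can be shared without tripping filters.
IOC_HASHES = {
    "17d3e70a13cb54adbe15ce05f2ec1640": "PDF lure",
    "e535449010a9977ec919ba0dc6544f0c": "Publisher file (22082018.pub)",
    "a471555caf8dbb9d30fac3014172515f": "NSIS setup (hum.exe)",
    "73964f92d3e5e142047574afa78726e3": "FlawedAmmyy RAT (winksys.exe)",
}
IOC_DOMAINS = ["g50e[.]com"]
IOC_IPS = ["185[.]99[.]132[.]12"]

# Constructed proxy log lines (timestamp, client, method, URL or host:port, status, bytes);
# not real traffic from the incident. 10.10.4.21 is the only client that touches the IoCs;
# notg50e.com and 185.99.132.120 are decoys that a sloppy substring match would flag.
SAMPLE_LOG = """\
2018-08-22T09:14:02Z 10.10.4.21 GET http://g50e.com/security 200 1337221
2018-08-22T09:14:40Z 10.10.4.21 CONNECT 185.99.132.12:443 200 0
2018-08-22T09:15:01Z 10.10.4.33 GET http://update.microsoft.com/ 200 4311
2018-08-22T09:16:12Z 10.10.4.21 GET http://cdn.g50e.com/ 404 0
2018-08-22T09:17:00Z 10.10.4.50 GET http://notg50e.com/ 200 10
2018-08-22T09:18:30Z 10.10.4.50 CONNECT 185.99.132.120:443 200 0
"""

_HOST_RE = re.compile(r"https?://([^/\s:]+)")
_IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str, domain: str) -> bool:
    """Exact domain or any subdomain; 'notg50e.com' must not match 'g50e.com'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def scan_log(text: str) -> list:
    """Return (line number, client IP, value that matched, IoC it corresponds to) tuples."""
    domains = [refang(d) for d in IOC_DOMAINS]
    ips = {refang(i) for i in IOC_IPS}
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        client = fields[1]
        for host in _HOST_RE.findall(line):
            for d in domains:
                if host_matches(host, d):
                    hits.append((n, client, host, d))
        for ip in _IP_RE.findall(line):
            # Only count the C2 address as a destination, never as the client column.
            if ip in ips and ip != client:
                hits.append((n, client, ip, ip))
    return hits


def affected_clients(hits: list) -> list:
    """Distinct internal hosts that contacted an indicator; these go to incident response."""
    return sorted({h[1] for h in hits})


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_file(path: str) -> str:
    """Chunked MD5 so large installers do not need to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_hash(digest: str):
    """Name of the IoC a digest belongs to, or None if it is not on the list."""
    return IOC_HASHES.get(digest.lower())


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print("line %d: client %s contacted %s (IoC %s)" % h)
    print("clients to isolate:", affected_clients(hits))
```

MD5 is used only because that is what the article publishes; when you hunt on your own systems, record SHA-256 alongside it so your findings can be shared with other teams. The same `scan_log` logic applies to DNS resolver logs if you point `_HOST_RE` at the query-name column.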

Technical analysis of the banking spyware

1. PDF File

The PDF file sent to the victim contains JavaScript that is set to run as soon as the file is opened:

The function Aluka2() is invoked via OpenAction.

Decoding the stream makes the JavaScript function Aluka2() readable. The file 22082018.pub is embedded in the PDF, and its content can be stored in either hex or plain-text form:

Inside the function Aluka2().
The embedded file content, which can appear in both hex and text forms.

With this setup, opening the PDF executes the JavaScript, which opens the embedded file 22082018.pub. The PDF reader does prompt the user before the embedded file is launched, but most users hastily click "OK" and the file opens anyway.

Warning shown before the embedded file is opened.
At the time of writing, 22 of 66 antivirus engines identify the malicious PDF.
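
Before an engine has a signature, this lure can still be caught structurally: a PDF whose OpenAction runs JavaScript and which carries an embedded file is almost never legitimate. The triage script below is an added example, not code from the article or from CyRadar. It counts the relevant PDF keywords after resolving `#xx` hex escapes in name tokens (a common way to hide /JavaScript from naive string searches), lists embedded file names, and rates the combination. The sample PDF is constructed inline and mirrors only the structure described in the article; the body of Aluka2() is not shown on the page, so the `exportDataObject` call in the sample is an assumption about how an embedded file is launched from Acrobat JavaScript, not the campaign's code.

```python
import re

# Constructed sample, not the campaign's PDF: a minimal file with the structure the article
# describes (an /OpenAction that runs JavaScript, which launches an embedded file).
# The /S name is written with #xx escapes (/#4A#61... = /JavaScript) to show how a naive
# keyword search can be evaded. exportDataObject/nLaunch is the Acrobat JavaScript API for
# launching an embedded file; the real Aluka2() body is an assumption here.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R
   /Names << /EmbeddedFiles << /Names [(22082018.pub) 5 0 R] >> >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /#4A#61#76#61#53#63#72#69#70#74
   /JS (function Aluka2(){this.exportDataObject({cName:"22082018.pub",nLaunch:2});} Aluka2();) >>
endobj
5 0 obj
<< /Type /Filespec /F (22082018.pub) /EF << /F 6 0 R >> >>
endobj
6 0 obj
<< /Type /EmbeddedFile /Length 0 >>
stream
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# /OpenAction and /AA fire actions automatically, /JavaScript and /JS carry script,
# /EmbeddedFile, /Launch and exportDataObject get a payload onto disk or running.
AUTO_EXEC = (b"/OpenAction", b"/AA")
SCRIPT = (b"/JavaScript", b"/JS")
PAYLOAD = (b"/EmbeddedFile", b"/Launch", b"exportDataObject")
RISKY_EXT = (".pub", ".exe", ".scr", ".js", ".vbs", ".settingcontent-ms", ".docm", ".xlsm")


def decode_pdf_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name token, e.g. b'/#4A#53' -> b'/JS'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)


def normalize_names(data: bytes) -> bytes:
    """Rewrite every /Name token with its escapes resolved so keyword matching sees the real name."""
    return re.sub(rb"/[^\s/<>\[\]()%{}]+", lambda m: decode_pdf_name(m.group(0)), data)


def count_keyword(data: bytes, kw: bytes) -> int:
    # The lookahead keeps /JS from matching longer names and /EmbeddedFile from matching /EmbeddedFiles.
    return len(re.findall(re.escape(kw) + rb"(?![A-Za-z])", data))


def embedded_file_names(data: bytes) -> list:
    """File names from /Filespec dictionaries (/F (name)); the streams themselves are not extracted."""
    return [m.decode("latin-1") for m in re.findall(rb"/F\s*\(([^)]*)\)", data)]


def triage_pdf(data: bytes) -> dict:
    norm = normalize_names(data)
    hits = {kw.decode(): count_keyword(norm, kw) for kw in AUTO_EXEC + SCRIPT + PAYLOAD}
    names = embedded_file_names(norm)
    auto = any(hits[k.decode()] for k in AUTO_EXEC)
    script = any(hits[k.decode()] for k in SCRIPT)
    payload = any(hits[k.decode()] for k in PAYLOAD)
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if auto and script and (payload or risky):
        verdict = "high"     # auto-run script that launches or drops a payload: this campaign's pattern
    elif auto and script:
        verdict = "medium"   # auto-run script with no obvious payload
    elif script or payload:
        verdict = "low"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "embedded_files": names, "risky_embedded": risky}


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

The script reads the raw file, so keywords inside FlateDecode object streams are invisible to it; inflate those streams first (or extend `normalize_names` with `zlib`) before trusting a "clean" verdict. The approach is the same keyword counting that tools such as pdfid perform, with the hex-escape handling that this kind of lure makes necessary.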

2. Microsoft Publisher File

If the user clicks "OK", Microsoft Publisher is launched to display the contents of 22082018.pub. The attacker has prepared this file with text that entices the user to click "Enable Macros".

Microsoft Publisher opens the file 22082018.pub.

3. VBA Script

Once macros are enabled, the VBA script in the .pub file runs, downloads another file from a link and executes it.

Content of the VBA script.

In the VBA code above, the attacker does not pass the parameters (URL, file name and so on) directly to the download and execution functions; they are hidden in the Tag and Caption properties of a form attached to the document. This trick makes the macro harder to read for anyone reviewing it, because the URL never appears as a string literal in the code itself.
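
A grep for "http" over such a macro returns nothing, which is exactly why the indirection works. What does survive is the data flow: a variable is assigned from a control property and then reaches a download or execution API. The script below is an added example, not from the article, that follows that flow through a constructed VBA fragment. The macro text, control names (UserForm1, Label1, CommandButton1) and procedure name are made up to reproduce the technique described above; they are not the campaign's macro.

```python
import re

# Constructed VBA, not the campaign's macro: the download URL and target file name are read
# from form control properties (Tag, Caption) instead of appearing as string literals.
SAMPLE_VBA = """\
Private Sub Document_Open()
    Dim u As String, f As String
    u = UserForm1.Label1.Tag
    f = UserForm1.CommandButton1.Caption & ".exe"
    URLDownloadToFile 0, u, f, 0, 0
    Shell f, vbHide
End Sub
"""

# Form control properties that can carry attacker-supplied strings without appearing in the code.
INDIRECT_PROPS = ("Tag", "Caption", "ControlTipText", "Text", "Value")
# APIs that download or execute; arguments that reach them from INDIRECT_PROPS are what we hunt.
RISKY_APIS = ("URLDownloadToFile", "Shell", "ShellExecute", "CreateObject", "Run", "Exec")

_PROP_RE = re.compile(r"\.(?:%s)\b" % "|".join(INDIRECT_PROPS))
_ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
_IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def find_literal_urls(vba: str) -> list:
    """What a quick grep for URLs finds; on this kind of macro it finds nothing."""
    return re.findall(r"https?://[^\s\"']+", vba)


def tainted_variables(vba: str) -> dict:
    """Map variable -> line where it first received a value derived from a control property.
    Taint propagates through later assignments that reference an already tainted variable."""
    taint = {}
    for n, line in enumerate(vba.splitlines(), 1):
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, rhs = m.groups()
        if _PROP_RE.search(rhs) or any(v in taint for v in _IDENT_RE.findall(rhs)):
            taint.setdefault(lhs, n)
    return taint


def tainted_calls(vba: str) -> list:
    """Risky API calls whose argument list contains a tainted variable."""
    taint = set(tainted_variables(vba))
    findings = []
    for n, line in enumerate(vba.splitlines(), 1):
        for api in RISKY_APIS:
            m = re.search(r"\b%s\b\s*\(?(.*)" % api, line)
            if not m:
                continue
            args = set(_IDENT_RE.findall(m.group(1)))
            hit = sorted(args & taint)
            if hit:
                findings.append({"line": n, "api": api, "tainted_args": hit})
    return findings


if __name__ == "__main__":
    print("literal URLs:", find_literal_urls(SAMPLE_VBA))
    for f in tainted_calls(SAMPLE_VBA):
        print(f)
```

The heuristic is deliberately line-based and will miss values passed through Split, Replace or Chr obfuscation; for real triage, dump the form's control properties (olevba from oletools can extract UserForm streams) and resolve the values rather than trusting the code alone.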

4. FlawedAmmyy RAT

The file downloaded by the macro from http://g50e[.]com/security is saved as hum.exe. It is an installer carrying a valid code-signing signature issued to "DO NOT MISS A WORD LIMITED".

The installer hum.exe is packaged with NSIS.

When run, it drops winksys.exe and registers it as a service so that it starts automatically every time the machine boots.

Service registration for winksys.exe.

winksys.exe is in fact a component of the FlawedAmmyy RAT (Remote Access Trojan), which has featured in many major attacks on banks around the world over the past month.

Information about FlawedAmmyy RAT.

FlawedAmmyy RAT is the name of a spyware family built from the leaked source code of Ammyy Admin v3, Ammyy's remote desktop software.

As mentioned in our earlier article on the use of SettingContent-ms files embedded in PDFs to distribute malicious code, the same FlawedAmmyy RAT family was spread in exactly that way (via SettingContent-ms) at the time.

Returning to the FlawedAmmyy RAT sample in hand, its well-known spy features include:

  • Remote Desktop control;
  • File system manager;
  • Proxy support;
  • Audio Chat.

The malware also checks for the presence of antivirus software before it runs:

It checks for the antivirus process name and exits if it is found.

The command-and-control server for this attack is 185[.]99[.]132[.]12.

The malicious code connects to the control server.

This server has been involved in malware attacks since May 2018. All of its domains are subdomains of usa.cc, including subdomains that borrow the names of companies and banks such as Barclays, Jerez and Netflix.

Control server and related domains.

5. What lessons can be drawn?

Banks and financial institutions are always attractive targets for criminals. Aware of this, banks have invested heavily in security, and the major bank mentioned at the start of this article was, of course, already equipped with many layers of protection.

So why did this malicious code still get into the system?

  • The malicious files were built for this attack: all of them (PDF, PUB, EXE) were created on the day of the attack (August 22, 2018), so most AV engines did not recognize them. The installer even carries a digital signature.
  • The domain and the server IP are new: neither the download domain g50e[.]com nor the C2 IP 185[.]99[.]132[.]12 was on the blocklists of many vendors.
  • The attack targets the user rather than a software vulnerability: at both gates of the intrusion (opening the PDF and opening the PUB file) the user has to grant permission before the malware can run, and in this case the user did, so the malicious code executed. A system can be equipped with solutions that block or detect attacks on a software vulnerability early, but unfortunately people can always break the rules the system relies on.

Therefore:

  • Raise security awareness through internal communication channels and training courses.
  • Traditional solutions are not enough against increasingly sophisticated attacks; more advanced, intelligent solutions capable of detecting anomalies are needed.
  • Proactively hunt for this malicious code, especially during the current peak of cyber-attacks.
  • If you are an employee and suspect you have been infected, notify the security department immediately.

CS & Manh Tung – CyRadar
