According to the Verizon 2015 Data Breach Investigations Report, five malware events occur every second, and financial services firms experience an average of 350 malware events every week. Gone are the days of blasting into bank vaults to steal paper money. It is much safer for thieves to steal money electronically, and significantly more lucrative considering that in 2013 about $4.6 trillion in purchases were made with credit and debit cards. This has led to the high incidence of financial malware strains which allow attackers to monetize their attacks by gaining access to users’ online banking portals.

In a startling example, Skyhigh recently detected a zero-day malware strain that is a variant of PWS-Zbot, using multi-stage malware detection and analysis capable of identifying new malware that the cloud provider’s signature-based malware detection missed. PWS-Zbot is a threat that exploits multiple vulnerabilities in a user’s system to capture and exfiltrate financial account information. It can enter the user’s system in multiple ways. One common way is to exploit vulnerabilities in browsers to modify web transactions, a technique called ‘Man-in-the-Browser’. This technique allows the malware to operate without being detected by users or web hosts, even if they use security controls such as encryption or multi-factor authentication. Another mode of entry is through web attack toolkits or social engineering tactics such as sending malware embedded in attachments of phishing emails. The malware can also use the autorun capabilities of removable media such as USB memory sticks.

Once it has infected the user’s machine, it records sensitive user information and interacts with its command and control (C&C) server to exfiltrate this information and to receive instructions. It works in multiple ways to monitor user activity and steal information. It can inject code into critical system processes such as Winlogon.exe, svchost.exe or explorer.exe to take control of them. It can log keystrokes, take screenshots, and record user web activity. It can also hook certain API calls to intercept information entering and leaving the network. It then posts all the user information to a remote site. The malware is constantly communicating with the C&C server to receive instructions and also to update itself to evade detection.

Financial malware such as Zbot usually has two stages of execution. Stage 1 is infection, where the financial malware enters the user’s system. Stage 2 is exfiltration, where it steals user information to give attackers access to online banking sites. The malware is sophisticated enough to modify the transaction numbers, so even if users see the transactions, they are not likely to become suspicious. Once the attackers log in to the user’s bank account, they receive the money by moving it through ‘mules’ to cover their tracks.

PWS-Zbot Execution

When the malware is executed on the user’s system, it drops copies of itself and its supporting files into the following locations:

  • %SysDir% folder as sdra64.exe
  • %SysDir% folder as [random hex number].exe
  • %SysDir%\lowsec\local.ds – config file
  • %SysDir%\lowsec\user.ds – log file
  • %AppData%\[Randomly generated folder name]\[Randomly generated binary filename]
  • %AppData%\[Randomly generated folder name]\[Randomly generated data filename]
  • %AppData%\[random hex number].exe

It also creates autostart registry entries so that it runs again after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    {RandomUID} = %AppData%\[Random Named Folder]\[Random FileName]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    “Userinit” = “%System%\userinit.exe, %System%\sdra64.exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    {random hex number} = %AppData%\[random hex number].exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run
    adobe = %AppData%\[random hex number].exe

The malware then creates the following non-malicious file:

  • %User Profile%\Application Data\Microsoft\Address Book\{user name}.wab

And adds the following registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
    (Default) = “%User Profile%\Application Data\Microsoft\Address Book\{user name}.wab”

It then adds the following firewall entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    {port}:TCP = “{port}:TCP:Enabled:TCP {port}”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    {port}:UDP = “{port}:UDP:Enabled:UDP {port}”

These registry entries ensure that the malware creates a firewall rule to bypass the usual authentication process.

The following registry keys are also added to the system:

  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4
  • HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4\Wab File Name

Finally, this registry value is written:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DisableNotifications = 0x00000000

This registry entry allows the malware to disable firewall notifications.

Recent variants of this family have been observed to create two subfolders, an executable file and a data file with random names inside the %APPDATA% folder. The malware then executes, modifying its own code in memory and transferring control to the modified code. This modified code collects system information such as the computer name, the running operating system, the installation date, and the DigitalProductId. It also creates a copy of itself, changes the file parameters, and executes it. After the copied file is executed, it deletes the parent process and the original file.

The new file is responsible for carrying out multiple malicious processes:

  • Injecting code into remote processes whose names match any of the following: dwm.exe, taskhost.exe, taskeng.exe, wscntfy.exe, ctfmon.exe, rdpclip.exe, explorer.exe
  • Exfiltrating certificate and private key details, encrypting them, and saving them in a data file
  • Lowering the Internet Explorer security settings by adding and modifying the following registry entries:
    • HKCU\Software\Microsoft\Internet Explorer\Privacy
      CleanCookies = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
      1609 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
      1406 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
      1609 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
      1609 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      1406 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      1609 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
      1406 = 0x00000000
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
      1609 = 0x00000000

HTML injection on SSL-secured banking transactions

By injecting HTML code, the Zbot malware tricks users into providing sensitive information that those sites would not otherwise request. The injected code modifies the target website to ask for additional information, such as answers to security questions and ATM PINs. The Zbot malware targets multiple banking websites. Below are some examples of the URL masks it matches against:

  • https://online.wellsfargo.com/signon*
  • https://www.paypal.com/*/webscr?cmd=_account
  • https://www.paypal.com/*/webscr?cmd=_login-done*
  • https://www#.usbank.com/internetBanking/LoginRouter
  • https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
  • https://www#.citizensbankonline.com/*/index-wait.jsp
  • https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
  • https://www.suntrust.com/portal/server.pt*parentname=Login*
  • https://www.53.com/servlet/efsonline/index.html*
  • https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
  • https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
  • https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
  • https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
  • https://resources.chase.com/MyAccounts.aspx
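The entries above are URL masks rather than literal URLs: `*` stands for any run of characters and `#` for one character (the single-character reading of `#` and case-insensitive matching are assumptions about the family's configuration format, not stated on this page). The Python below is an added example, not Skyhigh's or the malware's code, that compiles the masks quoted above into regular expressions and runs them over a constructed list of proxy-log URLs, the kind of check a bank's security team can use to see whether its own login URLs fall under a published target list, or to tag sessions in which a suspect client reached a targeted portal.

```python
import re

# URL masks exactly as quoted in the write-up.
TARGET_MASKS = [
    "https://online.wellsfargo.com/signon*",
    "https://www.paypal.com/*/webscr?cmd=_account",
    "https://www.paypal.com/*/webscr?cmd=_login-done*",
    "https://www#.usbank.com/internetBanking/LoginRouter",
    "https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*",
    "https://www#.citizensbankonline.com/*/index-wait.jsp",
    "https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx",
    "https://www.suntrust.com/portal/server.pt*parentname=Login*",
    "https://www.53.com/servlet/efsonline/index.html*",
    "https://web.da-us.citibank.com/*BS_Id=MemberHomepage*",
    "https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome",
    "https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary",
    "https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService",
    "https://resources.chase.com/MyAccounts.aspx",
]


def mask_to_regex(mask):
    """Translate a mask to a regex: '*' -> any run of characters, '#' -> exactly one
    character (assumed semantics); everything else, including '?' and '.', is literal."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)  # case-insensitivity is an assumption


COMPILED = [(mask, mask_to_regex(mask)) for mask in TARGET_MASKS]


def matching_masks(url):
    """All masks that match the full URL (a URL can match more than one)."""
    return [mask for mask, rx in COMPILED if rx.fullmatch(url)]


def scan_urls(urls):
    """Map each URL that matches at least one mask to the list of masks it matched."""
    hits = {}
    for url in urls:
        matched = matching_masks(url)
        if matched:
            hits[url] = matched
    return hits


# Constructed proxy-log URLs for the example; the last two are deliberate non-matches.
SAMPLE_PROXY_URLS = [
    "https://online.wellsfargo.com/signon?LOB=CONS",
    "https://www4.usbank.com/internetBanking/LoginRouter",
    "https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-done&login_access=1",
    "https://onlineeast5.bankofamerica.com/cgi-bin/ias/E/GotoWelcome",
    "https://www.usbank.com/internetBanking/LoginRouter",  # '#' needs one character after www
    "https://www.example-bank.test/login",
]

if __name__ == "__main__":
    for url, masks in scan_urls(SAMPLE_PROXY_URLS).items():
        print(url, "->", masks)
```

Compiling with `fullmatch` rather than `search` matters: the masks are anchored at both ends, so a partial match against a longer or shorter URL is not a hit, which is why `https://www.usbank.com/...` (no character between `www` and the dot) is correctly left out.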

As enterprises adopt more cloud services, they are increasingly leveraging Cloud Access Security Brokers (CASBs) to detect and remediate malware. To discover new zero-day threats that are missed by the signature-based malware protection solutions used by cloud providers, Skyhigh leverages multi-stage threat detection powered by machine learning and behavioral analysis, reputation and feed analysis, and static and payload analysis and provides security teams with actionable, contextual intelligence that empowers them to respond to attacks faster and more effectively.