Banking Trojan Targets South Korean Banks; Uses Pinterest as C&C Channel

We recently found a new banking Trojan which targeted to several banks in South Korea. This isn’t the first time, though: in June last year, we saw that several online banking threats widened its range of targets and targeted Korean banks using various techniques.

Throughout the course of our monitoring similar threats, we noticed a new wave of banking Trojans targeting South Korean banks that show unusual behavior, including the use of Pinterest as their command and control (C&C) channel.

Infection Via Malicious Iframe Injection

This threat is currently affecting users in South Korea via compromised sites leading to exploit kits. In mid-November, we found an infection chain that involved multiple malicious websites in a single infection.

First, to deliver this threat to the user, legitimate sites are compromised and an iframe tag is injected. This tag redirects users to a second compromised site which hosts an exploit kit, which delivers the banking Trojan to the user. We detect this as TSPY_BANKER.YYSI.

Once this malware is present on an affected system, users who access certain banking websites using Internet Explorer are automatically redirected to a malicious site, which contains a phishing page that asks users to input their banking credentials. Users who access the website with other browsers are not affected. (Due to South Korean regulations, users in South Korea generally use Internet Explorer to access local banking sites.)

Figure 1. Comparison between legitimate banking site and fake banking site

Below is a list of targeted banking websites that are targeted for information theft:

hxxp://kbstar.com
hxxp://wooribank.com
hxxp://banking.nonghyup.com
hxxp://v3clinic.ahnlab.com
hxxp://hanabank.com
hxxp://mybank.ibk.co.kr
hxxp://www.ibk.co.kr
hxxp://banking.shinhan.com
hxxp://www.fcsc.kr

How is this redirection done? If the user visits one of the above sites, the malware will instead cause Internet Explorer to load an iframe that loads various phishing pages. The URL of this banking site will vary, depending on the URL of the original site.

The malware will also spoof the URL in the address bar to make the user believe they are at the legitimate banking site. Upon entering their personal information, they will then be redirected to the fake banking site. In addition to the listed banks, the website of a popular South Korean search engine is similarly modified to open a pop-up window with links to the monitored banks.

The command-and-control (C&C) routines of this malware are interesting. How does it know which fake site to redirect users to?

This is normally done by contacting a C&C server, but in this case the attackers didn’t do that. Instead, they used the social networking site Pinterest. Cybercriminals can customize redirect victims to different fake servers using comments on certain Pinterest pins:

Figure 2. Comments left on the Pinterest pin

We can see above how the comments above include the text 104A149B245C120D. This is decoded as 104.149.245.120; similarly 70A39B104C109D decodes to 70.39.104.109. The letters are replaced with a dot. This allows the attackers to quickly change their server locations in order to avoid being detected.

Code Reused From SweetOrange Exploit Kit?

We mentioned earlier that a compromised site was used to host the exploit code which plants malware onto the site’s visitors.

Vulnerabilities in Internet Explorer are used to deliver malware in these cases – specifically, CVE-2013-2551 and CVE-2014-0322. Both of these vulnerabilities have long been patched, the former in May 2013 and the latter in September 2014. Javascript obfuscation is heavily used to prevent code analysis. However, we were still able to find that the exploit is similar to that used by the SweetOrange exploit kit, which we discussed earlier this year.

In this month, however, they are now using the Gongda exploit kit to deliver malware. However, they are still targeting users redirected from Korean websites. The CVE-2014-6332 vulnerability in Windows was used in this attack, which was only patched in November.

Additionally, we observed that the deobfuscated exploit code contained comments written in Chinese that described how the vulnerability works.

Figure 3. Chinese comment in exploit code

The malware also communicates to various servers to the URL hxxp://{various IP addresses}:9000/tongji.html. (The word tongji is the Romanized form of the Chinese word for statistic.)

The cybercriminals also used a Chinese web analytics/tracking service named 51yes.com to generate statistics both for the compromised websites and the C&C servers.

The diagram below shows the entire attack scenario.