Next-generation Trojan plunders East European bank accounts
Russian and Ukrainian banks have been lately trying to stop the onslaught of BlackEnergy 2, a Trojan that manages to bypass the Java application that the customers use to authenticate themselves when accessing their accounts, steals the credentials, and then proceeds to bombard the same application with data until it crashes – diverting the bank’s attention from the heist in progress.
According to Joe Stewart, a researcher with Secure Works, the people behind these attacks are Eastern European criminal gangs. The attacks started in late 2009, and they are still being carried out. The exclusive targets are banks (and customers) from Russia and Ukraine.
The Register reports that Stewart analyzed the Trojan and has presented his findings at the Forum of Incident Response and Security Team (FIRST) being held this week in Miami. He claims that the Trojan has been modeled upon BlackEnergy, the DDoS Trojan (mis)used in the Russian/Georgian conflict in 2008.
The original BlackEnergy had DDoS capabilities, but this recent one was “upgraded” with modern rootkit/process-injection techniques, strong encryption and a modular architecture, making it possible for capable programmers to write plug-ins for it and additionally enhancing its capabilities.
Steward disclosed that the banking plugins of the Trojan are not in wide circulation, and are probably not part of the default install. “Theft of the user’s credentials is accomplished by stealing the user’s private encryption key as it is read by the applet, and stealing the user’s passphrase as it is typed/pasted into the dialog. The stolen data, along with a list of URLs that were accessed at the same time (so that the thief knows which bank the credentials are for) is sent back to the BE2 controller at the moment the login request is sent to the banking application server,” says in the report.
Having pilfered the credentials, the Trojan proceeds to destroy the filesystem of the infected computer and attempts to make all fixed drives unreadable or unbootable, then shuts down the computer. This modus operandi is likely designed to prevent the owners of the accounts to log in and discover what’s happening and alerting the bank.