IBM X-Force researchers closely follow the activity and fraud methods of banking Trojans in the wild. In one of their recent findings, the team uncovered an interesting link between an underground webinjection vendor and three well-known cybercrime groups: the operators of the Ramnit, CoreBot and ZeusVM banking Trojans.
The Dark Web: Deeper and Darker
The dark Web and its underground cybercrime-themed discussion boards have long been a fraud enablement center where professional criminals could congregate to peddle their online fraud tools, wares and services.
A decade ago, cybercrime discussion boards were a bustling marketplace where both rookies and expert criminals would exchange information and buy and sell cybercrime-as-a-service (CaaS). Nowadays, after a few major law enforcement interventions and the capture of banking Trojan authors such as those who created SpyEye, Carberp, Gozi and Dridex, underground boardgoers are a lot more cautious.
Gone are the expert-level patrons who used to frequent the open and semi-open boards, for obvious reasons. Newcomers typically run into novice actors and midlevel administrators in search of information and accomplices.
But expert CaaS vendors are still part of the underground economy, and they provide other cybercriminals with verified commodities such as:
- Exploit kit services;
- Highly customized spam campaigns;
- Bulletproof hosting;
- Botnet and access rentals to infected endpoints; and
- Webinjection experts and resources.
Since these CaaS vendors understand the risk level involved with their profession, they carefully limit access to their services to a select few boards — only the most exclusive, such as communities that are closed off to newcomers and have extremely strict rules on the admissibility of new members.
Webinjection Expertise: A Top Cybercrime Commodity
Some of the most popular CaaS commodities in the exclusive parts of the Dark Web are the services of expert webinjection writers who supply their skills to banking Trojan operators.
Webinjections are code snippets that financial malware can force into otherwise legitimate Web pages by hooking the Internet browser. Once a browser has been compromised by the malware, attackers can use these injections to modify what infected users see on their bank’s pages or insert additional data input fields into legitimate login pages in order to steal information or mislead unsuspecting users.
To be considered both high-quality and effective, these webinjections have to seamlessly integrate with the malware’s injection mechanism, display social engineering that corresponds with the target bank’s authentication and transaction authorization schemes and have the perfect look and feel to fool even the keenest customer eye.
According to IBM X-Force researchers, when it comes to these tools, elite cybercrime gangs appear to buy from a limited number of experts who program and sell target-specific webinjections. Examining the content of Trojan configuration files may show that the same exact code is being used or fetched in real time from the same remote servers.
Judging by the common injections used by a few major gangs, cybercriminals may develop the malware in-house, but they outsource the webinjection portion to black-hat CaaS vendors who specialize in writing this type of fraud-facilitating code.
Other examples emerge from research on the inner workings of malware configurations, webinjections and fraud attack schemes. Research showed that Trojans such as Shifu, Neverquest and Dridex share some of the exact same injections or fetch the same ones from the same remote servers per the targeted bank.
While research points to the possibility that the top cybercrime gangs buy webinjections from the same shady developers, more definitive proof was uncovered in one of the most exclusive underground boards via a top-tier injections vendor.
From Card Details to Passport Numbers
IBM X-Force researchers noted that in a detailed forum post written in Russian, a cybercrime vendor was offering a rather elaborate set of quality webinjections to other members. The vendor operates a CaaS website through which he markets injections designed to target 53 bank brands in English-speaking countries: the U.S., the U.K., Australia and Canada.
IBM X-Force obtained some references from the CaaS vendor’s website and analyzed the injections offered for sale. The results revealed that those exact injections are currently in use by prolific banking Trojans, namely Ramnit, CoreBot and a privately owned ZeusVM iteration. All these Trojans are generally believed to be operated by closed cybercrime groups.
The injections are adapted to each bank’s look and feel and also require different details in each case.
In almost all cases, the injection requires the victim to divulge their payment card details, secret questions, personally identifiable information (PII) and ID document numbers. For example, in the case of injections tailored to American banks, the vendor typically required card details, date of birth, mother’s maiden name and Social Security numbers.
In the case of Australian banks, the vendor designed injections to require the details of identification documents on top of payment card information.
Injections for U.K. and Canadian banks required victims’ telephone banking passwords and payment card PIN codes.
While webinjections are used primarily to gather information for fraudulent wire transfers, attackers who buy these particular formats will also gather payment card data and other PII, which can be used for a variety of fraud scenarios, not just wire transfer fraud.
When it comes to organized cybercrime, banking malware is no longer the work of the sole developer who wrote the code or a partner he or she has teamed up with. Crime factions are increasingly organized in the same fashion as legitimate businesses. It is not so surprising to see cybercrime gangs need extra help to achieve their goals faster, outsourcing work to external experts who specialize in supplying their specific needs while keeping their business discreet.
Injection vendors are cybercriminals. In a publicized case, the individual who wrote webinjections for the Gozi Trojan was arrested and charged for his activity, Reuters reported. He admitted to knowing what he was doing was against the law.
Since different gangs use the same injections, it is safe to infer that injection authors cater to a number of groups and aim to make banking Trojan more effective. The authors continuously keep the injections current with the targeted banks’ or service providers’ website layouts and formatting, as well as the types of elements those entities require for the authorization of online transactions.
Outsmarting Dark Web Threats With Intelligence and Proactive Protection
After concluding that the vendor they discovered in a closed discussion board is the likely supplier of webinjections to at least three gangs, IBM X-Force researchers took action. They translated their findings into indicators of compromise (IOCs), which could then be integrated into antifraud IBM Security products.
Ongoing intelligence-based product enhancement is a proactive way to better protect customers against different types of malware reusing injections from the same vendor. Knowing that some cybercrime gangs use injections from the same provider can mean better malware protection. Once a security product is configured to look for a known webinjection, the malcode will be flagged even in new variants and other Trojan families.
Security professionals can further extend this knowledge to other platforms, like SIEM and intrusion prevention systems, by writing custom rules using information about injections shared on platforms like X-Force Exchange.