IBM X-Force researchers closely follow the activity and fraud methods of banking Trojans in the wild. In one of their recent findings, the team uncovered an interesting link between an underground webinjection vendor and three well-known cybercrime groups: the operators of the Ramnit, CoreBot and ZeusVM banking Trojans.

The Dark Web: Deeper and Darker

The dark Web and its underground cybercrime-themed discussion boards have long been a fraud enablement center where professional criminals could congregate to peddle their online fraud tools, wares and services.

A decade ago, cybercrime discussion boards were a bustling marketplace where both rookies and expert criminals would exchange information and buy and sell cybercrime-as-a-service (CaaS). Nowadays, after a few major law enforcement interventions and the capture of banking Trojan authors such as those who created SpyEye, Carberp, Gozi and Dridex, underground boardgoers are a lot more cautious.

Gone are the expert-level patrons who used to frequent the open and semi-open boards, for obvious reasons. Newcomers typically run into novice actors and midlevel administrators in search of information and accomplices.

But expert CaaS vendors are still part of the underground economy, and they provide other cybercriminals with verified commodities such as:

  • Exploit kit services;
  • Highly customized spam campaigns;
  • Bulletproof hosting;
  • Botnet and access rentals to infected endpoints; and
  • Webinjection experts and resources.

Since these CaaS vendors understand the risk level involved with their profession, they carefully limit access to their services to a select few boards — only the most exclusive, such as communities that are closed off to newcomers and have extremely strict rules on the admissibility of new members.

Webinjection Expertise: A Top Cybercrime Commodity

Some of the most popular CaaS commodities in the exclusive parts of the Dark Web are the services of expert webinjection writers who supply their skills to banking Trojan operators.

Webinjections are code snippets that financial malware can force into otherwise legitimate Web pages by hooking the Internet browser. Once a browser has been compromised by the malware, attackers can use these injections to modify what infected users see on their bank’s pages or insert additional data input fields into legitimate login pages in order to steal information or mislead unsuspecting users.

Whether made up of HTML code or JavaScript, webinjections are probably the most powerful social engineering tool available to cybercriminals who operate banking Trojan botnets.

To be considered both high-quality and effective, these webinjections have to seamlessly integrate with the malware’s injection mechanism, display social engineering that corresponds with the target bank’s authentication and transaction authorization schemes and have the perfect look and feel to fool even the keenest customer eye.

According to IBM X-Force researchers, when it comes to these tools, elite cybercrime gangs appear to buy from a limited number of experts who program and sell target-specific webinjections. Examining the content of Trojan configuration files may show that the same exact code is being used or fetched in real time from the same remote servers.

Judging by the common injections used by a few major gangs, cybercriminals may develop the malware in-house, but they outsource the webinjection portion to black-hat CaaS vendors who specialize in writing this type of fraud-facilitating code.

Other examples emerge from research on the inner workings of malware configurations, webinjections and fraud attack schemes. Research showed that Trojans such as Shifu, Neverquest and Dridex share some of the exact same injections or fetch the same ones from the same remote servers per the targeted bank.

While research points to the possibility that the top cybercrime gangs buy webinjections from the same shady developers, more definitive proof was uncovered in one of the most exclusive underground boards via a top-tier injections vendor.

From Card Details to Passport Numbers

IBM X-Force researchers noted that in a detailed forum post written in Russian, a cybercrime vendor was offering a rather elaborate set of quality webinjections to other members. The vendor operates a CaaS website through which he markets injections designed to target 53 bank brands in English-speaking countries: the U.S., the U.K., Australia and Canada.

IBM X-Force obtained some references from the CaaS vendor’s website and analyzed the injections offered for sale. The results revealed that those exact injections are currently in use by prolific banking Trojans, namely Ramnit, CoreBot and a privately owned ZeusVM iteration. All these Trojans are generally believed to be operated by closed cybercrime groups.

The injections are adapted to each bank’s look and feel and also require different details in each case.

In almost all cases, the injection requires the victim to divulge their payment card details, secret questions, personally identifiable information (PII) and ID document numbers. For example, in the case of injections tailored to American banks, the vendor typically required card details, date of birth, mother’s maiden name and Social Security numbers.

In the case of Australian banks, the vendor designed injections to require the details of identification documents on top of payment card information.

Injections for U.K. and Canadian banks required victims’ telephone banking passwords and payment card PIN codes.

While webinjections are used primarily to gather information for fraudulent wire transfers, attackers who buy these particular formats will also gather payment card data and other PII, which can be used for a variety of fraud scenarios, not just wire transfer fraud.

Cybercrime’s Linchpins

When it comes to organized cybercrime, banking malware is no longer the work of the sole developer who wrote the code or a partner he or she has teamed up with. Crime factions are increasingly organized in the same fashion as legitimate businesses. It is not so surprising to see cybercrime gangs need extra help to achieve their goals faster, outsourcing work to external experts who specialize in supplying their specific needs while keeping their business discreet.

Injection vendors are cybercriminals. In a publicized case, the individual who wrote webinjections for the Gozi Trojan was arrested and charged for his activity, Reuters reported. He admitted to knowing what he was doing was against the law.

Since different gangs use the same injections, it is safe to infer that injection authors cater to a number of groups and aim to make banking Trojan more effective. The authors continuously keep the injections current with the targeted banks’ or service providers’ website layouts and formatting, as well as the types of elements those entities require for the authorization of online transactions.

Outsmarting Dark Web Threats With Intelligence and Proactive Protection

After concluding that the vendor they discovered in a closed discussion board is the likely supplier of webinjections to at least three gangs, IBM X-Force researchers took action. They translated their findings into indicators of compromise (IOCs), which could then be integrated into antifraud IBM Security products.

Ongoing intelligence-based product enhancement is a proactive way to better protect customers against different types of malware reusing injections from the same vendor. Knowing that some cybercrime gangs use injections from the same provider can mean better malware protection. Once a security product is configured to look for a known webinjection, the malcode will be flagged even in new variants and other Trojan families.

Security professionals can further extend this knowledge to other platforms, like SIEM and intrusion prevention systems, by writing custom rules using information about injections shared on platforms like X-Force Exchange.

Read the white paper to Learn more about Staying ahead of advanced threats

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…