September 24, 2013 By Etay Maor 3 min read

IBM’s Amit Klein blogged in 2013 about two malware families called Tinba and Tilon and how they were going back to basics. He said we are witnessing an interesting trend: Organizations are rolling out advanced malware detection systems that force malware authors to drop some of their more advanced techniques and reuse older techniques that were abandoned years ago. The latest example of this trend is a Zeus variant that was detected by the IBM Security Trusteer research team this month. Using a unique HTML injection mechanism and static mule accounts, this malware is now targeting banks in Eastern Europe by covertly manipulating and performing transactions on the end user’s behalf.

In the last couple of years, many organizations took note of the malware threat and deployed advanced malware detection systems. These new security solutions were familiar with all the latest tricks that malware authors had to offer and contained effective countermeasures. But malware authors (and their criminal clients) did not sit idly by while their attacks were detected and eliminated; they fought back. Here are just three examples of such cases, examining the original criminal threat, the banks’ countermeasure and the criminals’ response to the countermeasure.

Case One

Cyber criminals use stolen user credentials to commit fraud from their own devices. Security solutions then start using device ID and device reputation techniques to identify criminal devices and logins not originating from the known end user’s device. In response, cyber criminals then use Remote Desktop Protocol (RDP) to connect to the victim’s device and commit the fraudulent activity from that trusted device. Device ID solutions see this as the legitimate client’s device and therefore do not generate an alert.

Case Two

Cyber criminals use automatic scripts that create a fraudulent transaction right after an infected user logs in to the account. Security solutions then start performing velocity tests to all transaction pages. If a transaction form is filled out in less than a second, it’s obviously not a human, and the transaction is challenged or declined. In response, cyber criminals create automatic scripts with a “slow-fill” function that fills out the transaction form in a humanlike way (characters are entered by the script with intervals of 0.1-2 seconds). Velocity tests view the automated script as human and do not generate an alert.

Case Three

Cyber criminals use HTML injections to display additional fields to victims, who fill them out and provide the attackers with more data. Security solutions then compare page input fields to determine if the user is submitting data the bank did not ask for. In response, cyber criminals use malware to inject full pages to the victim rather than alter the original bank page. Effectively, the user is unknowingly filling out a malware-generated page and not communicating with the bank’s website. The bank then only sees the fields expected and does not generate an alert.

The Zeus Variant

The IBM Security Trusteer research team recently identified a Zeus variant that uses a rather curious method to overcome malware detection solutions. This particular variant targets an Eastern European bank, whose transaction form contains typical data fields such as the paying account, transaction amount, beneficiary account, beneficiary name, beneficiary address and a transaction title. An HTML injection is applied to the transaction page that changes the HTML form field names of the beneficiary account number, name, address and transaction data (while leaving the source account field names and transaction amount field names unchanged). This Zeus variant also injects mule account data with the correct field names instead of the altered fields. The victim fills in the transaction details (at the HTML level, the field names for some data are incorrect), submits the form and the bank receives a HTTP request for the transaction only with the correct fields that now specify a receiving mule account.

To recap, the malware uses a hard-coded HTML injection (with static mule account information) to perform fraudulent transactions. This technique, though simple and generally uninvolved, offers two advantages over JavaScript (JS) HTML injection: Fewer “moving parts” (dynamic scripts) means tougher detection for antivirus and anti-malware solutions, and it works on browsers whose users disabled JS for security reasons. Simple and crude — but effective.

Just as users, organizations and security solutions study and adapt to new threats, malware authors remain stealthy by learning new security tactics. IBM Security Trusteer Rapport can detect, mitigate and remove this and other Zeus variants from infected devices. In addition, IBM Security Trusteer Pinpoint Malware Detection can effectively identify and warn organizations of malware-infected devices that attempt to log in and conduct transactions with their website.

More from Malware

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today