Tsukuba: Banking Trojan Phishing in Japanese Waters
Co-authored by Limor Kessem
Named after Japan’s science city, Tsukuba is a recent financial malware discovery made by IBM Security Trusteer researchers. It unearths the malicious activity of a new banking Trojan in the global cybercrime arena that is highly focused and exclusive to Japanese financial institutions.
Technically speaking, Tsukuba is no more sophisticated than run-of-the-mill proxy changers, which are typical attack tools used in Brazil and the surrounding region. Although it may not be very advanced in its technical capabilities, it makes up for it through its most recent social engineering technique, which is how it harvests victims’ online banking credentials, personally identifiable information (PII) and even clear images of official identification documents.
With the information Tsukuba can collect from infected endpoint owners, the gang operating this Trojan can monetize the data in numerous identity theft and online fraud scenarios to rob bank accounts, credit cards, online loans, e-wallets and more.
What makes Tsukuba all the more potent, however, is the fact that banking customers in Japan are less accustomed to seeing Trojan attacks in their region than those in English-speaking countries. The language barrier — one factor that has protected some companies from fraud — has also served to keep their general population more naïve to it and, therefore, less suspecting of Tsukuba’s unique methods.
Tsukuba’s Technical Core
Tsukuba’s malware capabilities reveal that it is a banking Trojan from the proxy changers family. Its main goal is to manipulate the browser on infected endpoints to redirect victims to malicious URLs set up by the botmaster and then interact with these victims thereon in order to extract credentials and PII from them.
Overall, Tsukuba’s every move is calculated and selective, from its very installation procedure to the victim IPs it will let through to its interactive Web-fakes.
To begin, the Trojan is dropped via spam email in a packed form, which is programmed to resist debugging and analysis. Upon running the Tsukuba executable, the packer itself uses the CreateProcess API by way of the suspended state flag (aka process hollowing). The suspended son process is unpacked and changes its entry point to camouflage the malicious installation. Because it is impossible for the malware to attach to a suspended process, it waits for the process to resume and then finalizes the installation, terminating before someone can attach a debugger or analyze it.
The next action Tsukuba takes is abusing a legitimate Windows process (“powershell.exe“) in order to disguise itself while communicating with its command-and-control (C&C) server and downloading other components and run commands if need be.
To evade research environments and proxy detection tools, Tsukuba looks for a list of running processes to avoid, and if one is indeed found, the malware will not complete the installation of all of its components:
But Tsukuba is not ready to proceed quite yet. Before completing its installation, the malware must determine that the potential victim is relevant to its masters by copying their browser cookies and scanning them for the URLs of its target entities (triggers). Only if the infected machines visit one of the listed banks will the malware continue its installation process.
Prepare for Secure Proxy Browsing
In yet another preparatory move, Tsukuba registers a fake root certificate in order to browse to malicious pages through its own rogue proxy. To do that without raising any red flags, it sets up a root certificate on the PC with the exact same name as the original; typically, that name is “VeriSign Class 3 Public Primary Certification Authority – G5.” This procedure leverages another legitimate Windows process, “certutil.exe,” which allows Tsukuba’s sessions to pass as trusted through the browser.
Proxy Change via PAC
Upon the receipt of this data, the malware uses it to add a PAC URL path to the browser’s configuration scheme. This new malicious PAC file sets the automatic choice the browser will make when fetching a URL for the user. Making a change to this default choice and replacing it with the attacker’s proxy encourages results in the browser’s favoring it, thereby directing the user’s requests to the attacker’s URL choices:
The rogue proxy is now in place. But not so fast — only victims browsing from Japanese IPs will be let though to the Trojan’s custom social engineering zones. All others will meet an unreachable browser message. At this time, Tsukuba can apply its malicious proxy changes to three popular browsers: Microsoft Internet Explorer, Google Chrome and Mozilla Firefox.
Enter Interactive Web-Fakes
Unlike Tsukuba’s basic proxy-changing capabilities, its social engineering face is much more sophisticated, using a technique that has become very popular among cybercriminals in the past year: interactive Web-fakes.
This method consists of sending the victim to fake bank pages. It is similar to phishing, but unlike simple, credential-slurping phishing, these attempts are highly customized and interactive. This means the pages victims reach are tailored to the bank they tried to browse to: The look and feel is dynamically pulled from the legitimate bank’s portal, and the fake pages actually interact with the victim via pop-ups. In Tsukuba’s case, after victims enter their credentials, the pop-ups proceed to ask them for personal details and to upload clear images of their official documentation and passport. Looking at similar malware of Tsukuba’s grade, this extensive social engineering component definitely goes far beyond the common.
Some examples from Tsukuba’s arsenal are a fake counter, likely designed to rush the victim to act, with detailed instructions on what to do next:
IBM Trusteer researchers have examined the pop-ups and translated them from Japanese. One of these fake screens reads as follows:
“Our internet banking system was recently upgraded in order to strengthen the security on your account. Registered clients will be required to provide personal identification documents in order to verify their identity. Please use the below registration form to upload the required documents. Please upload the following documents:
(1) Copy of passport (both pages). Your first and last name, date of birth, personal address, etc., must appear clearly on the copy.
(2) Copy of the personal identification card (both sides). The digits of the identification card must appear clearly on the copy.
Please note the following:
1. Please make sure all documents are easy-to-read and easy-to-understand. Please upload all files only in .pdf .doc .docx .jpg .bmp .png format. Please ensure the files size does not exceed 10MB.
2. Please save a copy of your scanned, camera or smartphone-captured document to your computer.
Please click “Continue” after you upload the documents. Once done, you can access your account.
*Please note that document upload may take a few minutes in some cases.”
The original image appears below:
As soon as victims upload files into the interactive fake page, they are redirected to a final fake showing a “Session Expired” page or to Google.com.
Nothing to See Here…
Following the first credential harvest from the infected account holder, Tsukuba’s botmasters make sure to keep their victims unwitting and revert back to the normal proxy settings. To do that, the malware queries its C&C server for a new PAC and this time receives a “clean” version that reverts the settings to normal browsing. This will deliver victims directly to their original bank page as soon as they attempt to access it, removing any suspicion they may have had after the social engineering session.
A Dangerous Mix
Examining Tsukuba indeed proves that it is a malicious (yet basic) proxy changer. Its security bypass techniques rely on abusing legitimate processes and registering a certificate, and its evasion from analysis tools and prying eyes is especially simplistic.
The more interesting part of the malware’s modus operandi is the use of an extensive social engineering scheme over interactive fake bank pages, predesigned for this purpose and highly customized per the target entity.
This threat is considered severe for the amount of information it collects. The theft of online banking credentials, along with the victim’s PII and images of official documents — in addition to the possibility of executing additional malware on his or her endpoint — is a loaded combination. Furthermore, the fact that the more substantial portion of the attack takes places on fake pages makes it harder for security tools to detect or stop it. IBM Security Trusteer Rapport™ can help protect banks and banking customers from the Tsukuba malware.