Trend Micro analysts have come across a new variant of the BEBLOH family of information stealers that goes well beyond the traditional tactic of logging keystrokes and sending it to another server for exploitation. Instead, this particular variant steals user information, uses it right away, and cleverly disguises it from users.

This particular variant, detected as TSPY_BEBLOH.AE, immediately connects to a command and control (C&C) server when it is executed. It downloads an encrypted configuration file from the said server, as seen below:

Figure 1. Captured traffic between affected system/C&C server

The configuration file contains key information, most importantly the name of the bank being targeted. If the user logs into the secure banking website of the target bank, their user name and PIN are both captured by the malware.

Instead of sending the account information to cybercriminals via e-mail or a website, however, it uses this to steal money from the account. If prompted by the central C&C server (which it contacts periodically), it transfers money from the user’s bank account to an account specified in the configuration file (The amount is also based on several parameters included in the said file; the values of these parameters are chosen to minimize the possibility of detection). Very good technical details can be read here.

Lastly, it also disguises its malicious transactions from the user. When the user attempts to view static pages that contain information such as remaining account balance(s), balance sheets, and previous transactions, the malware rewrites these pages on the fly, disguising any previous thefts from the user. Victims would not know they had been robbed unless they attempted to access the online banking site from an uninfected machine, or used separate facilities such as ATMs.

The Trend Micro Smart Protection Network detects and removes this malicious threat.

Update as of 5 October 2009:

TSPY_BEBLOH.AE has been renamed and will now be detected as TSPY_BEBLOH.SMJ.

Update as of 6 October 2009:

The RSA FraudAction Research Lab has published an extensive analysis of this, and they’ve turned up more proof of this malware’s sophistication. According to their research, it checks first if the infected machine is “valid” by checking a unique ID code that is assigned by the central C&C server. If the machine is not valid, instead of showing the accounts under their control, it displays the bank accounts of other victims. This was done in order to make shutting down the “mules” these cybercriminals use as conduits for their money more difficult to track and shut down.