Many of the developments in computing over the past years have involved automating day-to-day tasks. These developments have made people's lives much easier, to the point that we now depend on them. Innovation is paralleled by abuse, however: cybercriminals continually turn the same tools to malicious schemes with a single goal in mind, profit.
Profit has proven to be sufficient motivation for blackhat hackers to keep innovating in their attacks on security technology. They research, explore, and develop the malicious programs we now call "malware." Although malware is continuously developed, whether to become more resilient to antivirus solutions or more effective at delivering its intended payload, the threat trends paint a consistent picture: malware automates hacking.
Manual Hacking in the Early Days
In the early days of hacking, everything had to be done by hand. Hackers manually probed computers for weaknesses or open ports in order to break into targeted machines. Once in, they manually carried out whatever actions they had in mind.
Today, tools like vulnerability and port scanners are widely available on the Internet. Backdoor applications remotely control compromised systems, worms have automated the spread of malware through self-replication, and even the generation of malicious files can be automated with the help of malware toolkits.
Information and Financial Theft
Given the state of malware today, one can assume that pretty soon cybercriminals will just spread malware on the Internet, watch TV, and wait for stolen money to be deposited into their bank accounts (if this is not already happening). Interestingly, this is something we saw materialize in the form of TSPY_BANKER.PHT.
TSPY_BANKER.PHT is a banking Trojan that specifically targets customers of the Brazilian bank Banco do Brasil. Upon stealing a user's account credentials, the malware attempts to automatically transfer money to a predetermined account. This is similar to the ZeuS and SpyEye feature known as the automatic transfer system (ATS). Here is a screenshot of a dump of TSPY_BANKER.PHT's code:
Highlighted in the screenshot are the hard-coded destination account names and numbers (blurred) and the amounts of money (in Brazilian reais, R$) that it will attempt to transfer. To move the money, it uses TED (Transferência Eletrônica Disponível), a Brazilian electronic funds transfer system in which the money is made available to the recipient within a few minutes. TED is reserved for transactions involving large sums, specifically more than R$3,000.00. According to Trend Micro senior threat researcher Ranieri Romera, "Cybercriminals may have targeted TED because of the amount of money involved. Users who use TED can no longer cancel a transaction once it's confirmed as well. Note, however, that most people in Brazil do not keep as much money in their accounts, making the malware slightly inefficient though it can incur a lot of damage to those who do."
This threat is definitely worth keeping an eye on, as it does not only steal information from affected users but can also lead to immediate financial loss. Note the difference from ATS: an ATS first has to communicate with its C&C server before it can transfer money, whereas TSPY_BANKER.PHT, with its destination accounts and amounts hard-coded, carries out the transfer on its own.
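Because the destination accounts and amounts are hard-coded rather than fetched from a C&C server, they can be carved straight out of a dump of the binary. The following triage helper is an added example, not code from the original post or from Trend Micro: it scans a dump for Brazilian agency/account tokens and BRL-formatted amounts, pairs each amount with the closest preceding account, and flags which amounts exceed the R$3,000.00 TED minimum the post mentions (a hard-coded amount below that line could never go out via TED). The sample dump, the account names and numbers in it, the agency/account regex, and the "destination, then amount" pairing heuristic are all assumptions made for illustration; nothing here is taken from TSPY_BANKER.PHT.

```python
"""Static triage helper: carve candidate hard-coded transfer parameters
(Brazilian agency/account pairs and BRL amounts) from a binary dump and
check which amounts would clear the TED minimum.

Added example, not code from the original post. The dump below is
constructed and fictional; nothing in it comes from TSPY_BANKER.PHT.
"""
from __future__ import annotations

import re
from decimal import Decimal

# TED minimum as stated in the article (transfers above R$3,000.00).
TED_MIN_BRL = Decimal("3000.00")

# Constructed sample: what a strings-style view of a banker's data section
# might look like. Names, accounts and amounts are invented for illustration.
SAMPLE_DUMP = (
    b"user32.dll\x00GetWindowTextA\x00Banco do Brasil\x00"
    b"1234-5/67890-1\x00FULANO DE TAL\x00R$ 3.500,00\x00"
    b"0001-9/12345-6\x00BELTRANO SILVA\x00R$ 1.250,00\x00"
    b"https://example.invalid/cc\x00"
)

# Assumed layout: agência (4 digits, optional check digit) / conta
# (4-12 digits plus check digit). Lookarounds keep longer digit runs out.
ACCOUNT_RE = re.compile(
    rb"(?<![\d-])(\d{4}(?:-[\dXx])?)/(\d{4,12}-[\dXx])(?![\d-])"
)
# Brazilian currency formatting: thousands separated by '.', decimals by ','.
AMOUNT_RE = re.compile(rb"R\$\s?((?:\d{1,3}(?:\.\d{3})+|\d+),\d{2})")


def parse_brl(text: str) -> Decimal:
    """'3.500,00' -> Decimal('3500.00')."""
    return Decimal(text.replace(".", "").replace(",", "."))


def carve_accounts(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, agência, conta) for every account-like token."""
    return [
        (m.start(), m.group(1).decode(), m.group(2).decode())
        for m in ACCOUNT_RE.finditer(data)
    ]


def carve_amounts(data: bytes) -> list[tuple[int, Decimal]]:
    """Return (offset, amount) for every BRL-formatted value."""
    return [
        (m.start(), parse_brl(m.group(1).decode()))
        for m in AMOUNT_RE.finditer(data)
    ]


def pair_transfers(data: bytes) -> list[dict]:
    """Pair each amount with the closest preceding account.

    Assumes the table layout 'destination, then amount'; an amount with no
    account before it is dropped rather than guessed at.
    """
    accounts = carve_accounts(data)
    transfers = []
    for off, amount in carve_amounts(data):
        preceding = [a for a in accounts if a[0] < off]
        if not preceding:
            continue
        _, agencia, conta = preceding[-1]
        transfers.append({
            "agencia": agencia,
            "conta": conta,
            "valor": amount,
            # Only amounts above the TED minimum could move via TED.
            "ted_eligible": amount > TED_MIN_BRL,
        })
    return transfers


if __name__ == "__main__":
    for transfer in pair_transfers(SAMPLE_DUMP):
        print(transfer)
```

On a real sample, point `pair_transfers` at the unpacked binary or a memory dump rather than at the constructed bytes; packed samples will yield nothing until unpacked, and the account regex should be adjusted to the formats of whichever banks the sample targets.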
As more and more malicious activities are automated with malware, the security industry faces more challenges ahead. What we know today as highly targeted attacks may one day simply be malicious code operating independently on behalf of its creators.
Thanks to Trend Micro senior threat researcher Ranieri Romera for the heads-up on TSPY_BANKER.PHT.