An old banking Trojan has been operating in Europe on a low level has spiked in activity after migrating to Japan. Cybercriminals are using local brand names such as local ISP providers and legitimate looking addresses to fool users into downloading malware that can steal information by monitoring browsers, file transfer protocol (FTP) clients, and mail clients. Its targets? Mostly rural banks.
BEBLOH is a banking Trojan that has been around since as early as 2009. It has outlived several competitors including Zeus, and SpyEye. It is designed to steal money from unsuspecting victims right off their bank accounts without them even noticing. BEBLOH always came up with new defensive measures to avoid AV products, and this time is no different. BEBLOH is also known for hiding in memory and creating a temporary new executable file upon shutdown, and deleting said file after re-infecting the system.
Local Issue
Currently in Japan, most spam written in Japanese lead to banking Trojans rather than other malware like ransomware. Based on a press release (in Japanese) by Japan’s National Police Agency last March 3, 2016, rural banks and credit unions banks have been targeted apart from major banks. They have reported that 2015 reflected the country’s biggest loss to banking Trojans amounting to about ¥2.65 billion or USD 25.8 million. With BEBLOH adding to the fray, Japan could face bigger problems with banking Trojans.
Currently, we have observed that URSNIF and BEBLOH were active in Japan, along with other traditional banking Trojans like ZBOT. From almost zero detections for the first eleven months of 2015, BEBLOH started its campaign with 324 detections Japan on December 2015. Detections reached as high as 2,562 on March 2016, the same month as the press release above was published.
Everyone’s a possible target
BEBLOH targets both end-users and enterprise employees in its campaign. We saw emails sent to company email accounts as well as private accounts. And subjects differ from personal matters such as loans, shopping, and deliveries, to professional subjects like human resources. This behavior makes for a wider spread and infection.
Translation: “This mail is sent with an electronic signature to enhancing security.
This is to inform you that we have received remittance on March 3, 2016.
electric signature (Digital signature)”
Translation: “complete image of records”
Figure 1. Sample spam emails sent to individuals and groups
New Routines
BEBLOH changes its packers quickly and frequently. Some versions follow a step in its unpacking to process hollowing on its own process, while other versions unpack in its own memory before process hollowing on a legitimate process (ex. explorer.exe/iexplore.exe). This allows the malware to evade file detection as the detection patterns need to keep up with BEBLOH’s packer changes.
Once installed, BEBLOH connects to a command and control (C&C) server, and has types of responses: update itself, sleep, and download web inject configuration. As mentioned, BEBLOH can steal information and use this to pillage victims’ bank accounts.
So far, we have observed that TSPY_URSNIF, a spyware that monitors browsers, file transfer protocol (FTP) clients, and mail clients. Take note that all banking Trojans run in the same or in a similar way.
Apart from the spyware, BEBLOH also downloads BKDR_PUSHDO, a spambot malware.
While communicating with the C&C server, we saw that the URLs used on its download routine changed depending on the reply of the C&C server. We have observed samples that had three different download URLs on three separate days. The responses from the URLs are usually encrypted. But when decrypted, they use the following format: CV {value}/r/n>DI/r/n>LD {URL}.
Figure 2. Decrypted communication from C&C server
For now, we can see that BEBLOH is monitoring 17 different Japanese banks. These comprise of rural banks, credit union banks, online banks, and major banks. By targeting smaller banks, the attackers hope that their actions would go unnoticed. Attackers are able to take advantage of smaller banks with less sophisticated security. It seems that this has been the banking Trojan landscape of Japan in 2016.
Trend Micro endpoint solutions such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security can protect users from this threat by detecting malicious files, and spammed messages as well as blocking all related malicious URLs.
For enterprise, our Trend Micro Deep Discovery Email Inspector uses advanced detection techniques to identify and block spear phishing emails which is used in these attacks to fool users into downloading and opening malicious attachments. It can block malicious email attachments such as office documents with macro malware, PDFs, executables, scripts, and more. This can also block malicious URLs embedded in body or subject of messages and URLs embedded within documents.
The following hashes are related to this attack:
- 342f10ba182897ef5eb58a10b8d5173a47d04760 – TSPY_BEBLOH.RLS
- 8ca281b70f1a7a9017bd29ada84ef28e6e6cc2c4 – TSPY_BEBLOH.YYS
- cd34148a1ce37b13389647674653e981cfacd522 – TSPY_BEBLOH.YYU
- d628a73fba0782df945db4e2887cf9981a5814c8 – TSPY_BEBLOH.TZZ
With additional insights by Yuka Higashi
