A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan. Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.
This threat changes two settings that allows information theft at the network level (i.e., without using information-stealing malware). This has the advantage of not requiring a reboot or any memory-resident processes on the affected systems.
One of the two settings modified is the system’s proxy settings. This routes some of the user’s Internet traffic to a proxy controlled by the attacker. The second is the addition of a malicious root certificate to the system’s trusted root store. This allows malicious site certificates added in man-in-the-middle attacks (as done by the malicious proxy) to be used without triggering alerts or error messages.
This technique of a malicious proxy combined with an added root certificate was also used in Operation Emmental. This attack indicates that the technique has now reached Japan.
Infection vector
TROJ_WERDLOD infects users via spam mails with an attached .RTF document. The document claims to be an invoice or bill from an online shopping site. Once the .RTF file is opened, the user is instructed to double-click the icon in the document (as seen below), leading to TROJ_WERDLOD being executed.
Figure 1. Spam mail leading to TROJ_WERDLOD’s infection
Setting a malicious proxy
Once infected, it modifies the registry value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL to refer to a proxy.pac file which has been prepared by the threat actors behind this banking Trojan. A proxy.pac file contains automatic settings for a system’s proxy servers. This may include JavaScript code to determine which proxy will be used by a system.
Figure 2. Modified registry setting
Both Internet Explorer and Google Chrome obey this system setting. Mozilla Firefox uses its own settings (stored in the pref.js file), but this malware targets that setting as well.
This proxy.pac file is obfuscated and Figure 3 shows the decrypted version. It shows how the network traffic for several domains is directed via malicious proxy servers. The enumerated domains include 26 Japanese domains including several online banks. Because of this, we believe Japanese users were specifically targeted.
Figure 3. Decrypted proxy.pac file (click to enlarge)
Adding a malicious root certificate
Routing network traffic through malicious proxy servers allows cybercriminals to carry out a main-in-the-middle (MITM) attack. However, online banks use SSL/TLS to encrypt their traffic. Using the proxy server to decrypt this encrypted traffic would result in SSL errors at the endpoint, alerting users that something is wrong.
To get around this, TROJ_WERDLOD can add its own root certificate into the trusted root store of systems. This certificate is disguised as one that belongs to a known (and trusted) root CA, but the signature does not match the legitimate certificate.
Normally, a security warning will be shown before the fake certificate is added to the trusted root store. However, TROJ_WERDLOD can automatically push the “yes” button of the error message, installing the certificate without the user noticing.
Making MITM attacks on SSL/TLS possible
This is how an attack against an online banking site targeted by the attacker would proceed. The list of targeted sites is contained within the downloaded proxy.pac file. Traffic going to any of these sites will be routed through the malicious proxy.
The malicious proxy performs a MITM attack against the secure connection. Normally, this would lead to SSL errors, as the fake SSL certificate used by the proxy would not be seen as valid. However, because of the added certificate in the root store, no error messages will be seen. The attacker can then intercept any credentials sent to the banking site; alternately the attacker might instead show a fake website and ask the user to enter their credentials.
SSL/TLS should be able to avoid MITM attacks, but in this case, the presence of the malicious root certificate obliterates the trust model. This leaves the user at risk of attack.
Countermeasures against TROJ_WERDLOD
Opening email attachments has long been recognized as an infection vector. It is advisable that users not open these attachments, unless they are explicitly expected by the recipient.
Many financial institutions have started using EV (Extended Validation) certificates. These will be issued through stricter screening system than normal SSL server certificates. Stricter screening includes checking if the issuer has been registered, or if the issuer can be contacted.
EV certificates are more reliable than typical Domain Validation certificates, which can be issued to anyone who can prove they own a domain. When the server is using an EV certificate and working normally, a “green bar” is shown in the address bar, as shown below:
Figure 5. User interface for a site with an EV certificate
Where possible, companies that already use SSL/TLS for their login pages should adopt EV certificates. Organizations that use EV certificates may, in effect, “train” their customers to spot MITM attacks, protecting both parties in the transaction.
TROJ_WERDLOD in the future
As we mentioned earlier, the use of a fake certificate and proxy was previously found in Operation Emmental. That also used fake mobile apps that stole SMS messages from online banks. It is possible that this particular behavior may be seen in the future, although Japanese banks rarely use SMS authentication.
Remove the infection
To restore an infected PC to its normal condition, the following steps need to be performed to remove the malware and undo the two setting changes.
- Remove the proxy automatic setting (proxy.pac) in Windows and Firefox, or change it back to the previous setting (if one was provided by the ISP and/or system administrator.)
- Remove the malicious root certificate installed by TROJ_WERDLOD from the the trusted root stores in Windows and Firefox. (Instructions on how to do so are provided by Microsoft and Mozilla.) This malicious root certificate has the following signature:
- A134D31B 881A6C20 02308473 325950EE 928B34CD
Trend Micro solutions
Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security include behavior monitoring to detect this type of threat. File reputation can detect all the malware we encountered in this attack, including TROJ_WERDLOD. Email reputation can block emails from suspicious users and malicious emails. Mail Security gateway products use the content filtering function and enable to filter emails which include executable files as attachments. Web reputation can block accesses to malicious sites where the related backdoor malware connects and communicate.
The following hashes are related to this attack:
- 17ca16506b4a1a92b9e4c5fb809f425c7b670bb8
- 36ca118945ee4d9ba60c9178b47ea0a5d9547b7b
- 3860DC86D0300B9C38C4029C8C6DA2D0014695EE
- 46070ec0b7d4e1b7d6d8152bb1d1e6e7475c5b20
