
TROJ_WERDLOD: New Banking Trojan Targets Japan

  • Posted on:April 30, 2015 at 2:31 pm
  • Posted in:Malware
  • Author:
    Hitomi Kimura (Security Specialist)

A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan. Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.

This threat changes two settings that allow information theft at the network level (i.e., without using information-stealing malware). This has the advantage of not requiring a reboot or any memory-resident processes on the affected systems.

One of the two settings modified is the system's proxy settings. This routes some of the user's Internet traffic to a proxy controlled by the attacker. The second is the addition of a malicious root certificate to the system's trusted root store. This allows the forged site certificates that the malicious proxy presents during its man-in-the-middle attacks to be accepted without triggering alerts or error messages.

This technique of a malicious proxy combined with an added root certificate was also used in Operation Emmental. This attack indicates that the technique has now reached Japan.

Infection vector

TROJ_WERDLOD infects users via spam emails with an attached .RTF document. The document claims to be an invoice or bill from an online shopping site. Once the .RTF file is opened, the user is instructed to double-click the icon in the document (as seen below), which leads to TROJ_WERDLOD being executed.

Figure 1. Spam mail leading to TROJ_WERDLOD’s infection

Setting a malicious proxy

Once run, TROJ_WERDLOD modifies the registry value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL to refer to a proxy.pac file prepared by the threat actors behind this banking Trojan. A proxy.pac file holds the automatic configuration for a system's proxy servers: it is JavaScript code whose FindProxyForURL function decides, per destination, which proxy (if any) the system will use.

Figure 2. Modified registry setting

Both Internet Explorer and Google Chrome obey this system setting. Mozilla Firefox uses its own settings (stored in the pref.js file), but this malware targets that setting as well.

This proxy.pac file is obfuscated; Figure 3 shows the decrypted version. It shows how the network traffic for several domains is directed via malicious proxy servers. The enumerated domains include 26 Japanese domains, among them several online banks. Because of this, we believe Japanese users were specifically targeted.

Figure 3. Decrypted proxy.pac file (click to enlarge)

Adding a malicious root certificate

Routing network traffic through malicious proxy servers allows cybercriminals to carry out a man-in-the-middle (MITM) attack. However, online banks use SSL/TLS to encrypt their traffic. Using the proxy server to decrypt this encrypted traffic would result in SSL errors at the endpoint, alerting users that something is wrong.

To get around this, TROJ_WERDLOD can add its own root certificate into the trusted root store of systems. This certificate is disguised as one that belongs to a known (and trusted) root CA, but the signature does not match the legitimate certificate.

Normally, a security warning will be shown before the fake certificate is added to the trusted root store. However, TROJ_WERDLOD can automatically push the “yes” button of the error message, installing the certificate without the user noticing.

Making MITM attacks on SSL/TLS possible

This is how an attack against an online banking site targeted by the attacker would proceed. The list of targeted sites is contained within the downloaded proxy.pac file. Traffic going to any of these sites will be routed through the malicious proxy.

The malicious proxy performs a MITM attack against the secure connection. Normally, this would lead to SSL errors, as the fake SSL certificate used by the proxy would not be seen as valid. However, because of the added certificate in the root store, no error messages will be seen. The attacker can then intercept any credentials sent to the banking site; alternatively, the attacker might instead show a fake website and ask the user to enter their credentials.

SSL/TLS should be able to avoid MITM attacks, but in this case, the presence of the malicious root certificate obliterates the trust model. This leaves the user at risk of attack.

Countermeasures against TROJ_WERDLOD

Opening email attachments has long been recognized as an infection vector. It is advisable that users not open these attachments, unless they are explicitly expected by the recipient.

Many financial institutions have started using EV (Extended Validation) certificates. These are issued through a stricter screening process than normal SSL server certificates. The stricter screening includes checking whether the requesting organization is a registered legal entity and whether it can be contacted.

EV certificates are more reliable than typical Domain Validation certificates, which can be issued to anyone who can prove they own a domain. When the server is using an EV certificate and working normally, a “green bar” is shown in the address bar, as shown below:

Figure 5. User interface for a site with an EV certificate

Where possible, companies that already use SSL/TLS for their login pages should adopt EV certificates. Organizations that use EV certificates may, in effect, “train” their customers to spot MITM attacks, protecting both parties in the transaction.

TROJ_WERDLOD in the future

As we mentioned earlier, the use of a fake certificate and proxy was previously found in Operation Emmental. That operation also used fake mobile apps that stole the SMS messages sent by online banks. It is possible that this particular behavior may be seen in the future, although Japanese banks rarely use SMS authentication.

Remove the infection

To restore an infected PC to its normal condition, the following steps need to be performed to remove the malware and undo the two setting changes.

  1. Remove the proxy automatic configuration setting (proxy.pac) in Windows and Firefox, or change it back to the previous setting (if one was provided by the ISP and/or system administrator).
  2. Remove the malicious root certificate installed by TROJ_WERDLOD from the trusted root stores in Windows and Firefox. (Instructions on how to do so are provided by Microsoft and Mozilla.) This malicious root certificate has the following SHA-1 thumbprint:
    • A134D31B 881A6C20 02308473 325950EE 928B34CD

Trend Micro solutions

Trend Micro endpoint solutions such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security include behavior monitoring to detect this type of threat. File reputation detects all the malware we encountered in this attack, including TROJ_WERDLOD. Email reputation blocks emails from suspicious senders as well as malicious emails. Mail Security gateway products can use their content filtering function to filter out emails that carry executable files as attachments. Web reputation blocks access to the malicious sites that the related backdoor malware connects to and communicates with.

The following hashes are related to this attack:

  • 17ca16506b4a1a92b9e4c5fb809f425c7b670bb8
  • 36ca118945ee4d9ba60c9178b47ea0a5d9547b7b
  • 3860DC86D0300B9C38C4029C8C6DA2D0014695EE
  • 46070ec0b7d4e1b7d6d8152bb1d1e6e7475c5b20
Tags: TROJ_WERDLOD
