We have already written about Hesperbot; this threat is a new banking malware and has a modular architecture. Attackers used it to carry out attacks on users in various countries, including Turkey, the Czech Republic, Portugal and the UK. The main goal of the attacks was to steal confidential online banking data of users and install a mobile component of malicious code on devices running Symbian, Android, and Blackberry. Cybercriminals used convincing phishing schemes to lure users to malicious links, making their approach even more practical.
The user is compromised when clicking on a malicious link. Below is a scheme used by attackers.
Rice. User compromise scheme.
The main task of the dropper is to inject a payload (payload or core) into the context of the trusted explorer.exe process. This code is then downloaded from the network and executed by additional modules.
Win32/Spy.Hesperbot is a cross-platform threat and the various modules listed are available in x86 and x64 variants. Various internal functions of some modules are available for use in other modules through a special table of virtual methods (vtable). Most of Hesperbot's code is written in C and compiled using Visual Studio 2010 without using the run-time library. The Dropper
payload
can use one of the following methods to inject the core component into the explorer.exe address space:
After successful implementation, the core component begins its work in the system: it is responsible for interacting with the C&C management server, launching auxiliary modules and writing autoload parameters of malicious code to the system registry. To work with C&C, Hesperbot uses a list of URLs hardcoded into the body (which differ in the case of different countries and botnets) or generates a list of new addresses using a special DGA algorithm. The malicious code sends the following information to the C&C server:
Rice. Czech botnet ID.
The server response may contain the following information or files:
The malicious code obtains a list of active smart cards on the system using the following APIs: SCardEstablishContext , SCardListReaders and SCardConnect. Unlike other, more complex threats, Win32/Spy.Hesperbot only collects smart card names and has no ability to interact with them.
Uploaded files (configuration files and plugin executables) are encrypted using the Twofish algorithm, whose 256-bit hash is based on the data:
To store data downloaded from C&C and other auxiliary files (for example, a keylogger log file), Hesperbot creates a directory with an arbitrary name in the %APPDATA% folder.
The Core module has the ability to inject its code not only into explorer.exe, but also into other running processes. The malicious code uses an undocumented trick to hook UserNotifyProcessCreate inside csrss.exe to make sure its code is active in every running process.
The keylogger component intercepts keystrokes through the GetMessage and TranslateMessage functions. Next, the characters are saved to a log file with information about the process and the name of the window in which they were entered. After which the file is sent to the attackers’ server.
The module for capturing desktop screenshots and videos is called httpi. Video capture was also used in the Zeus banking Trojan. This feature allows attackers to see a more complete picture of what is happening in the user’s system. The feature is implemented using the AVIFileCreateStream, AVIFileMakeCompressedStream, AVIStreamWrite APIs from the Avifil32.dll library.
Rice. Video creation code.
Desktop screenshots are created using the functions of the Gdi32.dll library.
The possibility of VNC connection was previously observed in the famous Trojan program Carberp. It allows you to create a VNC server on the side of the infected computer, which the attacker will have access to. Since, unlike RDP, VNC does not perform a user log off operation, an attacker can connect to the victim while it is running. This is achieved by creating a secondary desktop (CreateDesktop) that is invisible to the user. This module allows an attacker to launch a browser process installed on the system. In this case, the attacker gains access to his saved data (cookies, sessions, etc.).
Network communication and web injections
Hesperbot is not the first banking malware that uses interceptions of functions of the WinSock library ( send , WSASend and others) and the WinInet library ( HttpSendRequest , InternetReadFileand others) to gain full control over the user’s network HTTP/HTTPS traffic. Similar mechanisms were used in the well-known Zeus and SpyEye Trojans. Using this approach allows attackers to carry out web-injects, obtain data entered into web forms (form-grabbing) and carry out other operations to steal information that the attackers need, which the user enters into pages opened in a web browser. The listed methods are called “Man-in-the-Browser” attack. Win32/Spy.Hesperbot uses a slightly different approach when carrying out an attack on a user, which we have already seen in another banking Trojan, Win32/Gataka.
Traffic interception and HTML code injection are carried out by the nethk, httphk and httpi modules, which were mentioned above in the component table.
Rice. Interaction of various Hesperbot modules.
The nethk module is the first downloadable malicious code plugin. It is downloaded by the core component . Win32/Spy.Hesperbot performs a man-in-the-middle attack by creating a local proxy through which it can control all connections initiated by the browser process.
Rice. Proxy creation code.
Rice. Internet Explorer network connections through the installed Hesperbot proxy.
The Trojan program, using the nethk module , creates a proxy on an arbitrary port with the address 127.0.1.1 and intercepts the following functions of the mswsock.dll library: WSPSocket , WSPIoctl, WSPConnect , WSPCloseSocket . Pointers to these functions are modified in the WSPPROC_TABLE table . To understand how this redirect works, below is a malicious version of WSPConnect .
Rice. A malicious variant of the WSPConnect API.
For example, if a user wanted to log into an online banking system and the browser tries to establish a secure connection to the bank's website, the connection request would be intercepted by the Hesperbot code to create a local proxy, after which the online banking system would deal with the attackers' socket.
Rice. How a malicious proxy works.
The callback function of the httphk module is called every time the proxy intercepts a request from the browser before passing it on to the real server. Additionally, httphk is called every time the proxy intercepts a request response from the real server before passing it on to the browser. Next, httphk continues to work with traffic.
There are differences in the processing of HTTP and HTTPS traffic. In the case of a simple HTTP connection, data in request/response mode is simply transferred from httphk and back. In the case of a secure HTTPS connection, the malicious code uses the capabilities of the nethk module in order to “get rid of encryption.” When an HTTPS request initiated by the browser is intercepted (the request data is already encrypted using a fake certificate, see below how), it is decrypted and this data is sent to the httphk module via a callback function and then encrypted using the real server certificate (i.e. certificate of the bank's website), after which they are sent to their destination. When the server response, i.e. HTTPS response, arrives, the proxy decrypts it using the real certificate and passes this data to httphk to be encrypted with a fake certificate before passing it to the browser.
Thus, by using a "man-in-the-middle" proxy, Win32/Spy.Hesperbot can access the victim's outgoing HTTPS traffic before it is encrypted with the real certificate. Zeus and SpyEye use a similar approach, but their MitB implementation differs from that used in Hesperbot.
The malicious code gives the browser its certificate to simulate an HTTPS connection. The nethk module has its own self-signed SSL certificate on board.
Rice. SSL certificate inside nethk.
Rice. An example of using a fake Hesperbot certificate. On a regular system, you can see the real Google certificate instead of the fake one.
In order to fool the browser's certificate validity checker, malicious code intercepts the corresponding certificate checker functions. The implementation of such interceptions depends on the victim's browser. The table below shows the browsers supported by Win32/Spy.Hesperbot and the functions they intercept.
The authors of the malicious code used process name hashes instead of string-based comparisons to complicate the analysis.
The screenshot below shows the CertVerifyCertificateChainPolicy interception code . The httphk
module is responsible for parsing HTTP protocol data. When this module's callback function is called, it parses HTTP headers, data, and fills its internal data structures. In the future, this structure will be accessible through the httpi module . httphk provides two callback functions to call httpi: httpi_request_callback and httpi_response_callback. The httpi module performs modification of HTTP protocol data in accordance with the settings of the configuration file. When it calls httpi_request_callback the following actions are performed.
When calling httpi_response_callback, the Trojan program checks the HTTP response code for the value 200 (OK). After this, the configuration file is read and if web injections are specified for the site, they are inserted into the web page.
The figure below shows a decrypted configuration file that was used in the Portuguese botnet. You will notice that the first group of domains will be ignored by the httpi module. This suggests that Facebook and Google account data is not considered as valuable to attackers as the online banking system account data that follows.
It seems that the people who wrote the code for the web-inject scripts speak Russian, as evidenced by the accompanying comments. However, it should be noted that the scripts could have been written by completely different people than the authors of Win32/Spy.Hesperbot. Web-inject scripts are quite similar across different families of malware and their use is quite common among cybercriminals. The Hesperbot
mobile component
is not the first such malware to use mobile components (ZitMo or SpitMo) to bypass the SMS-based Mobile Transaction Authentication Number. A similar banking transaction confirmation system is widely used in many European countries and Russia.
Hesperbot implements special JS scripts into web pages through which the user is prompted to install a mobile phone application. The compromised user is offered a special list of phone models and, after entering the phone number, is given a link to download a malicious mobile application. The application exists in versions for Symbian, Android and Blackberry.
We were able to analyze malicious components for the Symbian and Android platforms. They have similar capabilities. First, there is the “activation procedure”. A special web injection on the infected computer generates a random “activation number” that is displayed to the user. Next, he will need to duplicate this number on his device when such an action is offered by the mobile application. The mobile application displays a “response code”, which is calculated through an activation code. The user must enter this code back into the web page to confirm. The malicious script is equipped with the same algorithm for calculating the code as the mobile one. Thus, by imitating a trusted application on the user's mobile device and using a fake web page on his computer, attackers can bypass the code verification system for online banking transactions.
Rice. Screenshot of a malicious component for Android [ Android/Spy.Hesperbot.A ].
This malicious mobile application registers a special service that listens for incoming SMS messages and transmits them to the attacker’s number. Thus, the attacker will receive the real code to carry out a transaction or other banking operation.
ESET antivirus apps detect mobile malware like Android/Spy.Hesperbot.A and SymbOS9/Spy.Hesperbot.A.
(c) https://habr.com/ru/companies/eset/articles/193318/
The user is compromised when clicking on a malicious link. Below is a scheme used by attackers.
Rice. User compromise scheme.
The main task of the dropper is to inject a payload (payload or core) into the context of the trusted explorer.exe process. This code is then downloaded from the network and executed by additional modules.
Win32/Spy.Hesperbot is a cross-platform threat and the various modules listed are available in x86 and x64 variants. Various internal functions of some modules are available for use in other modules through a special table of virtual methods (vtable). Most of Hesperbot's code is written in C and compiled using Visual Studio 2010 without using the run-time library. The Dropper
payload
can use one of the following methods to inject the core component into the explorer.exe address space:
- Start a new instance of explorer.exe and patch its entry point bytes using ntdll!NtGetContextThread and ntdll!NtWriteProcessMemory. The entry point will then point to the malware code.
- Inject your code into an already existing explorer.exe process using a method based on the Shell_TrayWnd / SetWindowLong / SendNotifyMessage functions. This method was used in the PowerLoader malicious code, which was previously described by Alexander Matrosov.
- Inject the code into explorer.exe using the normal CreateRemoteThread function .
After successful implementation, the core component begins its work in the system: it is responsible for interacting with the C&C management server, launching auxiliary modules and writing autoload parameters of malicious code to the system registry. To work with C&C, Hesperbot uses a list of URLs hardcoded into the body (which differ in the case of different countries and botnets) or generates a list of new addresses using a special DGA algorithm. The malicious code sends the following information to the C&C server:
- The bot's name, which is based on the Computer Name.
- The name of the botnet, which is formed based on the country where the threat was targeted by the attackers. For example, "cz-botnet", "tr-botnet", "pt-botnet", "uk-botnet" and "super-botnet" (the latter was used in early beta versions).
- IP addresses of network adapters.
- Names of installed smart cards.
- Information about installed Hesperbot plugins.
Rice. Czech botnet ID.
The server response may contain the following information or files:
- Configuration file.
- Plugin files.
- An arbitrary executable file to be launched later.
- New version of Hesperbot.
The malicious code obtains a list of active smart cards on the system using the following APIs: SCardEstablishContext , SCardListReaders and SCardConnect. Unlike other, more complex threats, Win32/Spy.Hesperbot only collects smart card names and has no ability to interact with them.
Uploaded files (configuration files and plugin executables) are encrypted using the Twofish algorithm, whose 256-bit hash is based on the data:
- Computer Name.
- The "InstallDate" registry key value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion].
- OS versions.
- Processor architectures (x86, x64, IA64).
- The "MachineGuid" registry key value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography].
- The "DigitalProductId" registry key value [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion].
To store data downloaded from C&C and other auxiliary files (for example, a keylogger log file), Hesperbot creates a directory with an arbitrary name in the %APPDATA% folder.
The Core module has the ability to inject its code not only into explorer.exe, but also into other running processes. The malicious code uses an undocumented trick to hook UserNotifyProcessCreate inside csrss.exe to make sure its code is active in every running process.
The keylogger component intercepts keystrokes through the GetMessage and TranslateMessage functions. Next, the characters are saved to a log file with information about the process and the name of the window in which they were entered. After which the file is sent to the attackers’ server.
The module for capturing desktop screenshots and videos is called httpi. Video capture was also used in the Zeus banking Trojan. This feature allows attackers to see a more complete picture of what is happening in the user’s system. The feature is implemented using the AVIFileCreateStream, AVIFileMakeCompressedStream, AVIStreamWrite APIs from the Avifil32.dll library.
Rice. Video creation code.
Desktop screenshots are created using the functions of the Gdi32.dll library.
The possibility of VNC connection was previously observed in the famous Trojan program Carberp. It allows you to create a VNC server on the side of the infected computer, which the attacker will have access to. Since, unlike RDP, VNC does not perform a user log off operation, an attacker can connect to the victim while it is running. This is achieved by creating a secondary desktop (CreateDesktop) that is invisible to the user. This module allows an attacker to launch a browser process installed on the system. In this case, the attacker gains access to his saved data (cookies, sessions, etc.).
Network communication and web injections
Hesperbot is not the first banking malware that uses interceptions of functions of the WinSock library ( send , WSASend and others) and the WinInet library ( HttpSendRequest , InternetReadFileand others) to gain full control over the user’s network HTTP/HTTPS traffic. Similar mechanisms were used in the well-known Zeus and SpyEye Trojans. Using this approach allows attackers to carry out web-injects, obtain data entered into web forms (form-grabbing) and carry out other operations to steal information that the attackers need, which the user enters into pages opened in a web browser. The listed methods are called “Man-in-the-Browser” attack. Win32/Spy.Hesperbot uses a slightly different approach when carrying out an attack on a user, which we have already seen in another banking Trojan, Win32/Gataka.
Traffic interception and HTML code injection are carried out by the nethk, httphk and httpi modules, which were mentioned above in the component table.
Rice. Interaction of various Hesperbot modules.
- nethk – used to deploy a local proxy, intercepts functions for working with sockets when monitoring connections; contains hooks for SSL certificate checking functions in the browser.
- httphk – used when parsing HTTP traffic.
- httpi – used for taking screenshots, capturing videos, capturing form data and injecting HTML code (web-injects).
The nethk module is the first downloadable malicious code plugin. It is downloaded by the core component . Win32/Spy.Hesperbot performs a man-in-the-middle attack by creating a local proxy through which it can control all connections initiated by the browser process.
Rice. Proxy creation code.
Rice. Internet Explorer network connections through the installed Hesperbot proxy.
The Trojan program, using the nethk module , creates a proxy on an arbitrary port with the address 127.0.1.1 and intercepts the following functions of the mswsock.dll library: WSPSocket , WSPIoctl, WSPConnect , WSPCloseSocket . Pointers to these functions are modified in the WSPPROC_TABLE table . To understand how this redirect works, below is a malicious version of WSPConnect .
Rice. A malicious variant of the WSPConnect API.
For example, if a user wanted to log into an online banking system and the browser tries to establish a secure connection to the bank's website, the connection request would be intercepted by the Hesperbot code to create a local proxy, after which the online banking system would deal with the attackers' socket.
Rice. How a malicious proxy works.
The callback function of the httphk module is called every time the proxy intercepts a request from the browser before passing it on to the real server. Additionally, httphk is called every time the proxy intercepts a request response from the real server before passing it on to the browser. Next, httphk continues to work with traffic.
There are differences in the processing of HTTP and HTTPS traffic. In the case of a simple HTTP connection, data in request/response mode is simply transferred from httphk and back. In the case of a secure HTTPS connection, the malicious code uses the capabilities of the nethk module in order to “get rid of encryption.” When an HTTPS request initiated by the browser is intercepted (the request data is already encrypted using a fake certificate, see below how), it is decrypted and this data is sent to the httphk module via a callback function and then encrypted using the real server certificate (i.e. certificate of the bank's website), after which they are sent to their destination. When the server response, i.e. HTTPS response, arrives, the proxy decrypts it using the real certificate and passes this data to httphk to be encrypted with a fake certificate before passing it to the browser.
Thus, by using a "man-in-the-middle" proxy, Win32/Spy.Hesperbot can access the victim's outgoing HTTPS traffic before it is encrypted with the real certificate. Zeus and SpyEye use a similar approach, but their MitB implementation differs from that used in Hesperbot.
The malicious code gives the browser its certificate to simulate an HTTPS connection. The nethk module has its own self-signed SSL certificate on board.
Rice. SSL certificate inside nethk.
Rice. An example of using a fake Hesperbot certificate. On a regular system, you can see the real Google certificate instead of the fake one.
In order to fool the browser's certificate validity checker, malicious code intercepts the corresponding certificate checker functions. The implementation of such interceptions depends on the victim's browser. The table below shows the browsers supported by Win32/Spy.Hesperbot and the functions they intercept.
The authors of the malicious code used process name hashes instead of string-based comparisons to complicate the analysis.
The screenshot below shows the CertVerifyCertificateChainPolicy interception code . The httphk
module is responsible for parsing HTTP protocol data. When this module's callback function is called, it parses HTTP headers, data, and fills its internal data structures. In the future, this structure will be accessible through the httpi module . httphk provides two callback functions to call httpi: httpi_request_callback and httpi_response_callback. The httpi module performs modification of HTTP protocol data in accordance with the settings of the configuration file. When it calls httpi_request_callback the following actions are performed.
- Capture videos and screenshots of your desktop. The malicious code reads the configuration file data and checks the requested URL. If there is a match, the video is captured or screenshots are taken.
- Retrieving form data (form grabbing). The malicious code checks the content-type parameter in the HTTPS protocol POST request header to see if it matches “application/x-www-form-urlencoded” or “text/plain”. If there is a match, it is assumed that data is being transferred for the login form. If this URL is specified in the configuration file, the data is written to the log file.
When calling httpi_response_callback, the Trojan program checks the HTTP response code for the value 200 (OK). After this, the configuration file is read and if web injections are specified for the site, they are inserted into the web page.
The figure below shows a decrypted configuration file that was used in the Portuguese botnet. You will notice that the first group of domains will be ignored by the httpi module. This suggests that Facebook and Google account data is not considered as valuable to attackers as the online banking system account data that follows.
It seems that the people who wrote the code for the web-inject scripts speak Russian, as evidenced by the accompanying comments. However, it should be noted that the scripts could have been written by completely different people than the authors of Win32/Spy.Hesperbot. Web-inject scripts are quite similar across different families of malware and their use is quite common among cybercriminals. The Hesperbot
mobile component
is not the first such malware to use mobile components (ZitMo or SpitMo) to bypass the SMS-based Mobile Transaction Authentication Number. A similar banking transaction confirmation system is widely used in many European countries and Russia.
Hesperbot implements special JS scripts into web pages through which the user is prompted to install a mobile phone application. The compromised user is offered a special list of phone models and, after entering the phone number, is given a link to download a malicious mobile application. The application exists in versions for Symbian, Android and Blackberry.
We were able to analyze malicious components for the Symbian and Android platforms. They have similar capabilities. First, there is the “activation procedure”. A special web injection on the infected computer generates a random “activation number” that is displayed to the user. Next, he will need to duplicate this number on his device when such an action is offered by the mobile application. The mobile application displays a “response code”, which is calculated through an activation code. The user must enter this code back into the web page to confirm. The malicious script is equipped with the same algorithm for calculating the code as the mobile one. Thus, by imitating a trusted application on the user's mobile device and using a fake web page on his computer, attackers can bypass the code verification system for online banking transactions.
Rice. Screenshot of a malicious component for Android [ Android/Spy.Hesperbot.A ].
This malicious mobile application registers a special service that listens for incoming SMS messages and transmits them to the attacker’s number. Thus, the attacker will receive the real code to carry out a transaction or other banking operation.
ESET antivirus apps detect mobile malware like Android/Spy.Hesperbot.A and SymbOS9/Spy.Hesperbot.A.
(c) https://habr.com/ru/companies/eset/articles/193318/
