Source: Securelist
One piece of advice that often appears in closed message boards used by Russian cybercriminals is “Don’t work with RU”. This is a kind of instruction given by more experienced Russian criminals to the younger generation. It can be interpreted as: “don’t steal money from people in Russia, don’t infect their machines, don’t use compatriots to launder money.”
“Working with RU” is not a great idea where cybercriminals’ safety is concerned: people from other countries are unlikely to report an incident to the Russian police. In addition, online banking is not very popular in the RU zone – at least, it is much less popular than in the West. This means that the potential income from operating in the RU zone is lower than in other zones, while the risk is higher. Hence the rule “Don’t work with RU”.
As always, there are exceptions to the rule. A rather prominent banker Trojan – Lurk – that is the subject of this paper has been used to steal money from Russian residents for several years.
We have written about this banker Trojan before. It caught our attention almost as soon as it appeared because it used a fileless spreading mechanism – malicious code was not saved on the hard drive and ran in memory only. However, until now no detailed description of Lurk had been published.
What Makes the Trojan Different
The Lurk banker Trojan is in a league of its own when it comes to malware designed to steal money from bank customers:
- Lurk has existed and actively evolved for over five years, but it works selectively – only on those computers where it can steal money. In the more than five years that it has been active, about 60,000 bots have been registered in the C&C, which is not a huge number.
- Lurk is a versatile banker Trojan – it can steal money not only from the iBank 2 system that is used by many Russian banks but also from the unique online banking systems of some large Russian banks.
- Lurk actively resists detection: its developers work hard to minimize detections of their Trojan, while targeted attacks make it difficult to get new samples quickly.
- Based on the methods of internal organization used in the malware, its feature set and the frequency with which it is modified, it can be concluded that a team of professional developers and testers is working on the project.
This is not to say that the Trojan is particularly well written: we have seen and analyzed banker Trojans with much higher code quality. Moreover, our analysis of Lurk has shown that several programmers with different levels of qualification have worked on the code. The developers clearly made some bad choices in places, which have remained unfixed for years (needless to say, we are not going to alert the developers to their mistakes). It is worth noting that the malware writers are developing their product: we see that the quality of code has improved over time and the solutions chosen by the developers have generally improved. What sets Lurk apart is that it is highly targeted – the authors do their best to ensure that as many victims of interest to them as possible get infected without catching the attention of analysts or researchers. The incidents known to us make us believe that Lurk is successful at what it was designed for: we regularly receive reports of thefts from online banking systems and forensic investigations after the incidents reveal traces of Lurk on the affected machines.
Victims
The cybercriminals are interested in the following types of organizations:
- IT organizations working in telecommunications field;
- mass media and news aggregators;
- banks and financial organizations.
Compromised computers of IT and telecoms companies provide the cybercriminals behind Lurk with new transfer servers through which traffic goes to the attackers’ servers. Media and news aggregator sites, particularly those visited by accountants, are used to infect a large number of users from Lurk’s ‘target audience’. Banks and financial organizations are of interest to the cybercriminals in connection with their main goal – stealing money.
We won’t comment on the reasons behind the malware authors’ attempts to get a foothold on the machines inside security agencies (these organizations are also among those targeted by Lurk).
The Trojan’s targets appear to include Russia’s four largest banks.
Distribution
The well-known technique of drive-by downloads is used to distribute the Lurk banker Trojan. In addition, the cybercriminals distribute the Trojan via compromised websites with legitimate software and across corporate networks – using the psexec utility.
Infecting Using an Exploit Pack
Lurk is distributed primarily using the infamous Angler exploit pack (cybercriminals call it XXX). With this method of distribution, users don’t have to do anything in particular for their computers to become infected.
Angler is rightfully considered the flagship of exploit packs: exploits for new vulnerabilities are nearly always first implemented in Angler and only later make their way into other exploit packs (or are perhaps simply borrowed). Exploits for zero-day vulnerabilities are also often implemented in Angler, making the exploit pack particularly dangerous.
Preparation for infecting new victims with Lurk is usually performed as follows:
- A website that is of interest to the target audience is selected. This can be a message board for accountants, a news portal, etc.
- The website is infected by stealthily placing a link on it that leads to the exploit pack’s landing page. If it proves impossible to infect the site, a malicious link is placed into the materials of some ‘affiliate program’ that are shown on the site.
- Users visiting the site are redirected to the exploit pack’s landing page without their knowledge. Angler attempts to exploit some vulnerability in the software installed on the user’s computer, which should result in the execution of Lurk’s downloader – mini.
Curiously, the link to the exploit pack’s landing page is either placed for a short time or is regularly placed and removed. For example, we have seen the message board of a well-known magazine for accountants become infected. A malicious link appeared on the message board on weekdays for exactly two hours at lunchtime. Of course, we detected the anomalous activity and notified the owners of the resource. However, by the time they read our letter the resource was clean again and they could not identify the infection. At the same time, during the period when the malicious link was shown on the message board, the Lurk owners managed to infect several new user machines.
Infecting via Compromised Websites
The second method of infection that the cybercriminals used extensively is the distribution of malicious code via legitimate websites. Apparently, this distribution method involves providing infected files to users in the RU zone only, while other users get clean files.
Infecting Machines across a Corporate Network
The scheme whereby one computer in an organization is initially infected is very popular among cybercriminals. Even if the infected machine itself is of no interest to the attackers, the computer is on the same network and on the same domain with other computers containing information that the Trojan’s owners want. In such cases, the psexec utility developed by Mark Russinovich is used to distribute the malware across the network. A special mini dropper is then used to execute the Trojan’s main module on other computers on the same network. This method can result in dire consequences for the organization, since the security of a computer containing data of interest to the cybercriminals essentially depends on that of the least protected computer on the network that is under attack.
Main Modules
The Trojan consists of several modules that have reasonably rich capabilities. The main Lurk modules are:
- mini module;
- prescanner module;
- core module (the bot’s kernel);
- core_x64 module (64 bit version of the kernel);
- mini_x64 module (64 bit version of the mini module).
The mini Module
In the first stage of an attack involving the Angler exploit pack, a vulnerability found in the user’s software is exploited and the mini module of Lurk banker Trojan is downloaded and executed. As mentioned above, the user can download the malicious file from a compromised website; another possibility is infection over the local network.
By Lurk standards, mini is a small program (100-400 KB). Its main function is to download and execute two other main Lurk modules. The address of the server used by mini is hardcoded in the program’s body. Modules are downloaded using standard GET requests. The modules downloaded by mini are encrypted, with different encryption algorithms used. The prescanner module is encrypted using the simple “xor-next” algorithm. Other modules are encrypted using the Blowfish algorithm (ECB mode), the pseudo key for which is hardcoded into mini. The real key is derived from the hardcoded pseudo key by a sequential search over one character (a brute-force search).
To avoid having to download additional modules every time mini is executed, the Trojan saves these modules in a separate encrypted file located in %APPDATA% folder. The contents of the storage is encrypted with the Blowfish algorithm, using a key that depends on the time the Windows folder was created. In addition to a plugin’s name and body, the storage file includes a list of checksums of the names of those processes in whose context the plugin is to be executed. This information is used by mini to determine which process a plugin should be injected into: for web injection modules, this is a browser process; for the ibank module, it is Java.exe, in whose context the online banking system operates.
The prescanner module
According to the operating logic of mini, the second stage of the attack is to load the prescanner module. The module is a dynamically loaded library with only one exported function – Prescan.
The cybercriminals need prescanner to make their attacks as narrowly targeted as possible. If a machine does not match the specific rules of prescanner and no online banking systems have been found on it, the module reports this to mini and the latter decides not to try to achieve persistence on the machine. In this way, the Trojan’s developers try to avoid attracting the attention of law enforcement agencies and anti-malware product developers. The following fact supports this idea: every time a new bot is registered by the C&C, a unique identifier – bot number – is assigned to the bot. In the more than five years that the banker Trojan has existed, only about 60,000 bots have been registered by the C&C.
Prescanner performs two main tasks:
- collecting information about an infected system;
- grabbing passwords from FTP clients found on the user’s machine.
After collecting information about the machine and checking whether its rules are observed, prescanner sends a report to its command server. In the cases that we have seen, the C&C used by prescanner was the same as that used by the mini downloader.
If it is decided that a machine is unsuitable for a Lurk attack based on the analysis performed, mini and prescanner modules terminate and uninstall themselves. If prescanner has made the decision to ensure persistence on the machine, it reports this to the mini downloader, which in turn downloads and executes the core module – the bot’s main body.
The core module
Core is the main module of Lurk. Its main functions are:
- network interaction with the C&C;
- executing commands received from the cybercriminals;
- logging keypresses (keylogger function) and recording video from the infected system’s screen;
- maintaining the encrypted data storage and Lurk settings;
- downloading, installing and executing the Trojan’s additional modules.
The core module is a communication channel of sorts between all the other malware modules and the command server. The C&C servers used for mini and for core are different. Core does not have a hardcoded command server address. The address of its command server is calculated using DGA – the Domain Generation Algorithm. Among other DGA input parameters, the Trojan’s authors use exchange quotation data received from Yahoo Finance. This means that the data used to generate C&C addresses cannot be known to security experts in advance. As a result, it is impossible to predict the addresses generated by Lurk.
After successfully establishing a connection, data collected by the malware and the results of executing commands are sent to the command server every five minutes, together with requests for new updates and commands. All communication between the core module and the C&C is encrypted; the data exchanged between core and the C&C is in JSON format.
The function of intercepting data entered on the keyboard is implemented in the core module in the newer versions of Lurk (starting at least from 8.9773). Keypresses are intercepted only in the context of windows that have specific words/phrases in their names. The list of these words/phrases is received from the C&C. Intercepted data is sent to the command server during the next communication session (every 5 minutes).
The main part of Lurk’s storage is located in the system registry, but some additional data belonging to the storage can be saved as a file on the hard drive. As a rule, files are used to store a large but logically uniform volume of data, such as video captured from the screen or code for web injection. But in any case, links to these additional files are always present in the main part of the storage, which is located in system registry.
Additional modules
The bot’s additional modules (plugins) are downloaded by the core module to those computers the malicious program deems most suitable. Those modules that are required on a specific computer to steal money are downloaded to that computer.
The Lurk modules currently known to us are listed in the table below.
| Plugin GUID | Name | Plugin function |
|---|---|---|
| {5FBA6505-4075-485b-AEC4-75767D9054C9} | module_Bifit | A set of .class-files designed to introduce changes into the normal operation of iBank 2 systems, in order to steal money. |
| {0F3E7AFA-1F2B-4b0e-99D6-3716A4C3D6DE} | module_Bifit_admin | An administrative applet for iBank 2 systems modified by cybercriminals, designed to steal credentials and key files from iBank 2 systems. |
| {04DB063E-1454-4a73-B2CC-4DB6D4BB6AA1} | module_ibank | This plugin is used to inject malicious applets into the iBank 2 system. These applets (along with other tools) are used to steal money from the user. |
| {AABA3126-14E2-443b-A11B-FB6C1F793103} | module_w3bank | This plugin is designed to organize web injections into the pages of remote banking systems. |
| {5C345F77-B111-4a85-B6D6-EC8F27F993C4} | module_w3bank_scripts | A set of scripts written in JavaScript for injection by the module w3bank; designed to steal money and data from remote banking systems. |
| {50D13F6C-FC46-4fdf-A294-E149D36E54D4} | module_spider | An auxiliary module whose main task is to ensure other Lurk modules are loaded into the contexts of the processes iexplore.exe, firefox.exe, chrome.exe, opera.exe, jp2launcher.exe, java.exe before these processes are actually launched. |
| {52F1F7D8-4BCC-4498-AC86-3562F81990F6} | module_vnc | This plugin provides remote access via VNC to the infected computer (for remote control over the infected computer). |
| {A06B5020-0DF3-11E5-BE38-AE5E4B860EDE} | rdp-plugin-x86 | This plugin ensures that RDP is enabled on the infected computer. |
| {9F786E98-3D4C-4020-8819-B97D9D4DBCC0} | highLauncher | Bot plugin loader at a high Integrity level (required for rdp-plugin-x86 and lsa-plugin-x86). |
| {968A2A9A-7DF4-4E69-BF81-563AF8FFB7DC} | launcher | The loader of mini. It awaits an IPC message with the name <LurkDll>, after which it loads mini with the help of LoadLibrary(). It is used in the mini launch process while escalating privileges. |
| {5B3957F2-AAAF-4FF8-94B8-83C52AFCD2A9} | lsa-plugin-x86 | The plugin for grabbing administrator and/or domain accounts (the well-known program mimikatz is used). |
We will now look at three bot modules (plugins) in more detail: w3bank and ibank.dll, the two workhorses of the Lurk Trojan that are directly involved in stealing money, and module_vnc, which makes it possible to remotely control the infected system using the VNC protocol.
The w3bank module
The w3bank module is designed for attacks on remote banking systems. Its main task is to perform injections into the user’s browser.
In the cases of Mozilla Firefox and Google Chrome, a new browser user profile is created at each launch. This helps hide the Trojan’s activities from the legitimate user, who will not be able to see any trace in the history of visited sites. This also helps create a separate session on a website, parallel to an already open session. In particular, this makes it possible to log in a second time to the site the legitimate user is working with, and perform actions in a parallel session that will not affect the user’s session.
The ibank module
The ibank module is designed to steal money in iBank remote banking systems.
This module runs in the context of a Java virtual machine. When a Java applet is started, it is checked to see whether it belongs to the iBank 2 system. If this remote banking system is launched, a request is sent to the C&C asking if the applet should be blocked or allowed to run. If an “allow to run” command arrives in response, a set of Java-class files is sent to replace the original classes of the iBank applet.
The infected applet enables the cybercriminals to stealthily replace the data in payment orders, leaving the original information in the printouts.
The module_vnc module
The module_vnc module provides the ability to remotely control an infected system using the VNC protocol. When this happens, the remote node gains full access to the system: it can see the image displayed on the screen, send and receive any files or data, including data from video/audio input devices, use the software installed on the machine and install new software.
This module also makes it possible to launch browser processes with the following parameters:
- Mozilla Firefox: -profile
- Google Chrome: --user-data-dir=
- Internet Explorer: -nomerge
As with the w3bank module, each launch of Mozilla Firefox or Google Chrome with these parameters creates a new browser user profile. This hides the Trojan’s activities from the legitimate user, who will see no trace in the history of visited sites, and gives the Trojan a separate session on the website, parallel to the one already open. In particular, the cybercriminals can log in a second time to the site the legitimate user is working with and act in that parallel session without affecting the user’s own session.
Stages of a Lurk attack
As a result, the Trojan’s typical attack sequence is as follows:
- The user’s computer is infected by exploiting a vulnerability;
- The mini module is launched on the infected computer;
- mini downloads the prescanner module and launches it;
- prescanner steals the user’s FTP credentials;
- If an analysis finds that the infected computer is unsuitable, mini and prescanner silently terminate themselves;
- If the infected computer is of interest to the cybercriminals, the attack continues;
- If the attack continues, mini downloads and launches the core module, the bot’s main body;
- core connects to the bot’s C&C server, receives commands from the cybercriminals and executes them;
- core receives the bot’s additional plugins;
- core spies on the user: it intercepts data entered from the keyboard and captures the video stream from the screen of the infected system. Capturing is only performed for windows with specific keywords/phrases in their names. The list of keywords is received from the C&C and is primarily determined by the financial interests of Lurk’s owners;
- Using additional modules (ibank, w3bank), Lurk steals money from remote banking systems.
Example of an Attack on a Bank
During our research, we detected a Lurk attack on a major Russian bank that was using the w3bank module to perform web injections. We were able to obtain the scripts of the injections.
The files of the infection scripts have identical names for different remote online banking systems (content.min.js), but a different GUID, as the latter is generated in a random fashion.
This script intercepts the authentication information entered into the remote banking system. When the user logs in to the remote banking system, their username and password are intercepted. After successful authentication, a parallel session is created that is hidden from the user and in which Lurk scans the banking pages and searches for the card holder’s name and the phone number linked to the card. The malicious script collects all the information required to make a payment in that online banking system. This information is then sent to the C&C server whose address is identical to the network address of the server communicating with the core module.
In response, the C&C server may send a script to be executed in the browser context. We were unable to obtain such a script for this research.
The C&C server may also register an automated payment that will be executed the next time the user logs in to the online banking system.
Conclusion
The Trojan’s creators have made an effort to protect their creation from researchers, and especially to protect Lurk from an in-depth analysis, or, at the very least, greatly hinder such analysis. However, despite all the difficulties of analyzing the Trojan, Lurk is quickly detected by modern anti-malware solutions.
It’s not only anti-malware companies that are countering Lurk; the manufacturer of the iBank 2 system, BIFIT, is also taking measures to combat the attacks launched against its product. The company has implemented methods to counteract banking Trojans in its iBank 2 software and investigated their effectiveness. The BIFIT research shows that of all the protection tools implemented in iBank 2, only control over the bank’s server is effective against Lurk; all the other measures implemented in iBank 2 were successfully bypassed by the Lurk creators, testifying to their professionalism.
Lurk gives the impression of being a complex, powerful system designed to achieve its creators’ criminal goals, i.e., stealing money from users. The perseverance and focus with which they work with their Trojan suggest they are highly motivated.
Kaspersky Lab counteracts this Trojan using signature-based, heuristic and proactive detection methods. With this approach, we can even detect new specimens of Lurk before they are added to our collection. Kaspersky Lab’s products detect this Trojan with the following verdicts: Trojan.Win32.Lurk, Trojan-Banker.Win32.Lurk, Trojan-Spy.Win32.Lurk.
In conclusion, we give the following recommendations that may be hackneyed but are nonetheless relevant. The security of an online banking system is ensured by:
- Competent design and administration of an organization’s local area networks;
- Regular training on information security rules and norms for employees;
- Use of modern security software that is regularly updated.
We are confident that observing these simple rules will help ensure a high level of protection from Lurk and similar threats.
IOCs:
Registry keys:
HKCU\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKLM\Software\Classes\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKCU\Software\Classes\Drive\ShellEx\FolderExtensions\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
HKLM\Software\Classes\Drive\ShellEx\FolderExtensions\{118BEDCC-A901-4203-B4F2-ADCB957D1887}
Files:
Possible names of the mini module:
%APPDATA%\API32.DLL
%APPDATA%\dlg.dll
%APPDATA%\mm.dll
%APPDATA%\setup.dll
%APPDATA%\help.dll
%APPDATA%\mi.dll
%APPDATA%\http.dll
%APPDATA%\wapi.dll
%APPDATA%\ER32.DLL
%APPDATA%\core.dll
%APPDATA%\theme.dll
%APPDATA%\vw.dll
%APPDATA%\el32.dll
%APPDATA%\sta.dll
%APPDATA%\p10.dll
%APPDATA%\fc.dll
%APPDATA%\in_32.dll
%APPDATA%\pool.drv
%APPDATA%\env.dll
%APPDATA%\man.dll
Possible names of the storage module:
%APPDATA%\ddd2.dat
%APPDATA%\pdk2.dat
%APPDATA%\km48.dat
%APPDATA%\9llq.dat
%APPDATA%\ddqq.dat
%APPDATA%\834r.dat
%APPDATA%\gi4q.dat
%APPDATA%\wu3w.dat
%APPDATA%\qq34.dat
%APPDATA%\dqd6.dat
%APPDATA%\w4ff.dat
%APPDATA%\ok4l.dat
%APPDATA%\kfii.dat
%APPDATA%\ie31.dat
%APPDATA%\4433.dat
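The host indicators above (the CLSID registry paths, the %APPDATA% file names of mini and its storage, and the browser launch parameters attributed to module_vnc earlier in the article) can be turned into a repeatable triage check. The script below is an added example written for this page; it is not code from Securelist or from the Lurk authors. The function names (match_registry, match_appdata_files, suspicious_browser_launch, collect_windows_state) and the sample command lines are my own constructions; the indicator values are copied from the lists on this page.

```python
import os
import re
import sys

# Indicators copied from the page's IOC section, held in constructed data structures.
LURK_CLSID = "{118BEDCC-A901-4203-B4F2-ADCB957D1887}"
REGISTRY_IOCS = [
    f"HKCU\\Software\\Classes\\CLSID\\{LURK_CLSID}",
    f"HKLM\\Software\\Classes\\CLSID\\{LURK_CLSID}",
    f"HKCU\\Software\\Classes\\Drive\\ShellEx\\FolderExtensions\\{LURK_CLSID}",
    f"HKLM\\Software\\Classes\\Drive\\ShellEx\\FolderExtensions\\{LURK_CLSID}",
]
MINI_NAMES = {
    "api32.dll", "dlg.dll", "mm.dll", "setup.dll", "help.dll", "mi.dll",
    "http.dll", "wapi.dll", "er32.dll", "core.dll", "theme.dll", "vw.dll",
    "el32.dll", "sta.dll", "p10.dll", "fc.dll", "in_32.dll", "pool.drv",
    "env.dll", "man.dll",
}
STORAGE_NAMES = {
    "ddd2.dat", "pdk2.dat", "km48.dat", "9llq.dat", "ddqq.dat", "834r.dat",
    "gi4q.dat", "wu3w.dat", "qq34.dat", "dqd6.dat", "w4ff.dat", "ok4l.dat",
    "kfii.dat", "ie31.dat", "4433.dat",
}
# Browser launch parameters the page attributes to module_vnc.
BROWSER_FLAGS = {
    "firefox.exe": ("-profile",),
    "chrome.exe": ("--user-data-dir=",),
    "iexplore.exe": ("-nomerge",),
}


def match_registry(present_keys):
    """Return the IOC registry paths found among present_keys (case-insensitive)."""
    wanted = {k.lower(): k for k in REGISTRY_IOCS}
    return [wanted[k.lower()] for k in present_keys if k.lower() in wanted]


def match_appdata_files(file_names):
    """Sort bare file names from %APPDATA% into mini-module and storage-file hits."""
    hits = {"mini": [], "storage": []}
    for name in file_names:
        low = name.lower()
        if low in MINI_NAMES:
            hits["mini"].append(name)
        elif low in STORAGE_NAMES:
            hits["storage"].append(name)
    return hits


def suspicious_browser_launch(command_line):
    """Return the profile-isolation flag if a browser was started with one of the
    parameters listed for module_vnc, else None. Administrators and power users
    legitimately use these flags too, so treat a hit as a hunting lead only."""
    m = re.search(r'([^\\/"\s]+\.exe)\b', command_line, re.IGNORECASE)
    if not m:
        return None
    flags = BROWSER_FLAGS.get(m.group(1).lower())
    if not flags:
        return None
    rest = command_line[m.end():]
    for flag in flags:
        # The flag must start a token, so "-profile" inside a URL does not count.
        if re.search(r"(?<!\S)" + re.escape(flag), rest, re.IGNORECASE):
            return flag
    return None


def collect_windows_state():
    """Enumerate the IOC locations on a live Windows host; returns empty lists elsewhere."""
    if sys.platform != "win32":
        return [], []
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found_keys = []
    for path in REGISTRY_IOCS:
        root_name, subkey = path.split("\\", 1)
        try:
            winreg.CloseKey(winreg.OpenKey(roots[root_name], subkey))
            found_keys.append(path)
        except OSError:
            pass  # key absent (or not readable): not a hit
    appdata = os.path.expandvars("%APPDATA%")
    present = os.listdir(appdata) if os.path.isdir(appdata) else []
    return found_keys, present


if __name__ == "__main__":
    keys, files = collect_windows_state()
    print("registry hits:", match_registry(keys))
    print("file hits:", match_appdata_files(files))
    # Constructed command line, as it might appear in a process-creation log.
    sample = '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -profile C:\\Users\\u\\AppData\\Local\\Temp\\p1'
    print("browser flag:", suspicious_browser_launch(sample))
```

Run it as a local user to check HKCU and %APPDATA% for that user; the HKLM paths are readable without elevation, but the %APPDATA% check only covers the profile the script runs under, so for a shared machine run it per user or point it at each profile directory. A match on a file name alone is weak evidence (several of the names are generic), so pair it with the MD5 list below and the registry CLSID before drawing a conclusion.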
Network indicators:
C&C servers:
3d4vzfh68[.]com
43xkchcoljx[.]com
carlton69f[.]com
diameter40i[.]com
elijah69valery[.]com
embassy96k[.]com
evince76lambert[.]com
globe79stanhope[.]com
groom58queasy[.]com
hackle14strand[.]com
hotbed89internal[.]com
mechanic17a[.]com
paper17cried[.]com
plaguey42u[.]com
possum89hilarity[.]com
rhythmic81o[.]com
ri493hfkzrb[.]com
roomful44e[.]com
s8f40ocjv[.]com
scale57banana[.]com
wing97pyroxene[.]com
yf3zf90kz[.]com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Bot.Lurk.HTTP.C&C"; flow:established,to_server; content:"POST"; pcre:"/\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+/msi";)
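The network indicators can be checked outside an IDS as well, for example over exported proxy logs or a packet capture. The script below is an added example for this page, not code from Securelist or from the Lurk authors: it loads the listed C&C domains, applies the two payload tests of the rule above (the literal POST and the pcre, with the /msi flags mapped to Python's re flags), and adds a domain-shape heuristic of my own derived from the word-digits-word pattern that most of the listed domains share. The function names, the sample requests and the domain tuner33brass.com are constructed for the demonstration.

```python
import re

# C&C domains copied from the page's indicator list.
CNC_DOMAINS = {
    "3d4vzfh68.com", "43xkchcoljx.com", "carlton69f.com", "diameter40i.com",
    "elijah69valery.com", "embassy96k.com", "evince76lambert.com",
    "globe79stanhope.com", "groom58queasy.com", "hackle14strand.com",
    "hotbed89internal.com", "mechanic17a.com", "paper17cried.com",
    "plaguey42u.com", "possum89hilarity.com", "rhythmic81o.com",
    "ri493hfkzrb.com", "roomful44e.com", "s8f40ocjv.com", "scale57banana.com",
    "wing97pyroxene.com", "yf3zf90kz.com",
}

# The rule's pcre "/\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+/msi";
# m, s and i map to re.MULTILINE, re.DOTALL and re.IGNORECASE.
CNC_URI_RE = re.compile(r"\?hl=[a-z]+&source=[^\r\n&]+&q=[^\r\n&]+",
                        re.MULTILINE | re.DOTALL | re.IGNORECASE)

# Hunting heuristic (my own, not from the page's rule): letters, exactly two
# digits, then letters, under .com, as in globe79stanhope.com or carlton69f.com.
SHAPE_RE = re.compile(r"^[a-z]+\d{2}[a-z]+\.com$")


def normalize_domain(host):
    """Lower-case, drop a port and trailing dot, undo the [.] defanging used in IOC lists."""
    host = host.lower().split(":")[0].rstrip(".")
    return host.replace("[.]", ".")


def is_known_cnc(host):
    return normalize_domain(host) in CNC_DOMAINS


def looks_like_lurk_shape(host):
    return bool(SHAPE_RE.match(normalize_domain(host)))


def matches_cnc_rule(raw_request):
    """Mirror the rule's payload tests on one client-to-server HTTP request:
    the literal 'POST' must be present and the pcre must match somewhere."""
    return "POST" in raw_request and CNC_URI_RE.search(raw_request) is not None


def host_header(raw_request):
    m = re.search(r"^Host:\s*(\S+)", raw_request, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else ""


def triage(raw_requests):
    """Return one finding per request that trips any indicator, with the reasons."""
    findings = []
    for raw in raw_requests:
        host = host_header(raw)
        reasons = []
        if matches_cnc_rule(raw):
            reasons.append("uri-pattern")
        if host and is_known_cnc(host):
            reasons.append("known-cnc-domain")
        elif host and looks_like_lurk_shape(host):
            reasons.append("domain-shape")
        if reasons:
            findings.append({"host": host, "reasons": reasons})
    return findings


# Constructed sample traffic: one request shaped like the rule describes to a listed
# domain, an ordinary search query sent with GET, a POST to a made-up domain that only
# fits the shape heuristic, and a benign request.
SAMPLE_REQUESTS = [
    "POST /?hl=en&source=hp&q=ZXhhbXBsZQ HTTP/1.1\r\nHost: globe79stanhope.com\r\n\r\n",
    "GET /search?hl=en&source=hp&q=lunch HTTP/1.1\r\nHost: www.google.com\r\n\r\n",
    "POST /?hl=ru&source=x1&q=abc HTTP/1.1\r\nHost: tuner33brass.com\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

The second sample shows why the rule carries content:"POST": the parameter names hl, source and q are the same ones an ordinary Google search query uses, and a browser sends that query with GET, so the method test is what keeps everyday searches from matching. The domain-shape heuristic will also flag legitimate names built the same way, so it is a lead for hunting and correlation, not a verdict on its own.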
MD5:
mini:
185C8FFA99BA1E9B06D1A5EFFAE7B842
2F3259F58A33176D938CBD9BC342FDDD
217DAB08B62B6F892A7D33E05E7F788C
3387E820F0F67FF00CF0C6D0F5EA2B75
36DB67CCADC59D27CD4ADF5F0944330D
6548D3304E5DA11ED2BED0551C3D6922
72D272A8198F1E5849207BC03024922D
85B66824A7F2787E87079903F0ADEBDF
B4FFAD760A52760FBD4CE25D7422A07B
C461706E084880A9F0409E3A6B1F1ECD
D0B4C0B43F539384BBDC103182E7FF42
E006469EA4B34C757FD1AA38E6BDAA72
E305B5D37B04A2D5D9AA8499BBF88940
E9CAB9097E7F847B388B1C27425D6E9A
E9DA19440FCA6F0747BDEE8C7985917F
F5022EAE8004458174C10CB80CCE5317
prescanner:
A802968403162F6979D72E04597B6D1F
core:
C15E18AFF4CDC76E99C7CB34D4782DDA
8643E70F8C639C6A9DB527285AA3BDF7
ibank.dll:
A6C032B192A8EDEF236B30F13BBFF204
4CB6CA447C130554FF16787A56A1E278
BFE73DE645C4D65D15228BD9A3EBA1B6
CC891B715C4D81143491164BFF23BF27
module_vnc:
601F0691D03CD81D94AD7BE13A10A4DB
6E5ADF6246C5F8A4D5F4F6BBFC5033B9
78EDD93CEA9BEDB90E55DE6D71CEA9C4
w3bank.dll:
1B84E30D4DF8675DC971CCB9BEE7FDF5
3A078D5D595B0F41AD74E1D5A05F7896