Hesperbot Targets Germany and Australia

    In September, we reported on a new banking Trojan called Hesperbot (detected as Win32/Spy.Hesperbot). The cybercriminals using this tool are still active: new infections with this malware were recorded in November.

    We have already shown that the geographical distribution of infections by this malware is quite localized, concentrated in a few specific countries. Users were infected through spam campaigns with phishing messages written in the local language of each of these countries. As expected, it did not take the attackers long to start targeting new countries. In addition to the four we have already named (Turkey, the Czech Republic, Portugal, Great Britain), last month new versions of the malicious code targeting users in Germany and Australia were reported.

    Over the past month, a large number of infections were recorded in the Czech Republic, and the attackers also added web injection scripts to the configuration files for the Czech botnet. The diagram below shows the distribution of Hesperbot infections by country that we recorded in November using ESET LiveGrid.



    Hesperbot has a modular architecture, and its configuration files allow the attackers to point the malicious code at new online banking systems. The configuration file gives the malicious code specific instructions, for example which URLs the form grabber module should ignore: when such a URL is encountered in an HTTP POST request, the module does not perform its usual actions of stealing the data a user enters into web forms (online banking credentials, credit card details) and sending it to the attackers. Another list of addresses determines the situations in which the video capture module is triggered (it can be used to bypass virtual keyboards, and it lets the botnet operator watch the victim's bank account balance without having to log into the online banking account). The configuration file also contains web injections, in a format similar to that of Zeus and SpyEye.
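    As an added illustration (not code from the original post or from ESET), here is a small Python parser for the Zeus-style webinject blocks such a configuration carries, together with the wildcard URL matching that decides whether an entry applies to a visited page. The exact Hesperbot syntax is not given on the page, so the Zeus text format (set_url / data_before / data_inject / data_after / data_end) and the sample configuration are assumptions; an analyst can use the same routine to list the targeted bank URLs from a dumped configuration.

```python
import re
from dataclasses import dataclass

@dataclass
class WebInject:
    url_mask: str       # URL pattern from the set_url line
    flags: str          # request-type flags on the set_url line (e.g. G, P)
    data_before: str = ""
    data_inject: str = ""
    data_after: str = ""

# Constructed sample in Zeus syntax; not a real Hesperbot configuration.
SAMPLE_CONFIG = """\
set_url https://online.bank-example.test/login* GP
data_before
<input type="submit"
data_end
data_inject
<div id="extra-step">constructed injected content</div>
data_end
data_after
</form>
data_end
"""

def parse_webinjects(text: str) -> list:
    """Return one WebInject per set_url block in the config text."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []   # start collecting that section's body
        elif line == "data_end" and current is not None and section:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects

def mask_to_regex(mask: str) -> re.Pattern:
    """Zeus masks: '*' matches any run of characters, '#' exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "#" else re.escape(c) for c in mask)
    return re.compile(f"^{body}$", re.IGNORECASE)

def matching_injects(url: str, injects: list) -> list:
    """Injects whose mask matches a visited URL, the check a hooked browser makes."""
    return [i for i in injects if mask_to_regex(i.url_mask).match(url)]
```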

    The table below shows the URLs of the online banking systems that were found in one of the latest configuration files.



    Below is a layout of a web form with which attackers try to lure a victim into installing a mobile component.





    Next, the user needs to follow the appropriate installation instructions.







    The following is a real case of a web injection on a Czech bank website.



    Note that in the case of Hesperbot, the user continues to see the HTTPS connection icon in the browser address bar. More detailed information about the methods it uses to achieve this can be found in our detailed analysis.

    We have already described the various Hesperbot modules in our previous analysis. The latest version of malicious code now uses two new modules. The first is called gbitcoin and tries to steal the following files:

    - %APPDATA%\Bitcoin\wallet.dat
    - %APPDATA%\MultiBit\multibit.wallet

    These files are the Bitcoin wallets and store the secret keys used by the Bitcoin and MultiBit clients. Given the current high price of Bitcoin, the decision to add such a module is understandable. Some tips on using Bitcoins safely can be found on our English-language blog, as well as on the Bitcoin wiki.

    The second module added by cybercriminals is even more interesting than the first. The activity of this module is determined by the Hesperbot configuration file. If relevant entries are present in it, the module can perform the following actions:

    • Stop all threads in the required process, as well as hide all its visible windows.
    • Show special messages to the user using the MessageBox function.
    • Block network communication for a certain time by intercepting the recv, WSARecv, send and WSASend functions from the ws2_32.dll library.



    Fig. Hesperbot intercepted network functions.


    In this case, the hooked functions return the WSAEACCES error. Hesperbot uses the sch_mod helper module to implement the hooks.

    So far, we have not been able to find configuration files that activate this new functionality. A possible purpose of such hooks is to block the operation of certain banking applications over which the Trojan cannot gain control, which may push the user to fall back to the bank's web interface in the browser, which is already compromised by the malicious code.

    We were also able to find the Hesperbot C&C control panel.



    The screenshot above shows the different banks for the countries targeted by Hesperbot, and the number of successful installations of the mobile component. As mentioned earlier, cybercriminals lure victims to the installation page of a mobile component through web injections on sites of online banking systems. The control panel shown above can provide statistics on Turkish, Australian and German botnets.

    Conclusion

    Attackers using Hesperbot have been very active lately, so we can expect corresponding financial losses for bank customers. We continue to monitor Hesperbot activity and will keep you updated on further developments.
