Caphaw banking Trojan attacks European banks using a web injection plugin

    Win32/Caphaw banking malware (also known as Shylock) was used by cybercriminals in attacks on large European banks that lasted more than a year. This threat began to spread in the autumn of 2011. Our colleague Alexander Matrosov carried out a detailed analysis of this banking Trojan, and we want to present the most interesting findings of that analysis. Win32/Caphaw stands out from similar threats in that it is one of the few Trojans that can automatically steal money from a bank account while the user is actively working with that account.

    The distribution geography shows that Win32/Caphaw prevails in England, Italy, Denmark and Turkey. According to our ESET Virus Radar statistics, the Trojan's activity peaked in December 2012. The following screenshot shows the geography of Win32/Caphaw distribution over the last week (at the time of the study).

    Fig. Geography of prevalence of Caphaw.


    Win32/Caphaw has the capabilities of a typical banking malware and additionally checks the environment in which it is being run. Such checks are obviously aimed at preventing the dropper from starting on a system intended for automated sample analysis. We found that Caphaw injects its code into all running processes and has a multi-threaded architecture for executing tasks sent from the C&C. The injected code can communicate between processes (IPC) using named pipes.

    Fig. Creating the thread in which IPC communication takes place.

    Caphaw sets up many hooks on system functions. Of particular interest is the hook on advapi32!InitiateSystemShutdownEx. It lets the malware control the reboot and shutdown process, and also allows the malicious code to reinstall itself in the system.

    Fig. Hooking the advapi32!InitiateSystemShutdownEx function. The Trojan reinstalls itself in the system.

    All strings in the body of Caphaw are encrypted using a simple algorithm.

    Fig. String decryption code.

    Caphaw checks whether it is being run in a virtual machine environment (VMware, VirtualBox or VirtualPC). The malicious code checks the names of the processes and drivers running on the system; the names are compared using a pre-calculated hash.

    Fig. A function that calculates the hash of a string when checking names.

    For example, a VMware environment check is as follows.

    Fig. Verification code for VMware environment; names of running processes and drivers are checked against a pre-calculated hash.

    Every few hours, the dropper files are repacked using a special service that provides a polymorphic cryptor for this purpose. This approach lets the droppers evade static signature detection by anti-virus scanners. The URLs from which these droppers are then distributed look like this:

    Fig. Links leading to the installation of Caphaw droppers.

    The format of such URLs is:

    hxxps://[random subdomain].[domain]/[DIR]/[DIR-random string]/[dropper file]?r=[random number]

    To generate random numbers, Caphaw uses the following algorithm:

    Fig. The random number generation algorithm in Caphaw.

    Caphaw uses the C&C to download additional modules, web injects, configuration files and instructions. The URLs used to communicate with the C&C look like this:

    Fig. URL links that Caphaw uses to interact with C&C.

    The URLs used to contact the C&C are formed according to a special pattern:

    hxxp://[URL format]/[key]&id=[bot id]&inst=[master or slave]&net=[botnet id]&cmd=cfg

    The response from the C&C server is:

    In this case, a special template is also used:

    hxxp://[random subdomain].[domain]/[DIR]/[file_name.jpg]?r=[random number]
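    The three URL templates above (dropper download, C&C request and configuration download) as matching logic a defender could run over proxy logs; this is an added example, not ESET's tooling, and every hostname, path and identifier in it is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Dropper URL: hxxps://[random subdomain].[domain]/[DIR]/[DIR-random string]/[dropper file]?r=[random number]
DROPPER_RE = re.compile(
    r"^https?://[a-z0-9-]+\.(?P<domain>[a-z0-9.-]+\.[a-z]{2,})"
    r"/[^/?]+/[^/?]+/(?P<file>[^/?]+)\?r=(?P<r>\d+)$", re.I)
# Config download: hxxp://[random subdomain].[domain]/[DIR]/[file_name.jpg]?r=[random number]
CFG_RE = re.compile(
    r"^https?://[a-z0-9-]+\.(?P<domain>[a-z0-9.-]+\.[a-z]{2,})"
    r"/[^/?]+/(?P<file>[^/?]+\.jpg)\?r=(?P<r>\d+)$", re.I)
# C&C request: hxxp://[URL format]/[key]&id=[bot id]&inst=[master or slave]&net=[botnet id]&cmd=cfg
# (the parameters hang off the key with '&', there is no '?', so they land in the URL path)
CNC_KEYS = ("id", "inst", "net", "cmd")

def parse_cnc(url):
    """Return the C&C request fields (key, id, inst, net, cmd) or None."""
    key, *pairs = urlsplit(url).path.split("&")
    fields = dict(p.partition("=")[::2] for p in pairs)
    if any(not fields.get(k) for k in CNC_KEYS):
        return None
    fields["key"] = key.rsplit("/", 1)[-1]
    return fields

def classify(url):
    """Map a URL to ('dropper' | 'cfg' | 'cnc', fields) or None."""
    for kind, rx in (("dropper", DROPPER_RE), ("cfg", CFG_RE)):
        m = rx.match(url)
        if m:
            return kind, m.groupdict()
    fields = parse_cnc(url)
    return ("cnc", fields) if fields else None

# Constructed proxy-log lines (timestamp, client, URL); hosts and paths are placeholders.
SAMPLE_LOG = """\
2012-12-03T10:01:02 10.0.0.5 https://www.example.com/index.html
2012-12-03T10:01:09 10.0.0.5 https://kj3h2.example.net/files/dir-q8x1z/update.exe?r=58213
2012-12-03T10:02:40 10.0.0.5 http://example.org/4f7a1c&id=B0T1D&inst=master&net=eu1&cmd=cfg
2012-12-03T10:02:41 10.0.0.5 http://a9s8d.example.org/img/cfg01.jpg?r=90211
2012-12-03T10:03:00 10.0.0.5 https://cdn.example.com/img/logo.jpg?v=3
"""

def scan_log(text):
    """Return (timestamp, client, kind, fields) for every line matching a template."""
    hits = []
    for line in text.splitlines():
        ts, client, url = line.split(maxsplit=2)
        hit = classify(url)
        if hit:
            hits.append((ts, client) + hit)
    return hits
```

    The dropper and config patterns are only as specific as the templates themselves, so treat a match as a hunting lead to be confirmed against the downloaded content, not as a verdict.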

    The bot configuration file is encrypted using RC4 and Base64; the encryption scheme is Base64(RC4(cfg_data)). After decryption, the configuration file looks like this:

    Fig. The configuration file after decryption.


    Win32 / Caphaw has the ability to download and execute additional plugins. The plugins that we observed during the botnet tracking are shown in the table.

    The plugin used to distribute Caphaw via Skype has been described by our colleagues from CSIS. Another interesting plugin is the MBR bootkit module (detected by ESET as Win32/Wolcape.A), which is downloaded to infected machines on a special request from the C&C. The bootkit is based on an MBR modification and provides for loading an unsigned driver. The bootkit's hook on the int 13h interrupt (the BIOS interrupt used to read sectors from the hard disk) looks like this:

    Fig. The int 13h hook.

    Location of the malicious driver:

    The driver is encrypted using RC4 with a 256-byte key. The call graph of the function that loads the driver looks like this:

    Fig. A graph of the function that loads the driver into the system.

    The driver hooks the usual kernel functions to hide files and processes. The most interesting hooks are on functions of the \Driver\nsiproxy and \Device\Tcp objects, which give it control over passing network traffic. The bootkit configuration file is encrypted in the same way as the bot configuration described above, and uses a similar XML structure:

    Fig. Bootkit configuration file.
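    A worked decryptor for the Base64(RC4(cfg_data)) scheme used for the bot configuration above and, with a 256-byte key as the post gives for the driver, for the bootkit configuration; this is an added example, not ESET's code. The keys and the XML content are constructed placeholders, and looks_like_cfg and recover_cfg are assumed analyst helpers for trying candidate keys, not anything taken from the sample.

```python
import base64

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_cfg(blob_b64: str, key: bytes) -> bytes:
    """Undo Base64(RC4(cfg_data)): strip the Base64 layer, then the RC4 layer."""
    return rc4(key, base64.b64decode(blob_b64))

def encrypt_cfg(cfg: bytes, key: bytes) -> str:
    return base64.b64encode(rc4(key, cfg)).decode("ascii")  # used only to build test material

def looks_like_cfg(data: bytes) -> bool:
    """Plausibility check for a candidate key: the plaintext should be XML text."""
    try:
        text = data.decode("utf-8").strip()
    except UnicodeDecodeError:
        return False
    return text.startswith("<") and text.endswith(">")

# Constructed, illustrative XML (not Caphaw's real configuration schema).
SAMPLE_CFG = b"""<config>
  <botnet>eu1</botnet>
  <server>hxxp://cnc.example.invalid/</server>
</config>
"""
BOT_KEY = b"constructed-bot-key"      # placeholder, not a key from any sample
BOOTKIT_KEY = bytes(range(256))       # placeholder 256-byte key, the length the post gives for the driver

def recover_cfg(blob_b64: str, candidates):
    """Try candidate keys (e.g. strings pulled from a sample); return the first plausible config."""
    for key in candidates:
        data = decrypt_cfg(blob_b64, key)
        if looks_like_cfg(data):
            return data
    return None
```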

    Web injects and theft scheme

    Web injects use the same configuration format, but a different encryption algorithm. In decrypted form, the web injects look like this:

    The following is a list of banks from the latest web inject configuration files:

    One of the most interesting details of the code injected into the web page when visiting an online bank is the replacement of all phone numbers with fake numbers belonging to the attackers (see Merchant of Malice: Trojan.Shylock Injects Phone Numbers into Online Banking Websites). This substitution is driven by a special web-inject configuration that has a unique structure for each individual bank.


    Win32/Caphaw is an interesting family of banking Trojans. This malicious code is one of the few with the functionality to automatically steal money while a user works with his bank account. It is very difficult for an infected user to notice the theft, because he sees fake forms on the online banking page. We have previously tracked similar functionality in banking Trojan families such as Carberp (Carberp Gang Evolution), Gataka (Win32/Gataka banking Trojan - Detailed analysis), Win32/Spy.Ranbyus (Win32/Spy.Ranbyus aims to modify the Java code of remote banking systems in Ukraine) and Tinba.
