Win32 / Spy.Ranbyus aims to modify the Java code of remote banking systems in Ukraine

    Recently, we discovered a new modification of the banking Trojan Win32 / Spy.Ranbyus , which was already the subject of research by our analysts. One of his modifications was mentioned by Alexander Matrosov in a post devoted to the exploitation of smart cards in banking Trojans. The modification described there has interesting functionality, since it shows the possibility of bypassing authentication operations when making payment transactions using smart card devices. In the same modification, a search code for active smart cards or their readers was found, after which the bot sent information about them to the C&C command center with a description of the type of devices found.

    ESET analysts carefully monitored the latest modifications to the family of this trojan and found thatRanbyus began to specialize in modifying Java code in one of the most popular remote banking systems in Ukraine, namely, BIFIT iBank 2 . At the time of our analysis, ESET Virus Radar statistics showed that Ukraine had the highest number of Ranbyus infections.



    A distinctive feature of this banking Trojan is that it does not have a web-injection mechanism that is usually used in threats of this kind (for example, the well-known Zeus), and instead implements an attack on a specific banking / payment software, i.e., used in making various kinds of payments and other banking operations. Win32 / Spy.Ranbyus collects information about the infected system (active processes, OS version, etc.) and sends it to the command server (C&C). The main functionality for stealing money is based on a set of different form grabbers aimed at special payment software. For example, grabbers for software developed for the Java platform look like this:


    Java grabber embed code.

    Our colleague Alexander Matrosov has already describedsimilar functionality about Java patch in another family of banking malware - Carberp. Carberp has special functionality for modifying a Java Virtual Machine (JVM) and tracking software activity for making payments. Ranbyus takes a different approach; it modifies Java code only for a specific application, without resorting to modifying the JVM. For example, Ranbyus can modify the layout of forms to hide information about fake transactions implemented through a trojan.


    Java methods tracked by Ranbyus.

    In addition to this, Win32 / Spy.Ranbyus can block the actions of the remote banking system software and display such a message in Russian.



    Ranbyus is aimed only at Ukrainian and Russian banks and we did not observe similar attacks in other regions. The panel of the botnet’s control center looks like this:



    Carberp cybercriminal group is a leader in the criminal market in Russia and has already secured a safe presence in the 20 most active threats in Russia for the whole year. At the same time, Ranbyus occupies a leading position among other banking malware in Ukraine.

    Also popular now: