A banking trojan, detected by ESET as Win32/Brolux.A, is targeting Japanese internet banking users and spreading through at least two vulnerabilities: a Flash vulnerability leaked in the Hacking Team hack and the so-called unicorn bug, a vulnerability in Internet Explorer discovered in late 2014. Both exploits are (still) distributed through an adult website and try to install a signed malicious binary designed to steal personal information from the victim. The spreading mechanism reminds us of another banking trojan specifically targeting Japanese financial institutions, Win32/Aibatook.
Infection
When a user visits the malicious adult website, he is exposed to an exploit targeting either Internet Explorer (CVE-2014-6332) or Flash Player (CVE-2015-5119). The cybercriminals are thus using two widely known, weaponized vulnerabilities. This is yet another reminder that software we routinely used should always be kept up-to-date and patched. A proof-of-concept code for the vulnerability affecting Internet Explorer has been available for quite some time; this campaign is reusing a slightly modified version of it.
As for the Flash vulnerability, a working exploit was released publicly earlier this year during the analysis of the Hacking Team leak. Although these vulnerabilities have already been included in major exploit kits, we do not believe that any known exploit kit is used in this campaign. The exploit itself was easy to analyze as no additional obfuscation layer was added, as is customary with exploits used in popular exploit kits. As can be seen in the screenshot below, it appears the adult website attempting to compromise users is in fact just scraping videos from another, legitimate, adult website.
The main payload will download two configuration files. The first one contains a list of 88 Japanese internet banking URLs that are monitored by the trojan, while the second contains the accompanying browser window names. Win32/Brolux.A is a simple trojan monitoring whether the user is visiting one of the targeted Japanese internet banking websites. It supports Internet Explorer, Firefox and Chrome browsers. If the user is browsing the web with IE, Win32/Brolux.A will fetch the current URL in the address bar and then compare it to the list in the first configuration file. If Firefox or Chrome is used, it will instead compare the window’s title with the list obtained in the second configuration file. If there is a match, it will spawn a new IE process, pointing to a phishing page.
The phishing page asks for login information, as well as answers to security questions. The page tries to use two trusted institutions in Japan: the Public Prosecutors Office and the Financial Services Agency (FSA). The URL mimics both institutions while the page’s content refer to the FSA.
- Please pay attention to crimes aimed at domestic internet banking!
- Security measures that customers should implement:
- In order to protect the important personal property of customers, Financial Services Agency will make each bank enhance its security.
Each bank will be required to provide customers with an updated card, and to submit information necessary to identify the customer uniquely.
- Please pay attention to crimes aimed at domestic internet banking!
- For each bank, there are some cases where answers to the questions below are not required.
- In case there is no passphrase, please ignore and click ‘Next’ button to move to the next field!
- Personal information:
- Registration number
- Passphrases
- Mail address
- Mail password
- The second PIN
- We will not use personal credit data offered from Consumer Data Industry or sensitive information, which is defined by guideline for personal information protection, 2004 Financial Services Agency Notification No. 67, for purposes other than the original intent, which is limited by Ordinance for Enforcement of the Banking Act.
Interestingly, both the Public Prosecutors Office and the FSA issued statements about this kind of abuse.
The Chinese connection
The sample of Win32/Brolux.A we analyzed uses a Chinese mutex name. Also, the phishing page contained errors and was not entirely written in Japanese: two fields in the third phishing page shown above are written in Chinese.
Finally, the analyzed Win32/Brolux.A sample was signed with the following certificate :
While Win32/Brolux uses simple techniques, it is a reminder for us all to take some precautionary measures to prevent threats like these from causing harm. First of all, Win32/Brolux is using old exploits to spread, so keeping the software running on your computer up-to-date and patched is a must. Then, being suspicious when your internet banking websites suddenly contain new content is a good safeguard against this type of attack.
Indicator of Compromise
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.