Malware does not contact a C&C server for instructions

Dec 19, 2014 00:21 GMT  ·  By

A Trojan targeting bank customers in South Korea uses an unusual routine to send users to fake websites posing as financial institutions: it reads the IP address of the phishing site from comments left on certain pins on Pinterest.

Instructions for this type of action are usually delivered through command and control (C&C) servers, but in this case, the malware pulls the information embedded in comments posted on visual discovery platform Pinterest.

The attack works only with Internet Explorer

Detected as TSPY_BANKER.YYSI by Trend Micro products, the Trojan is served to the victim by an exploit kit: an iframe tag injected into a compromised legitimate website redirects the browser to another compromised location hosting the web-based attack tool.

“Once this malware is present on an affected system, users who access certain banking websites using Internet Explorer are automatically redirected to a malicious site. The site contains a phishing page that asks users to input their banking credentials,” Joseph Chen, fraud researcher at Trend Micro, says in a blog post.

He points out that the attack scenario is valid only for users relying on Internet Explorer for online banking transactions.

Among the targeted bank websites are those of Hana Bank, Nonghyup Bank, the Industrial Bank of Korea (IBK), Shinhan Bank, Woori Bank, and Kookmin Bank.

Comments on Pinterest contain encoded redirect IP addresses

To direct victims to the fake versions of these websites, the authors of the threat customized the Trojan to read and decode messages left as comments on Pinterest. The IP addresses appear in the form 104A149B245C120D, where each letter stands in for a dot in the address, so that example decodes to 104.149.245.120.
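The decoding scheme above is simple enough to turn into a small extractor for comment dumps, which is the check an analyst would want when hunting for further redirect targets. The Python below is an added example, not code from the article or from Trend Micro, and it does not reproduce the Trojan's own routine: the regular expression, the treatment of the trailing "D" as a terminator rather than a fourth separator, the rejection of non-public addresses, and the sample comments are all assumptions made here for illustration. The only real token it uses is the 104A149B245C120D example quoted in the article.

```python
import ipaddress
import re
from typing import List, Optional

# Encoded form quoted in the article: 104A149B245C120D stands for
# 104.149.245.120. Four decimal octets are joined by the letters A, B and C,
# and the token ends in D. Treating D as a terminator rather than a fourth
# separator is an assumption; the article only says each letter marks a dot.
ENCODED_IP_RE = re.compile(r"\b(\d{1,3})A(\d{1,3})B(\d{1,3})C(\d{1,3})D\b")


def decode_encoded_ip(token: str) -> Optional[str]:
    """Decode one token such as 104A149B245C120D into dotted-quad form.

    Returns None when the token does not match the scheme, when an octet is
    out of range, or when the address is not a routable public address
    (a redirect target in a private or loopback range is almost certainly
    noise rather than an attacker-controlled host).
    """
    m = ENCODED_IP_RE.fullmatch(token)
    if m is None:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:
        # e.g. 999A1B2C3D: an octet above 255 (leading-zero octets are
        # also rejected by recent Python versions)
        return None
    if not addr.is_global:
        return None
    return str(addr)


def extract_redirect_ips(comments: List[str]) -> List[str]:
    """Scan free-form comment text for encoded tokens and return the decoded
    public IPv4 addresses, de-duplicated and in first-seen order."""
    found: List[str] = []
    for comment in comments:
        for m in ENCODED_IP_RE.finditer(comment):
            ip = decode_encoded_ip(m.group(0))
            if ip is not None and ip not in found:
                found.append(ip)
    return found


# Constructed sample comments (not real Pinterest data). The first token is
# the example given in the article; the others exercise the rejection paths.
SAMPLE_COMMENTS = [
    "104A149B245C120D",
    "nice pin!! 10A0B0C1D",            # private range, ignored
    "999A1B2C3D",                      # octet out of range, ignored
    "104.149.245.120",                 # plain dotted quad, not the scheme
    "again 104A149B245C120D thanks",   # duplicate, reported once
]

if __name__ == "__main__":
    for ip in extract_redirect_ips(SAMPLE_COMMENTS):
        print(ip)
```

Feeding a real export of the comments on the pins in question into extract_redirect_ips gives the list of hosts to block or to pivot on; the is_global filter drops the private, loopback and documentation ranges that would otherwise pollute a block list if a commenter happened to post a token-shaped string.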

The researchers have found that the cybercriminals use the Sweet Orange exploit kit to serve the Trojan, leveraging an Internet Explorer vulnerability identified as CVE-2013-2551, which is also widely available in other malicious kits.

They also take advantage of CVE-2014-0322, another flaw in Microsoft’s web browser, which is present in the FlashPack exploit kit as well.

A third weakness, tracked as CVE-2014-6332 and included in the Gongda exploit kit, was employed in the latest attack observed by the researchers.

All three vulnerabilities have been patched: the first in May 2013 (MS13-037), the second in March 2014 (MS14-012), and the third in November 2014 (MS14-064). Systems that have not applied the vendor's updates remain exposed, which is what gives the intruders a way in.

The identity of the attackers is unknown, but the researchers found that the most recent exploit was written by Chinese speakers, which is not unusual. They also observed that the Trojan reported statistical data to URLs containing the Chinese word “tongji,” which means “statistic.”

Trojan infection tactics (5 images): attack scenario on South Korean users; Pinterest comments containing the IP address of the fake bank websites; side-by-side comparison of legitimate and bogus bank sites.